Okay did its first compliance audit back in 2016. At the time, the audit framework was provided by the European Central Bank (ECB), in the form of the 2014 “Assessment Guide for the Security of Internet Payments”. Here, one idea sticks out: when a multi-purpose device is used for the ownership element, the payment and the SCA should be done in separate or independent channels. This was smart considering how internet banking was done ten years ago.
Eventually, the ECB recognised that banks would start using apps as a possession factor, because two factors were already needed to use the app; payments could then be initiated with just a password. However, given that viruses and malware were quite common, this caused a lot of security problems. In this context, requiring a separate channel for SCA also makes a lot of sense.
During our 2016 audit, the requirement for an independent channel prompted some lengthy discussions. How could we best ensure that our own SCA channel would be both separate from and independent of the rest of the mobile device’s operating system? The solution we ended up implementing was a separate voice call that could run in tandem with our SDK. This allows a one-time PIN from the voice call to be entered into a secured screen displayed by the SDK.
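To make the out-of-band design above concrete, here is an added illustration (not Okay’s SDK or server code) of the server side of such a flow: the one-time PIN is delivered only over the independent voice channel, stored bound to the specific transaction it authorises, and verified with an expiry, an attempt limit and single use. The voice gateway, the transaction fields and the server key are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120   # assumed validity window for the spoken PIN
MAX_ATTEMPTS = 3        # assumed limit before the PIN is discarded


class OobOtpService:
    """Issue a one-time PIN over an independent channel and verify it
    when the user types it into the app's secured screen."""

    def __init__(self, voice_gateway, clock=time.time):
        # voice_gateway is a hypothetical callable(phone, pin) that places the call.
        self._voice = voice_gateway
        self._clock = clock
        # A 6-digit PIN is trivially brute-forced offline if a plain hash leaks,
        # so the stored tag is an HMAC under a server-held key.
        self._key = secrets.token_bytes(32)
        self._pending = {}  # txn_id -> state

    def _tag(self, txn_id, amount, payee, pin):
        msg = f"{txn_id}|{amount}|{payee}|{pin}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, txn_id, phone, amount, payee):
        pin = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, 6 digits
        self._pending[txn_id] = {
            "tag": self._tag(txn_id, amount, payee, pin),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        # The PIN leaves the server only via the voice call, never via the app.
        self._voice(phone, pin)

    def verify(self, txn_id, amount, payee, pin_entered):
        state = self._pending.get(txn_id)
        if state is None:
            return False
        if self._clock() > state["expires"]:
            del self._pending[txn_id]
            return False
        state["attempts"] += 1
        if state["attempts"] > MAX_ATTEMPTS:
            del self._pending[txn_id]
            return False
        # Amount and payee are part of the tag, so a tampered transaction fails.
        ok = hmac.compare_digest(self._tag(txn_id, amount, payee, pin_entered), state["tag"])
        if ok:
            del self._pending[txn_id]  # single use
        return ok
```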
Looking ahead, we might see future regulation on how to delegate payment authorisation to IoT devices, and on how merchants instead of banks can perform SCA. We are already discussing and working on these topics today.
Who is Okay?
Okay is the fully PSD2-compliant Strong Customer Authentication platform that provides transaction and authentication security to apps, shielding the entire authentication process from any threats. We help all issuers, remittance services, and e-wallet providers comply with PSD2’s SCA requirements to deliver multiple authentication methods, including biometrics and strong security mechanisms at the point of transaction. Want to get to know us better? Visit okaythis.com.