Secure Customer Authentication: How Not to Do It

person using laptop computer holding card, PCI 3DS
5 min read

In today’s digital-first world, secure customer authentication (SCA) is critical for protecting data and meeting regulatory requirements, such as PSD2. While SCA is designed to enhance security, poorly implemented processes can create frustrating roadblocks for users, leading to delays, inefficiencies, and a poor customer experience.

In this post, we’ll discuss how not to implement SCA, drawing on an example from a business professional who experienced a deeply flawed SCA enrollment process. We’ll also provide practical recommendations for how organizations can balance security with a seamless user experience, ensuring the success of their SCA programs.

The Importance of Secure Customer Authentication (SCA)

SCA plays a vital role in preventing fraud and protecting users by ensuring that only authorized individuals can access sensitive systems and complete transactions. Yet, the process needs to be as user-friendly as it is secure. When an SCA implementation focuses solely on rigid compliance at the expense of the user experience, it can lead to frustration, service disruption, and ultimately, business losses.

The goal of SCA should always be to authenticate the user in a way that is both strong and frictionless. Unfortunately, many organizations overlook this balance and create rigid processes that hurt the customer journey.

A Real-World Example of SCA Enrollment Gone Wrong

To illustrate how not to implement SCA, let’s explore a real-world case where a business professional struggled to enroll in their bank’s authenticator app for SCA purposes. This individual had to replace their phone, and what should have been a simple process turned into months of frustration.

  1. Verifying a Phone Number: The enrollment process required the user to verify their phone number, so the bank could send a text message with a verification code. However, the bank’s system failed to send the text because it did not support non-Irish phone numbers. Despite the international business nature of the user, the bank required a local number, causing weeks of delays. Why the bank prompted for verification of an unsupported number remains unclear.
  2. Alternative Verification Methods: The bank then offered an alternative—sending a letter containing a PIN code to the registered business address. The professional waited for weeks but received no letter. After numerous calls to customer service, they discovered that the bank had been sending letters to an outdated address. The system failed to update the company’s address properly, causing further delays.
  3. Trying Another Temporary Solution: Frustrated, the professional decided to temporarily use a trusted friend’s Irish phone number. After confirming with customer service that this method would work, they attempted enrollment again. However, the app crashed during the process, forcing yet another call to customer service, which ultimately resulted in the issue being escalated without resolution.

Despite being authenticated over the phone multiple times with customer service, the user remained stuck in the app’s enrollment loop for months. It’s important to note that the bank’s regular authentication method—using in-app notifications once enrolled—worked fine. The problem was purely with the initial enrollment process, which had numerous flaws.

What Went Wrong: Key Lessons from the Example

1. Rigid Processes Lead to Frustration

In this case, the bank enforced rigid, one-size-fits-all rules without considering individual user needs, such as international phone numbers. A lack of flexibility led to significant delays and frustration for the customer. Organizations must design their enrollment processes to accommodate different use cases and avoid alienating customers with rigid requirements.

2. Insecure and Inconsistent Verification Methods

Relying on non-secure methods like unregistered postal letters to deliver sensitive authentication codes introduces unnecessary risks. Additionally, the bank’s reliance on a method (text message) that was incompatible with some users only added to the frustration. Organizations must use consistent and secure verification channels that work for all customers, regardless of location.

3. Failure to Align User Experience with Security Goals

The SCA process failed at both ends—providing neither a user-friendly experience nor effective security. Despite having access to proper authentication through phone conversations with customer service, the app failed to deliver the same level of convenience. The goal of SCA is to ensure strong authentication without introducing barriers that disrupt the user journey.

4. Prolonged Delays Impact Business Operations

In a business context, delays in SCA enrollment can have serious consequences. In this case, the professional was unable to use their business card for months, impacting day-to-day operations. For businesses, time is money, and broken processes can hurt both reputation and profitability.

Best Practices for Implementing SCA: Avoiding Common Pitfalls

To avoid the issues outlined above, here are best practices for implementing SCA in a way that ensures both security and user satisfaction:

1. Prioritize User Experience Without Compromising Security

SCA should be designed to protect users without adding friction. Consider using biometrics or app-based solutions for enrollment, which offer a secure yet seamless user experience. The goal is to authenticate the user as smoothly as possible, avoiding unnecessary steps that create frustration.

2. Offer Flexible and Secure Enrollment Options

Organizations must provide multiple secure options for enrolling in SCA. Whether it’s biometricstime-based one-time passwords (TOTP), or push notifications, users should have options that suit their needs and locations. Don’t limit users to SMS, especially if there are geographic restrictions.

3. Ensure Secure Communication Channels

Sensitive data, such as enrollment codes, should not be sent via insecure methods like unregistered mail. Instead, use secure communication channels like encrypted emailpush notifications, or in-app messaging to ensure the integrity of the process.

4. Keep Customer Data Up-to-Date

One of the major delays in the example was caused by outdated business address information. Organizations should ensure customer data is regularly updated and validated. Failing to do so can lead to breakdowns in communication and prolonged delays in enrollment.

5. Leverage Real-Time Authentication

If a user can authenticate over the phone with customer service, there should be no reason why they cannot do so in the app. Real-time authentication helps bridge the gap between traditional customer service and modern digital processes, reducing friction and ensuring a smoother user experience.

6. Collaborate with QSAs for Continuous Improvement

Working closely with a Qualified Security Assessor (QSA) ensures that your SCA processes are secure, compliant, and user-friendly. QSAs can help identify and resolve potential issues early on, ensuring that your enrollment processes meet regulatory standards while providing an excellent user experience.

Recommendations for Organizations Transitioning to SCA

1. Conduct User Testing

Before rolling out any new SCA solution, conduct thorough user testing to identify potential issues and ensure the process is both secure and user-friendly.

2. Optimize for Global Users

In a global business environment, ensure that your authentication methods work for international users. This may mean offering alternatives to SMS, such as app notifications or email verification.

3. Ensure Seamless Customer Service Integration

Your customer service team should be empowered to help users who encounter problems during the SCA enrollment process. If a customer is authenticated via phone, they should be able to move forward with the enrollment without additional barriers.

4. Focus on Speed and Security

The authentication process should be fast and secure. Implementing biometrics or other real-time methods can drastically reduce delays while maintaining strong authentication.

Conclusion

The goal of Secure Customer Authentication (SCA) is to verify the user in a way that is both secure and seamless. The example outlined above illustrates how rigid, poorly designed processes can lead to customer frustration and service disruption. By prioritizing user experience, offering flexible and secure options, and collaborating with Qualified Security Assessors (QSAs), organizations can create SCA systems that meet regulatory requirements while delivering a smooth, efficient user experience.

Now is the time to review your SCA processes and ensure they are built to serve both security needs and customer expectations.

Popular

Navigating the Latest PCI DSS Updates: Addressing Requirements 6.4.3 and 11.6.1 for Client-Side Security

5 min read –The release of PCI DSS v4.0 has introduced significant updates to address emerging threats in the payment ecosystem, particularly...

Now is the Time for Organizations to Adopt the Future-Dated Requirements of PCI DSS v4.x

5 min read –The landscape of payment security continues to evolve, and organizations handling cardholder data must stay ahead of the curve...

Secure Customer Authentication: How Not to Do It

5 min read –In today’s digital-first world, secure customer authentication (SCA) is critical for protecting data and meeting regulatory requirements, such as PSD2. While SCA...

Related articles

Navigating the Latest PCI DSS Updates: Addressing Requirements 6.4.3 and 11.6.1 for Client-Side Security

5 min read –The release of PCI DSS v4.0 has introduced significant updates to address emerging threats in the payment ecosystem, particularly...

Now is the Time for Organizations to Adopt the Future-Dated Requirements of PCI DSS v4.x

5 min read –The landscape of payment security continues to evolve, and organizations handling cardholder data must stay ahead of the curve...

Secure Customer Authentication: How Not to Do It

5 min read –In today’s digital-first world, secure customer authentication (SCA) is critical for protecting data and meeting regulatory requirements, such as PSD2. While SCA...

Your advisor is ready to help now.

Your details