Verification of Payee and PSD2 Strong Customer Authentication

It is easy to assume strong customer authentication already covers payment safety. It does not. SCA and Verification of Payee answer two different questions, and you need both.

By Verification of Payee EU · powered by RoxPay

Key takeaways

  • SCA under PSD2 authenticates the payer: it confirms who is initiating the payment.
  • VoP confirms the payee: it checks the money is going to the intended account.
  • Authenticating the payer does nothing to stop a payment sent to the wrong account.

Strong customer authentication (SCA), introduced by PSD2, has done a great deal to reduce unauthorised fraud — payments made by someone who is not the account holder. But a huge and growing share of losses comes from authorised payments: the genuine customer, properly authenticated, sends money to an account they believe is correct but is not. SCA cannot help there, because the payer is exactly who they claim to be.

Two questions, two controls

  • SCA asks: is this really the account holder initiating the payment?
  • VoP asks: does the destination account actually belong to the intended payee?
  • A scam victim passes SCA perfectly while sending money to a fraudster.

Why you need both

Authentication and payee verification protect different stages. One secures the identity of the person paying; the other secures the destination of the funds.

  1. SCA at initiation confirms the payer and reduces account takeover and unauthorised fraud.
  2. VoP before authorisation confirms the payee and reduces misdirected and authorised push payment fraud.
  3. Together they close both the 'who is paying' and 'who is being paid' gaps.

Strong auth is not strong enough alone

A perfectly authenticated payer can still be tricked into paying a fraudster. Verification of Payee is the layer that addresses that, which is why the Instant Payments Regulation mandates it separately.

RoxPay's Verification of Payee complements your existing SCA, adding the payee-side confirmation that authentication was never designed to provide.

Frequently asked

No. SCA authenticates the payer, not the payee. A correctly authenticated customer can still be tricked into sending money to the wrong account, which is what VoP addresses.

No. They are complementary. SCA secures who is initiating the payment; VoP secures where the money is going. You need both.

SCA comes from PSD2; the obligation to offer Verification of Payee comes from the Instant Payments Regulation. They are separate requirements addressing different risks.

Add the payee-side layer

Talk to RoxPay about adding Verification of Payee alongside your existing SCA.