New Strong Customer Authentication (SCA) legislation has proven to be among the most controversial changes to the way online payments work in years. Some experts have described its potential consequences as a ‘cliff edge’ for online payments, confronting consumers with new demands for authentication and increasing the likelihood of declined or abandoned transactions.
The European Banking Authority (EBA) is well aware of the confusion surrounding SCA and is allowing some flexibility in its enforcement. However, the new regulations are in place and it’s a matter of just a few months before countries across Europe begin to enforce them.
What is SCA?
Currently, when an online payment is attempted, one of three things will happen. A 3D Secure (3DS) window appears and the cardholder is invited to enter a static passcode; or the 3DS process is initiated but is immediately overridden by the issuer’s own transaction risk analysis, so the 3DS window disappears; or the merchant has issuer-based authentication switched off and instead relies on its own risk analysis.
Strong Customer Authentication aims to improve payment security and is part of the second EU Payment Services Directive (PSD2). SCA seeks to reduce fraud by changing how banks and other payment service providers verify the identity of the person trying to make a payment or requesting account access. It applies to online payments above €30 (£30 in the UK); lower-value payments can be exempted, subject to limits on the cumulative value and number of payments made since the cardholder was last strongly authenticated.
Important dates for SCA
SCA was implemented across Europe on 14 September 2019. However, the lack of clarity and industry readiness resulted in the EBA issuing statements in June 2019 and October 2019 that created a period of supervisory flexibility, allowing National Competent Authorities to hold back on enforcing the regulation until 31 December 2020.
Most EEA countries are expected to start enforcing SCA at that point; the UK, however, has announced that its enforcement will start from March 2021. France was initially on a three-year timeline, but recent developments suggest that it is falling into line with the EBA’s deadline at the end of this year.
Three types of validation
Under SCA, a card payment can no longer be authenticated by a single check such as a code sent to the customer’s mobile phone. Consumers must present two independent factors drawn from different categories, out of three possible categories. The three categories of authentication are:
- knowledge: something only the consumer knows, such as a password or PIN
- possession: something only the consumer has, such as the phone (and its SIM) that receives a one-time code, or a registered device
- inherence: something the consumer is, such as their face, fingerprint or other biometric
What is the problem with Strong Customer Authentication?
Many banks and third-party providers had expected that the data printed on the consumer’s credit or debit card, combined with a ‘one-time password’, would count as two acceptable authentication factors. The EBA’s opinion of June 2019 confirmed that this is not the case: card details are not a valid knowledge factor. This has created a big problem for card issuers that is taking time to address.
Payments industry influencer, Paul Rodgers, has been amongst the most vocal regarding the potential impact of SCA. Rodgers is a member of the UK’s SCA Programme Steering Group, sits on the UK Financial Conduct Authority’s SCA Monitoring Forum and is chairman of payments industry forum Vendorcom. Rodgers told Monneo, “With the lack of a cohesive plan and leadership, the card-based ecommerce economy in Europe remains at risk. This is particularly true of the cross-border digital economy as national regulatory authorities continue to pursue varying strategies that will lead to cardholder and consumer confusion. Whether you are a solutions provider or merchant user of payment systems, your business is at risk if you do not respond urgently.”
How do ecommerce merchants comply with SCA?
SCA can usually be achieved through 3DS version 2, also known as EMV 3-D Secure. Mastercard has implemented it as Mastercard Identity Check and Visa through its Visa Secure solution. Solution providers are currently being accredited to versions 2.1 and 2.2 of this protocol.
3DS version 2 is more secure and user-friendly than the first iteration of 3DS. While the first 3DS process was effective in reducing fraud by redirecting consumers to an authentication page on their bank’s website, it disrupted the customer journey. Online merchants are especially keen to reduce such points of friction and eliminate opportunities for consumers to drop out of the payment process.
Under 3DS version 2, data such as device and browser information is transmitted to the issuer automatically as part of the authentication request. If the issuer’s risk analysis finds this data sufficient to treat the transaction as low risk, the cardholder is authenticated in the ‘frictionless’ flow without doing anything else. If the data is insufficient to determine the risk involved with the transaction, the issuer falls back to the ‘challenge’ flow, and the two-factor authentication mandated under SCA is required.
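As an added illustration of the two preceding passages (the three factor categories and the 3DS version 2 frictionless versus challenge split), the following Python models the decision an issuer’s risk engine has to make on an authentication request. It is example code written for this page, not code from any card scheme, issuer or 3DS vendor. The factor-to-category mapping, the `device_risk_score` input and the `LOW_RISK_THRESHOLD` cut-off are assumptions; the €30, €100 and five-payment limits are those of the low-value exemption in the PSD2 Regulatory Technical Standards.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the cardholder knows
    POSSESSION = "possession"  # something only the cardholder has
    INHERENCE = "inherence"    # something the cardholder is


# Assumed mapping from evidence a cardholder can present to its SCA category.
# A PIN or password is knowledge; an SMS code or app approval proves possession
# of the phone; biometrics are inherence. Printed card data (PAN, expiry, CVV)
# maps to None because the EBA's June 2019 opinion does not accept it as a factor.
FACTOR_CATEGORIES = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "sms_otp": Category.POSSESSION,
    "app_approval": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
    "card_details": None,
}


def satisfies_sca(presented):
    """True when the presented evidence covers two distinct SCA categories.

    Two items from the same category (PIN + password) do not count as two
    factors, and evidence that is not a factor at all is ignored.
    """
    categories = {FACTOR_CATEGORIES.get(item) for item in presented}
    categories.discard(None)
    return len(categories) >= 2


@dataclass
class CardHistory:
    """Issuer-side counters, reset each time the card is strongly authenticated."""
    spent_since_last_sca_eur: float = 0.0
    payments_since_last_sca: int = 0


# Low-value exemption limits from Article 16 of the PSD2 RTS on SCA.
LOW_VALUE_LIMIT_EUR = 30.0
CUMULATIVE_AMOUNT_LIMIT_EUR = 100.0
CUMULATIVE_COUNT_LIMIT = 5

# Hypothetical risk-score cut-off for the frictionless flow; a real issuer ties
# this to its fraud rate and the transaction-risk-analysis exemption limits.
LOW_RISK_THRESHOLD = 0.3


def low_value_exempt(amount_eur, history):
    """Low-value exemption: the payment is at most EUR 30 and, since the last
    SCA, previous payments total at most EUR 100 or number at most five."""
    if amount_eur > LOW_VALUE_LIMIT_EUR:
        return False
    within_amount = history.spent_since_last_sca_eur <= CUMULATIVE_AMOUNT_LIMIT_EUR
    within_count = history.payments_since_last_sca <= CUMULATIVE_COUNT_LIMIT
    return within_amount or within_count


def decide_3ds2_flow(amount_eur, history, device_risk_score, presented=()):
    """Model of an issuer's decision on an EMV 3DS authentication request.

    device_risk_score is assumed to run from 0.0 (clean) to 1.0 (suspicious),
    derived from the device and browser data carried in the request. Returns
    'frictionless' (no cardholder interaction), 'challenge' (two factors are
    needed and have not been presented) or 'authenticated' (challenge passed).
    """
    if low_value_exempt(amount_eur, history):
        return "frictionless"
    if device_risk_score < LOW_RISK_THRESHOLD:
        return "frictionless"
    if satisfies_sca(presented):
        return "authenticated"
    return "challenge"


if __name__ == "__main__":
    # Constructed scenarios, not real transactions.
    fresh = CardHistory()
    heavy = CardHistory(spent_since_last_sca_eur=120.0, payments_since_last_sca=6)
    print(decide_3ds2_flow(20.0, fresh, 0.9))   # frictionless: low-value exemption
    print(decide_3ds2_flow(20.0, heavy, 0.9))   # challenge: cumulative limits exhausted
    print(decide_3ds2_flow(250.0, fresh, 0.1))  # frictionless: issuer risk analysis
    print(decide_3ds2_flow(250.0, fresh, 0.8, ["card_details", "sms_otp"]))  # challenge
    print(decide_3ds2_flow(250.0, fresh, 0.8, ["pin", "sms_otp"]))           # authenticated
```

The two edge cases worth noticing are in `satisfies_sca`: a PIN plus a password is still one category, so it fails, and card details plus an SMS code fails because the card data contributes no factor at all, which is exactly the combination the EBA rejected. The counters in `CardHistory` are what make the low-value exemption run out after repeated small payments, forcing a challenge on the next one.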
What to do next
Many small online merchants will probably find that 3DS version 2 is sufficient for SCA compliance. Others will need to consider carefully the profile of their transactions and how many are likely to require additional authentication. Merchants should consult their acquirer or gateway service provider, especially if their gateway is independent of their acquirer. Now is the time to explore whether their transactions could be exempt from SCA requirements, to protect their business model and ensure long-term viability.