A requirement of the EU Revised Directive on Payment Services (PSD2), strong customer authentication (SCA) was set to boost security, particularly online. However, its implementation may be pushed back past its original deadline. What is holding firms up: themselves or the regulation? Patrick Brusnahan writes.
The main aspect of SCA requirements is that multi-factor authentication is needed for electronic payments. While cards with Chip-and-PIN are commonly regarded as already having SCA in the EU, online payments cause a problem.
However, with more factors comes more time spent, and many retailers and merchants are not happy to give customers another chance to abandon ship.
Keith McGill, head of ID and fraud at Equifax, believes that this change is necessary, but firms need to be careful to not cause damage to their businesses.
He says: “With fraud increasing, and younger generations who love to shop online particularly vulnerable, it’s vital businesses put stronger payment processes in place. The challenge is to strike the right balance between customer convenience and security.
“The online economy is booming because customers find the experience friendly and frictionless. If the new SCA requirements, designed to reduce fraud, make shopping online inconvenient, the potential damage to retailers in lost digital sales could be significant.
“However, the new checks are broad in scope and allow businesses to be flexible in creating the right customer experience. Multi-factor authentication for example, based on factors only the user would have or know, is already commonly used by the banks with little friction for customers. While adding measures such as facial recognition or one time passcodes introduces an additional hoop for a shopper to jump through, the disruption remains minimal and most people appreciate the efforts being taken by retailers to protect them.
“Retailers must anticipate the many different types of consumer interactions and build processes accordingly. Smartphones and other handheld devices are rich in features such as cameras, fingerprint readers and even e-chip readers which allow for slick interactions, but other devices may not have the same level of functionality. Checks must be put in place to cater for all those scenarios and give consumers choice in how they authenticate themselves.
“With the advent of Open Banking, retailers also have the option to leverage the existing relationship between a customer and their bank by carrying out authentication using their online banking credentials.
“Retailers should think about the steps taken by the customer throughout the payment journey and where and when it will be necessary to introduce SCA. The need for extra checks will shift depending on the cost of transactions, and retailers selling higher value goods and services won’t want to be perceived as having more inconvenient processes than those that fall below the SCA value thresholds. The success of contactless payments clearly illustrates that consumers will quickly adapt to new payment processes, a good example of a workable model that successfully tackles security concerns without sacrificing customer experience.”
Arnaud Crouzet, VP of security and consulting at FIME, takes a similar view. He adds: “Delivering SCA remains a priority. However, debate was rife about how to add new security measures without simply creating more points of friction for consumers. Friction that is, in turn, harming the sales of retailers.
“Enter: EMV® 3-D Secure (3DS), a messaging protocol used to identify and verify cardholders for CNP transactions. The specification improves communication between the issuing bank, the acquirer and the merchant. With more work ‘in the background’, it’s able to streamline the user experience, improve approval rates and reduce fraud.
“A compelling authentication solution fit for the digital, omnichannel age, right? But, as with any major system upgrade, implementation does not come without its challenges. The support from a trusted implementation partner can be key to minimise unexpected delays and costs on the path to service launch.”
Jackie Barwell, director fraud product management at ACI Worldwide, thinks the rollout of SCA will help reduce the amount of fraud conducted online.
“Fraudulent activity is costing European countries a fortune (the UK lost more than £1.2bn in 2018 alone),” she comments.
“SCA launches across Europe on September 14 and from then on consumers making a purchase over €30 will be required to provide multiple forms of authentication pre-checkout. These will include: “something they have”, for example the device being used, “something they are” such as the user’s biometric identity and “something they know”, a pin number/password/security code. Card schemes such as Visa and Mastercard have already rolled out their processes (in this case 3D Secure 2.0) to align with this legislation and ensure merchants are ready for the September deadline.
“However, as with any new regulation there are likely to be teething problems. Fraudsters looking to bypass new security systems eventually always find the means to do so. Whether it’s old-fashioned social engineering techniques to dupe contact centre agents or individuals into giving up valuable information, or utilising bots: hundreds, if not thousands of computers controlled by a single command terminal, to send phishing emails, or to embed malware looking to find key data such as passwords and personal information. SCA could also lead to a rise in fraudsters looking to steal or clone devices, giving them access to one of the key authentication channels.
“SCA is a great step towards protecting online transactions, but will not result in a cure for all fraud overnight. To really batten down the hatches merchants must therefore have a range of sophisticated solutions in place. By having a range of such preventative measures in place, merchants and consumers will be a lot more secure.”
SCA was set to be implemented on September 14 2019, but this is looking less and less likely. While the legal deadline will remain, regulatory bodies are not sure that firms will meet it.
In a statement, the UK’s Financial Conduct Authority (FCA) states: “The FCA recognises the challenges in meeting this deadline and has been working with the industry to develop a plan to migrate the industry to implement SCA for card payments in e-commerce as soon as possible after this.”
The European Banking Authority (EBA) has already said that “limited additional time” can be provided to merchants.
Ralf Ohlhausen, executive advisor at PPRO Group, says: “The delay to the roll-out of the EU-ordered Strong Customer Authentication (SCA) was certainly the right decision to avoid the huge negative impact it would have had on card sales.
“Similar flexibility is also needed to smoothen the introduction of SCA around Open Banking when the EU PSD2 framework becomes effective on September 14th. In many, if not most, cases around Europe, the bank’s dedicated interfaces for Third Party Providers will not be fully ready and they will therefore have to fall back to normal user interfaces.
“However automated services, like low-balance alerts or bookkeeping software, could then not run in the background anymore because users would have to provide second factor authentication all the time. So it is not just card payments, but also many other financial services needing more time before the FCA should enforce SCA in all cases.”
In addition, Tony Hammond, SVP Global Product Delivery at FreedomPay, believes the SCA delays have come naturally due to the complexity of the regulation.
He explains: “Many within the industry have overlooked the fact that two-factor authentication will also apply with greater frequency to contactless transactions conducted at point of sale terminals where 1 in every 5 transactions or cumulative transactions to the value of £150 will require an additional chip or signature verification. This is likely to have a substantial impact on what has otherwise been a frictionless method of payment and one that has seen the highest growth over any other electronic tender in recent years.
“Many companies have been working to interpret the full impact of PSD2 and how SCA will be applied to a multitude of use cases; some of which had clearly not been anticipated by the European legislature. We have been working extensively with our customers, prospects and partners to inform them of the consequences of SCA and to ensure that all their payment systems are at a full state of readiness across all their sales channels.
“It is my view that allowing every country’s ‘competent authority’ to negotiate individual national deadlines for SCA compliance only adds unnecessary complexity to what was an already challenging situation. For SCA to work effectively and for merchants to avoid the anticipated increase in declined transactions, all parties in the payment value chain need to have their systems ready simultaneously. There are thousands of companies who need to be certain that their systems inter-operate reliably with others within the ecosystem and where the majority are mutually dependent on the readiness of others involved in the payment process.
“The original September deadline provided absolute clarity as to the ‘effective date’ by which SCA should be implemented by all parties. It now remains unclear, particularly for international merchants, as to when acquirers, issuers and authenticators will be at a state of readiness in each country across the European Union.”