After months of delay, Strong Customer Authentication (SCA) finally came into effect on 31 December 2020. The guidelines require merchants in Europe to make online payments more secure by offering multi-factor authentication at the checkout. But how are their solutions fairing? Evie Rusman writes
In order to comply with SCA guidelines, merchants, issuers and acquirers across Europe have had to completely change how they operate – a change which takes time.
Speaking to EPI, Tony Hammond, Senior Vice President for Global Product Delivery at FreedomPay Europe, discusses how the regulation has altered the payments landscape.
He says: “The SCA changes affect the entire payment eco-system from card issuers, to acquirers, to gateway service providers, point of service software providers and so on. When the PSD2 was published, it would inevitably take time for the major card schemes to develop new changes.
“These changes not only need to look at how an account holder was authenticated but also how industry practices would be affected such as the obtaining of card information ‘by proxy’ as is common in the hotel, car hire and other sectors. This has had a major impact on the way that companies in that sector can operate and go forward.”
Hammond argues the industry has not had enough time to prepare for the SCA deadline. “The main challenge for merchants has been the limited time they have had to prepare relative to the publication of revised standards and the inevitable time it takes for changes to be implemented and tested across all systems in the eco-system,” he adds. “These are changes that often take many years – certainly more time than the card industry was allowed.”
Covid strikes again
As well as this, during the lead up to the SCA deadline, industry players were bombarded with a number of extra challenges at the hands of Covid-19.
Due to country lockdowns, people were forced to do most of their shopping online as it was almost impossible to do it by any other means.
As a result, payment fraud levels experienced a spike, with hackers using the pandemic to exploit consumers and obtain their bank card details through methods such as phishing emails.
Cause for concern
Pre-pandemic, fraud was already a serious cause for concern – in Europe in 2018 the total value of fraudulent transactions conducted using cards issued within the SEPA was $1.8bn. Card not present (CNP) payments dominated this figure, accounting for 79% of card fraud.
And Covid-19 has only accelerated this. In the first half of 2020, banks reported an 84% increase in impersonation scams, as criminals exploited the crisis.
This has meant that banks, merchants, issuers, and acquirers had to act fast and create tools sufficient to withstand such attacks.
Speaking to EPI, Tony Hammond, managing director at FreedomPay Europe, discusses how merchants are doing when it comes to providing efficient, SCA-compliant solutions.
He says: “So long as merchants implement 3DS version 2.x then they stand the best chance of removing friction and/or authentication challenges in their on-line sales and ordering processes. In short, without 3DS2, they should reasonably expect to see a steady increase in declined transactions from European card issuers as of 1st January this year.”
Shopping cart abandonment
Hammond has also warned that SCA regulations could cause shopping cart abandonment to rise.
“If the merchant has not taken steps to implement 3DS2 and/or obtained the necessary exemptions from SCA,” he says. “From the consumer’s point of view, it’s likely they will see their card declined and through no fault of their own. Consumers are more likely to gravitate to those that make payment fast as well as secure.”
Hammond continues: “Ensure that your point of sale and online systems are SCA compliant. Speak to your acquirer about the possibility of a TRA exemption that will subject less of your transactions to an authentication challenge.
“This will often require you to complement your solution with fraud management tools. The latest in fraud management systems use machine learning, effectively helping you manage fraud on ‘auto-pilot’ – only dealing with the exceptions when needed.”
According to market research company Forrester, shopping cart abandonment costs brands $18bn in lost sales each year. In addition, a report from Today, which was conducted in June, also states that since the start of the pandemic, cart abandonment has risen significantly.
However, it is not all worries and woes – so far, it has been a quiet start to the year when it comes to payments regulation. Since SCA was officially implemented, merchants and customers appear to have continued to operate without any major hiccups. This marks a promising start to 2021 and a hopeful future for the payments sector.
SCA was first introduced in 2019 as part of the Europe Revised Directive on Payments Services (PSD2).
The original deadline was set for September 2019, however, after concern from industry players, the European Banking Authority (EBA) extended the deadline by 18 months to 31 December 2020.
This move by the EBA came after the UK’s financial regulator the FCA implemented the delay first. Following the announcement by the FCA, the Central Bank of Ireland also quickly announced a delay in rolling out SCA.
In April 2020, the FCA extended the deadline again for the UK to 14 September 2021. The regulator stated Covid-19 as the reason for making its decision.
However, the EBA stuck to its original extension, keeping a firm deadline of the 31 December 2020 for the rest of Europe.