A requirement of the EU Revised Directive on Payment Services (PSD2), strong customer authentication (SCA) was set to boost security, particularly online. However, its implementation may be pushed back past its original deadline. What is holding firms up; themselves or the regulation? Patrick Brusnahan writes

The main aspect of SCA requirements is that multi-factor authentication is needed for electronic payments. While cards with Chip-and-PIN are commonly regarded to already have SCA in the EU, online payments cause a problem.

However, with more factors comes more time spent and many retailers and merchants are not happy to give customers another chance to abandon ship.

Keith McGill, head of ID and fraud at Equifax, believes that this change is necessary, but firms need to be careful to not cause damage to their businesses.

He says: “With fraud increasing, and younger generations who love to shop online particularly vulnerable, it’s vital businesses put stronger payment processes in place. The challenge is to strike the right balance between customer convenience and security.

“The online economy is booming because customers find the experience friendly and frictionless. If the new SCA requirements, designed to reduce fraud, make shopping online inconvenient, the potential damage to retailers in lost digital sales could be significant.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Electronic Payments International.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

“However, the new checks are broad in scope and allow businesses to be flexible in creating the right customer experience. Multi-factor authentication for example, based on factors only the user would have or know, is already commonly used by the banks with little friction for customers. While adding measures such as facial recognition or one time passcodes introduces an additional hoop for a shopper to jump through, the disruption remains minimal and most people appreciate the efforts being taken by retailers to protect them.

“Retailers must anticipate the many different types of consumer interactions and build processes accordingly. Smartphones and other handheld devices are rich in features such as cameras, fingerprint readers and even e-chip readers which allow for slick interactions, but other devices may not have the same level of functionality. Checks must be put in place to cater for all those scenarios and give consumers choice in how they authenticate themselves.

“With the advent of Open Banking, retailers also have the option to leverage the existing relationship between a customer and their bank by carrying out authentication using their online banking credentials.

“Retailers should think about the steps taken by the customer throughout the payment journey and where and when it will be necessary to introduce SCA. The need for extra checks will shift depending on the cost of transactions, and retailers selling higher value goods and services won’t want to be perceived as having more inconvenient processes than those that fall below the SCA value thresholds. The success of contactless payments clearly illustrates that consumers will quickly adapt to new payment processes, a good example of a workable model that successfully tackles security concerns without sacrificing customer experience.”

Arnaud Crouzet, VP of security and consulting at FIME, takes a similar view. He adds: “Delivering SCA remains a priority. However, debate was rife about how to add new security measures without simply creating more points of friction for consumers. Friction that is, in turn, harming the sales of retailers.

“Enter: EMV^® 3-D Secure (3DS), a messaging protocol used to identify and verify cardholders for CNP transactions. The specification improves communication between the issuing bank, the acquirer and the merchant. With more work ‘in the background’, it’s able to streamline the user experience, improve approval rates and reduce fraud.

“A compelling authentication solution fit for the digital, omnichannel age, right? But, as with any major system upgrade, implementation does not come without its challenges. The support from a trusted implementation partner can be key to minimise unexpected delays and costs on the path to service launch.”

Jackie Barwell, director fraud product management at ACI Worldwide, thinks the rollout of SCA will help reduce the amount of fraud conducted online.

“Fraudulent activity is costing European countries a fortune (the UK lost more than £1.2bn in 2018 alone),” she comments.

“SCA launches across Europe on September 14 and from then on consumers making a purchase over €30 will be required to provide multiple forms of authentication pre-checkout. These will include; “something they have”, for example the device being used, “something they are” such as the user’s biometric identity and “something they know”, a pin number/password/security code. Card schemes such as Visa and Mastercard have already rolled out their processes (in this case 3D Secure 2.0) to align with this legislation and ensure merchants are ready for the September deadline.

“However, as with any new regulation there is likely to be teething problems. Fraudsters looking to bypass new security systems eventually always find the means to do so. Whether it’s old-fashioned social engineering techniques to dupe contact centre agents or individuals into giving up valuable information, or utilising bots; hundreds, if not thousands of computers controlled by a single command terminal, to send phishing emails, or to embed malware looking to find key data such as passwords and personal information. SCA could also lead to a rise in fraudsters looking to steal or clone devices, giving them access to one of the key authentication channels.

“SCA is a great step towards protecting online transactions, but will not result in a cure for all fraud overnight. To really batten down the hatches merchants must therefore have a range of sophisticated solutions in place. By having a range of such preventative measures in place, merchants and consumers will be a lot more secure.”

Delays

SCA was set to be implemented on September 14 2019, but this is looking less and less likely. While the legal deadline will remain, regulatory bodies are not sure that firms will meet it.

In a statement, the UK’s Financial Conduct Authority (FCA) states: “The FCA recognises the challenges in meeting this deadline and has been working with the industry to develop a plan to migrate the industry to implement SCA for card payments in e-commerce as soon as possible after this.”

The European Banking Authority (EBA) has already said that “limited additional time” can be provided to merchants.

Ralf Ohlhausen, executive advisor at PPRO Group, says: “The delay to the roll-out of the EU-ordered Strong Customer Authentication (SCA) was certainly the right decision to avoid the huge negative impact it would have had on card sales.

“Similar flexibility is also needed to smoothen the introduction of SCA around Open Banking when the EU PSD2 framework becomes effective on September 14th. In many, if not, most cases around Europe, the bank’s dedicated interfaces for Third Party Providers will not be fully ready and they will therefore have to fall back to normal user interfaces.

“However automated services, like low-balance alerts or bookkeeping software, could then not run in the background anymore because users would have to provide second factor authentication all the time. So it is not just card payments, but also many other financial services needing more time before the FCA should enforce SCA in all cases.”

In addition, Tony Hammond, SVP Global Product Delivery at FreedomPay, believes the SCA delays have come naturally due to the complexity of the regulation.

He explains: “Many within the industry have overlooked the fact that two factor authentication will also apply with greater frequency to contactless transactions conducted at point of sale terminals where 1 every 5 transactions or cumulative transactions to the value of £150 will require an additional chip or signature verification. This is likely to have a substantial impact on what has otherwise been a frictionless method of payment and one that has seen the highest growth over any other electronic tender in recent years.

“Many companies have been working to interpret the full impact of PSD2 and how SCA will be applied to a multitude of use cases; some of which had clearly not been anticipated by the European legislature. We have been working extensively with our customers, prospects and partners to inform them of the consequences of SCA and to ensure that all their payment systems are at a full state of readiness across all their sales channels.

“It is my view that by allowing every country’s ‘competent authority’ to negotiate individual national deadlines for SCA compliance only adds unnecessary complexity to what was an already challenging situation. For SCA to work effectively and for merchants to avoid the anticipated increase in declined transactions, all parties in the payment value chain need to have their systems ready simultaneously. There are thousands of companies who need to be certain that their systems inter-operate reliably with others within the eco-system and where the majority are mutually dependent on the readiness of others involved in the payment process.

“The original September deadline provided absolute clarity as to the ‘effective date’ by which SCA should be implemented by all parties, it now remains unclear, particularly for International merchants, as to when acquirers, issuers and authenticators will be at a state of readiness in each country across the European Union.”

Sign up for our daily news round-up!

Give your business an edge with our leading industry insights.

Sign up