While parts of the EU’s Revised Payment Services Directive (PSD2) have come into effect with little fanfare, the Strong Customer Authentication (SCA) requirement has been met with confusion, consternation and even panic. The rollout was originally set for an effective date of September 14, 2019, but the concerted pushback from the payments industry has regulators reconsidering.
SCA establishes authentication requirements for online payments and is designed to reduce fraud and improve security. If an online purchase is above the threshold limits and is not exempt, two-factor authentication is required. SCA requires the authentication to include at least two of the following three elements, and the elements must be independent of each other so that compromising one does not compromise the others:
- Something the customer knows (knowledge, such as a password)
- Something the customer has (possession, such as a card or phone)
- Something the customer is (inherence, such as biometrics)
Authentication is an extra step in the payments workflow that better establishes whether the person is who they claim to be. For example, the customer might be sent a text message on their mobile phone that prompts a response; a successful response evidences possession of the phone. If that response includes a password, the confirmed knowledge element serves as the second element and the SCA criteria are met.
However, requiring a password after a prompt is not the smoothest customer experience: the password prompt might strike a user as a phishing attempt, and the user has to remember and enter the correct password. Using 3DS 2.0, an update of the 3-D Secure payments messaging protocol, allows a biometric to serve as the second element: a message is sent to the customer's mobile device, and if the customer logs in with a biometric, the possession and inherence elements together meet the SCA requirement. Another option is a confirmation message in a banking app, which delivers the possession element plus either a password or a biometric login as the second element.
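The rule that matters when wiring up these flows is that the two elements must come from two different categories: a password plus a PIN is two factors but only one element, and an SMS code evidences possession of the phone, not knowledge. The following is an added example (not code from the article or from any card scheme, issuer or 3-D Secure implementation) that evaluates a list of completed authentication events against that rule. The method names, the method-to-element mapping and the scenario inputs are assumptions constructed for illustration.

```python
"""Added example: does a set of completed authentication events satisfy the
PSD2 SCA "two of three distinct element categories" rule?
Method names and the METHOD_ELEMENT mapping are hypothetical, not any scheme's
or issuer's real configuration."""
from dataclasses import dataclass
from enum import Enum


class Element(Enum):
    KNOWLEDGE = "knowledge"    # something the customer knows
    POSSESSION = "possession"  # something the customer has
    INHERENCE = "inherence"    # something the customer is


# Hypothetical mapping from an authentication method to the SCA element it
# evidences. An SMS one-time code evidences possession of the phone, not
# knowledge: the code was sent to the customer, not memorised by them.
METHOD_ELEMENT = {
    "password": Element.KNOWLEDGE,
    "pin": Element.KNOWLEDGE,
    "sms_otp": Element.POSSESSION,
    "app_push_confirm": Element.POSSESSION,  # confirmation inside the bank's app
    "device_biometric": Element.INHERENCE,   # fingerprint/face unlock on the device
}


@dataclass(frozen=True)
class AuthEvent:
    method: str
    success: bool


def evidenced_elements(events):
    """Return the set of distinct element categories proven by successful events.

    An unknown method raises instead of being ignored, so a misconfigured method
    name cannot silently weaken the check (or, if mis-mapped, strengthen it).
    """
    elements = set()
    for event in events:
        if event.method not in METHOD_ELEMENT:
            raise ValueError(f"unknown authentication method: {event.method!r}")
        if event.success:
            elements.add(METHOD_ELEMENT[event.method])
    return elements


def sca_satisfied(events):
    """SCA is met only when at least two *different* categories are evidenced.

    Two factors from the same category (password + PIN) do not count, and a
    failed factor contributes nothing regardless of how many were attempted.
    """
    return len(evidenced_elements(events)) >= 2


# Constructed scenarios matching the flows described in the text above.
SMS_THEN_PASSWORD = [AuthEvent("sms_otp", True), AuthEvent("password", True)]
APP_BIOMETRIC_3DS2 = [AuthEvent("app_push_confirm", True), AuthEvent("device_biometric", True)]
TWO_KNOWLEDGE_FACTORS = [AuthEvent("password", True), AuthEvent("pin", True)]
SMS_THEN_WRONG_PASSWORD = [AuthEvent("sms_otp", True), AuthEvent("password", False)]


def summarise():
    """Evaluate every constructed scenario; returns {scenario_name: sca_met}."""
    return {
        "sms_then_password": sca_satisfied(SMS_THEN_PASSWORD),
        "app_biometric_3ds2": sca_satisfied(APP_BIOMETRIC_3DS2),
        "two_knowledge_factors": sca_satisfied(TWO_KNOWLEDGE_FACTORS),
        "sms_then_wrong_password": sca_satisfied(SMS_THEN_WRONG_PASSWORD),
    }


if __name__ == "__main__":
    for name, ok in summarise().items():
        print(f"{name:24s} {'SCA met' if ok else 'step-up still required'}")
```

The check deliberately collapses factors to their category before counting, which is the mistake most easily made when a "number of factors completed" counter is used instead: the password-plus-PIN scenario completes two factors yet still needs a step-up.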
Real-world impacts of the SCA
While the goals of better security and reduced fraud are laudable, members of the payments industry have voiced serious concerns. One concern is the customer experience: if the buying process is slowed down or complicated, the fear is that many customers will simply abandon the purchase. One study by 451 Research suggests that the European online economy will lose €57 billion due to implementation of SCA.
The cardholder's institution (the issuer) will determine whether a transaction qualifies for an exemption from SCA or whether SCA must be applied. Many online retailers, especially smaller ones, fear that on September 15 issuers will challenge transactions on a widespread basis, forcing the retailer to go back to the consumer for authentication. By then the consumer might no longer be in the purchase flow, and the transaction will not complete.
A study commissioned by The Emerging Payments Association indicates that, “unless a managed roadmap is agreed SCA is expected to see step-up authentication requests increase from 2 percent to 30-50 percent and transaction declines rise from 3 percent to 25-30 percent.”
Another major concern is the cost, time and complexity of implementing an SCA-compliant solution. While many companies have already made the transition to SCA techniques such as 3DS 2.0, the 451 Research study points out that 60 percent of companies with under 100 employees will either miss the September deadline or are unsure of when they will be ready. The merchant is not the only potential stumbling block; the entire payments chain needs to be ready, including the gateway, acquirer, payment network and issuer.
It's also not simply a matter of having SCA technology in place; the setup of payment and exemption workflows is substantially different from today's and requires careful consideration of how different countries and card networks will manage SCA.
As payment giant Stripe states, “the changes introduced by this new regulation are set to deeply affect internet commerce in Europe. Impacted businesses that don’t prepare for these new requirements could see their conversion rates significantly drop once SCA is enforced.”
Regulators’ response — SCA migration plan
The fact is, SCA requirements are not some new demand recently foisted upon the market. The European Banking Authority (EBA) issued an opinion in June regarding the implementation of SCA that pointed out that the industry has had sufficient time to prepare for the application date. The definition of SCA was published in 2015, and an additional 18-month period for the industry to implement SCA was already granted.
Having said that, “the Opinion acknowledges the complexity of the payments markets across the EU and the challenges arising from the changes that are required. The EBA, therefore, accepts that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, NCAs (national competent authorities) may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time.”
Thus, it is up to the national regulators to postpone the SCA enforcement date. However, this extension is not unlimited; the Opinion stated that, “this supervisory flexibility is available under the condition that PSPs have set up a migration plan, have agreed the plan with their NCA, and will execute the plan in an expedited manner.”
The UK’s regulator has already granted an extension: “The FCA will not take enforcement action against firms if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan. At the end of the 18-month period, the FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA.”
The Central Bank of Ireland also recognizes the difficulties with meeting the SCA deadline and has also stated that they “have been engaging with the industry to develop a migration plan to implement SCA for ecommerce transactions, as soon as possible after this date.” They are calling for a harmonized approach, which some experts are suggesting as an 18-month extension to align with the UK, although no exact time frame was stated.
While other countries have not announced official opinions as of yet, there are various statements that indicate extensions will be forthcoming. For example, a note written by Raimund Röseler, chief executive director of (German banking supervisor) BaFin, stated, “It is feared that on September 14 these companies will not be able to use credit card payments. The European Banking Authority (EBA) has granted national supervisory authorities some flexibility … BaFin is prepared to use this to avoid detrimental experience for the payer.”
Note that, even if extensions are granted, they don’t negate the need to consider and implement an effective SCA system. Elsewhere across Europe, banks are informing their customers that they need to take specific actions, such as registering or updating their mobile phone number or downloading an updated mobile app. To ensure that payment flows are smooth and secure and don’t negatively impact the buying process, organizations need to set up their technology, rules and processes for a successful SCA migration plan as soon as possible.