By Kevin McAdam, VP Card Services & Global Strategy at Global Processing Services
“As many as 60% of merchants are not ready for SCA”
We are fast approaching September, the month in which Strong Customer Authentication (SCA) was going to be implemented, but how many organisations really know what the regulation is, or have even planned for the outcome? Research published by PYMNTS.com recently implied as many as 60% of merchants are not ready, and a report by the Emerging Payment Association (EPA) stated that although 75% of Issuers would be ready for compliance, they would not be ready to operate effectively.
Against this background of uncertainty and change, the Financial Conduct Authority (FCA) recently announced that SCA would be delayed beyond the 14th September within the UK. There is no firm date scheduled for when a new target or phased approach will be announced, although the money is on at least an 18-month delay.
Although the FCA has announced the delay, this means only that it will not take enforcement action against a business that has not met the Regulatory Technical Standards (RTS); organisations will still need to demonstrate that they are taking the necessary steps to prepare to comply with SCA. To add to the mix, the regulatory authority in Denmark will be introducing SCA as planned, but no other jurisdiction at this stage has followed Denmark's lead.
This disjointed timeline will add complexity to an already complex issue, as organisations that have pan-European business operations will need to ensure they are meeting the requirements of the residents of each of the jurisdictions in which they operate.
Whilst the European Banking Authority (EBA) has offered issuers time to prepare, it has also proposed that each jurisdiction should set out its own SCA roadmap – which could have wider implications if different proposed go-live dates and methods are introduced across Europe.
So what has created this tale of woe when so much other regulation has met the required date? Why are we at this juncture, and how have we reached the stage where a lack of understanding, or misunderstanding, of SCA is rife across the industry? Merchants are a key part of the process, as they need to balance two-factor authentication (2FA) whilst still trying to maintain a frictionless process for customers.
But why is Strong Customer Authentication so important?
Fundamentally, SCA is required because E-Commerce card payment fraud costs the UK in the region of £310m annually (EPA Research), and there is a determination and need within the industry to work together by introducing enhanced security controls, one of which is the adoption of SCA.
The RTS on SCA and the common secure communication (CSC) underpin the new security requirements under PSD2 and regulate access for newly formed Account Information Service Providers (AISP) and Payment Initiation Service Providers (PISP) to customer account data held by account servicing payment service providers. Under PSD2, SCA is an authentication process based on two or more security measures, which are classed as knowledge (something only the user knows, e.g. a password or PIN), possession (something only the user possesses, e.g. a card evidenced by a card reader or QR Code) and inherence (something personal to the user, e.g. biometrics).
Just as Chip & PIN was adopted to fight fraud, SCA is seen as driving further controls, because the methods used to commit fraud are becoming ever more sophisticated. SCA is explicitly linked to the development of Open Banking, so the success of this piece of regulation matters: it is a key part of the Open Banking jigsaw, not to mention its longer-term implications for the very fabric that is so important for PSD2 – greater interoperability, open APIs, customer access and improvements.
Unfortunately, it is being alleged in some quarters that Merchants have not been fully informed by their Card Acquirers as to what is required to be compliant, and Retailers have been even less informed. The expectation is therefore that authentication requests will increase and transaction declines will rise, not by a small margin but at quantum-leap levels, from one in every hundred transactions to up to one in every four, and that the whole customer experience will be diminished.
In terms of the steps taken, Issuers are focusing on One Time Passwords (OTP) delivered via SMS to a mobile phone, authentication within a mobile banking app through the use of 3DS technology, and biometrics. Whilst there are some reservations about how effectively OTP and 3DS will work, biometrics is seen as the way forward because it has less UX friction, but it is still in development owing to cost and the immaturity of the technology.
It has also been reported that there are delays to the availability of 3DS v2.1 authentication to retailers because many UK issuers use the same 3DS ACS provider. However, it is expected that most retailers will be ready by the end of 2019. 3DS v2.1 is seen as a better option, leading to 3DS v2.2+, because the technology will satisfy SCA legal requirements – OTP delivered by SMS, in-app authentication and biometrics.
“Change is coming…but the world is watching”
Amongst this change and confusion it is clear the entire payment ecosystem is not prepared for this material change, but the world is watching. When you talk with businesses in all four corners of the world, what the UK is doing with respect to Open Banking is being observed and copied by every other country. Some have issued or will soon issue their own Open Banking APIs, but all are taking their lead from the UK. Sorting out SCA is therefore critical to the continued drive to combat fraud and, most importantly, to offering customers greater choice and access. If it is to be delayed by up to 18 months, we don’t have second chances to maintain the trust of the public, so the industry must be ready for SCA and all the benefits this will bring to Open Banking.
*In preparing this blog, I have reviewed documents by the European Banking Authority, Emerging Payment Association and various other business articles, as well as experience and thoughts from the part Global Processing Services play in the payment ecosystem.