Security

James Devoy, EVP for cyber risk services at Sysnet writes for Payment Expert on the importance of balancing security and efficiency as the regulatory climate evolves.

Next year, with the expiry of the European Banking Authority's (EBA) migration deadline, the Payment Services Directive's (PSD2) Strong Customer Authentication (SCA) requirements will come fully into play. Between now and the 31st December 2020 deadline, the industry is doing all it can to fulfil the SCA requirements laid out by the EBA. Many C-Suite executives are concerned about the negative impact that a lack of payments industry readiness could have on their business, and about the effect SCA itself may have on their customers.

One of the main concerns with SCA is the change to the payment process. That concern is justified: the main objective of SCA is to enhance security and reduce fraud by introducing more robust means of authenticating the identity of the consumer and confirming their consent to the payment transaction. With these enhancements, consumers may have to take additional steps to complete their purchase. Those steps may complicate or slow down the checkout process and, at worst, could cause a customer to abandon the transaction altogether.

As such, there is a need for SCA solutions to balance increased consumer security and fraud protection against the risk of abandonment by consumers facing multiple authentication steps.  

‘Marketing’ the benefits of SCA to end-users  

According to the EBA, the potential impact of SCA on the consumer checkout experience can be addressed by raising consumer awareness of the upcoming changes. Much of the impact that could lead consumers to abandon their transactions can be avoided if card issuers and account servicing payment service providers (ASPSPs, the entities responsible for enforcing SCA on their card/account holders), together with merchant businesses, effectively 'market' the changes to them.

Consumers understand the importance of security: research from last year revealed that 65% of consumers view data privacy as the most important factor when considering a company's trustworthiness. That is why companies must be fully set up to inform their customers about the benefits of SCA, namely security, while managing their expectations and perceptions of the upcoming changes. If they do so successfully, most customers will be more understanding of a slightly longer checkout time.

The proof is in the pudding as well. Merchant businesses have reported positive consumer responses following deployment of dual-tone multi-frequency (DTMF) based telephone payment solutions, in which the caller keys card details on the phone keypad so the agent never hears them, deployed to support the merchant's PCI DSS compliance. These businesses were initially nervous about the impact DTMF-based telephone payments would have on their customers' purchase experience.

They recognised that, to ensure consumer acceptance, it was vital that customers were made aware of the positives these changes bring before they experienced the new telephone payments process and anything they might consider a negative. For example, some callers may complain about the difficulty of entering payment card details on their telephone keypad; however, this is a safer alternative to speaking those details aloud in a place where they may be overheard. For SCA, as for DTMF-based telephone payment solutions, businesses need to counter negative consumer perceptions by emphasising the benefits and advantages of the new process.

It is important that businesses support SCA, otherwise transactions will be declined for lack of consumer authentication. Businesses need to understand the available SCA methods and the available integration and support options, and to work with their acquirers and payment service providers/payment gateways to maximise their use of SCA exemptions and their ability to offer a frictionless checkout experience.

EMV 3D Secure, a messaging protocol that enables cardholder authentication with the card issuer for remote electronic transactions, is expected to be the industry standard method for SCA. EMV 3D Secure relies on risk-based authentication by the issuer, based on data captured during checkout and on transaction history. It is capable of frictionless authentication, which keeps the checkout process quick; however, the frictionless flow is not available in every situation, and the issuer may still decide to challenge the cardholder.

Merchant businesses need to ensure their online payment channels support both 3D Secure 1 and the latest version of EMV 3D Secure. By doing so, SCA can be performed using the highest version of 3D Secure supported by the card issuer, minimising the risk of transaction declines and offering customers the simplest and most streamlined checkout experience available. The latest versions of EMV 3D Secure also support features that businesses should use as fully as possible, because they reduce the number of times cardholder interaction is required for SCA. These include SCA exemption flagging, which helps merchants apply all of the exemptions permitted by the EBA, and non-payment SCA, which can be used, for example, when establishing an agreement with the cardholder for future payments.

Non-payment SCA also opens up another way to minimise the consumer impact of SCA: changing the consumer purchasing model. Businesses could make greater use of Merchant Initiated Transactions (MIT), which are out of scope for SCA, for example by offering purchases on a subscription basis, offering services based on the consumer 'topping up' an account balance, or offering payment by direct debit. Once an agreement for future transactions is established with the customer (using SCA), all subsequent transactions under that agreement are triggered by the merchant and flagged as MIT, with no need for SCA to be applied. Because there is no consumer interaction after the agreement is established and the initial SCA performed, there is no risk of abandonment of these MIT transactions; the purchase commitment has already been made.

EMV 3D Secure is not the only means of implementing SCA. For customers with smartphones, there are biometric and mobile app-based solutions that rely on the customer's use of mobile banking. These offer a streamlined consumer experience but are not accessible to every potential customer.

Potential roadblocks to the checkout 

A slower payment process is one thing and can be managed; the inability to complete the authentication process at all is quite another. Some authentication methods rely on an SMS One-Time Password (OTP) as one of the factors, which cannot be received if the consumer has no mobile signal. Another method requires the use of a home banking card reader, which a consumer may not have with them outside the home.

Nor is the EMV 3D Secure messaging protocol on its own all that is required for SCA. The EBA's June 2019 opinion confirmed that the SCA solution most widely deployed by issuers, combining static card data, 3D Secure and a One-Time Password (OTP), does not meet the SCA two-factor requirement: card data such as the PAN, expiry date and CVV is printed on the card and is not secret, so it does not qualify as a knowledge factor, leaving the OTP as the only valid factor.
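The two rules in the passages above, that SCA needs two factors from different categories (so static card data plus an OTP fails) and that a transaction flagged MIT under an agreement established with non-payment SCA is out of scope, can be modelled in a few lines. The following is an added example written for this page, not code from Sysnet, the EBA or any 3D Secure implementation; the factor labels, the `AgreementRegistry` class, the `Transaction` record and the outcome strings are all illustrative assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# PSD2 defines three categories of authentication factor (knowledge, possession,
# inherence); SCA requires two factors from two different categories. The factor
# names below are labels chosen for this example, not identifiers from any product.
FACTOR_CATEGORY: Dict[str, Optional[str]] = {
    "password": "knowledge",
    "pin": "knowledge",
    "sms_otp": "possession",          # OTP delivered to the registered phone
    "app_otp": "possession",          # OTP generated by a mobile banking app
    "card_reader_otp": "possession",  # OTP from a home banking card reader
    "fingerprint": "inherence",
    "face": "inherence",
    # Static card data (PAN, expiry date, CVV) is printed on the card, so it is
    # not accepted as a knowledge factor; per the EBA's June 2019 opinion,
    # card data + OTP does not satisfy the two-factor requirement.
    "static_card_data": None,
}


def sca_categories(factors: Tuple[str, ...]) -> Set[str]:
    """Distinct valid PSD2 categories covered by the presented factors."""
    return {FACTOR_CATEGORY[f] for f in factors if FACTOR_CATEGORY.get(f)}


def is_valid_sca(factors: Tuple[str, ...]) -> bool:
    """True only if at least two different categories are present."""
    return len(sca_categories(factors)) >= 2


@dataclass(frozen=True)
class Transaction:
    amount_minor: int                 # amount in minor units (pence/cents)
    factors: Tuple[str, ...] = ()     # factors the cardholder completed, if any
    agreement_id: Optional[str] = None
    merchant_initiated: bool = False  # MIT flag set by the merchant


class AgreementRegistry:
    """Agreements for future payments (subscriptions, top-ups, direct debits)
    that were established with a successful non-payment SCA."""

    def __init__(self) -> None:
        self._established: Set[str] = set()

    def establish(self, agreement_id: str, factors: Tuple[str, ...]) -> bool:
        """Non-payment SCA at sign-up: the agreement is recorded only if the
        factors actually meet the two-category rule."""
        if not is_valid_sca(factors):
            return False
        self._established.add(agreement_id)
        return True

    def is_established(self, agreement_id: Optional[str]) -> bool:
        return agreement_id is not None and agreement_id in self._established


def decide(tx: Transaction, registry: AgreementRegistry) -> str:
    """Outcome for one transaction:
    'mit_out_of_scope' - merchant-initiated under an SCA-established agreement
    'authenticated'    - cardholder completed a valid two-category SCA
    'sca_failed'       - presented factors do not satisfy SCA (challenge or decline)
    """
    if tx.merchant_initiated and registry.is_established(tx.agreement_id):
        return "mit_out_of_scope"
    # An MIT flag with no registered agreement does not take the payment out of
    # scope, so it is evaluated like any cardholder-present transaction.
    if is_valid_sca(tx.factors):
        return "authenticated"
    return "sca_failed"


if __name__ == "__main__":
    reg = AgreementRegistry()
    reg.establish("sub-001", ("pin", "app_otp"))  # constructed sample agreement
    print(decide(Transaction(999, agreement_id="sub-001", merchant_initiated=True), reg))
    print(decide(Transaction(4500, factors=("static_card_data", "sms_otp")), reg))
```

Note that two possession factors (for instance an SMS OTP plus a card-reader OTP) also fail the check: the rule is two categories, not two factors, which is the distinction the widely deployed card-data-plus-OTP flow missed.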

The EBA's announcement of the extended timeline for SCA migration recognised that additional time was needed to ensure the SCA solutions being implemented work for all consumers and rely on two different, valid, authentication factors. The payments industry needs to address these issues, which is why the extension to the SCA deadline was so important.

Merchant businesses need to stay on top of developments, engaging with their acquirer and their payment service provider, reviewing guidance released by the card brands (such as Visa’s SCA guides) and monitoring announcements from the EBA, so that they can take steps to minimize the potential for negative impacts on their business and their customers.  

Keeping the momentum going 

When the EBA announced the delay to SCA enforcement there were concerns that momentum could be lost and that the benefits of PSD2 SCA would be diluted and delayed. However, once the risks are considered it is clear that the EBA made the right decision. A solution that does not fulfil the regulatory requirements, and is at the same time so cumbersome that consumers are unable or unwilling to complete their transactions, needs to be fixed. The delay gives the payments industry time to develop solutions that work for all business sectors, strike the right balance of security and customer convenience and recognise, as the EBA has stated, that 'it is paramount for customers to be able to continue making payments'.

Ultimately, SCA solutions that are developed and deployed between now and the expiry of the EBA’s migration deadline will benefit both merchant businesses and consumers – more choices, greater accessibility and improved ease of use all while offering the same level of security and protection from fraud.