James Devoy, EVP for Cyber Risk Services at Sysnet, shared his thoughts with Payment Expert on what the latest Strong Customer Authentication rules mean for the industry, as well as how they will impact the growth of innovation.
Payment Expert: Firstly, can you tell us more about the SCA extension and what it means for the sector?
James Devoy: The rules on Strong Customer Authentication (SCA) have come from the EU’s second Payment Services Directive (PSD2) and are defined by the European Banking Authority (EBA) in the associated Regulatory Technical Standards (RTS). The requirement for SCA has been established to protect customers’ electronic transactions – including both online and in-store payments.
The main objective of SCA is to make payments safer and reduce fraud by more accurately authenticating the identity of the payee (the payment account holder) and confirming their consent before the transaction is authorised. This regulation has customer safety as its focus and any regulated firm that fails to implement the proper mechanisms to ensure this safety will be met with huge fines, while merchants not ready to support SCA could see significant increases in declined transactions.
The original deadline for PSD2’s SCA requirements to come into force was the 14th September 2019; however, as the deadline approached it became apparent that many regulated firms and the majority of merchants would not be ready to support SCA – particularly for online payments – by September.
In August 2019, the UK’s FCA acknowledged that more than 75% of merchants were not aware of the full requirements of SCA, with less than 5% of merchants actually using the technology that SCA required (3D Secure 2.x). In response to pressure from across the payments ecosystem, on 15th October 2019 the EBA announced an extension to the deadline: 31st December 2020. The EBA’s announcement gave European financial regulators, such as Germany’s BaFin or the UK’s FCA, the flexibility not to take enforcement action against regulated firms that did not yet comply.
This extension is good news for businesses across Europe as they have some much-needed breathing room to prepare and to get up to speed on how SCA requirements will impact them. Merchants have extra time to be ready to support SCA on their sales channels, for example by integrating 3D Secure 2 on their ecommerce and mobile platforms, and have more time to work with their Payment Service Providers and acquirers to make better use of the available SCA exemptions.
The delay has also helped particularly impacted sectors, such as the travel industry, the third sector and gambling, ensure SCA can be fulfilled across all affected payment channels/methods. The EBA was forced to recognise that the payments sector is more complex with many more players and ‘moving parts’ than the EBA understood when they set the original September deadline; the payments industry simply wasn’t ready for full enforcement of SCA. The risk of disruption – especially to online payment transactions – was too great.
Payment Expert: How complex is the introduction of strong customer authentication?
James Devoy: The complexity of introducing SCA for all of the impacted transaction types and payment channels defined as in scope was underestimated. At a high level the principles and requirements were understood, but to fulfil those principles and meet those requirements two areas needed to come together across that whole range of in-scope transactions. On the payments side, there needed to be coordination amongst multiple entities across industry sectors, work was needed to identify all of those in-scope activities and responsibilities, and the EBA needed to clarify interpretation of the RTS for ‘grey’ areas as they were identified.
Then on the technical and security side, expertise and effort was needed to define and develop solutions that met the requirements of the RTS while meeting business and consumer expectations for an SCA process that was as frictionless as possible. The original timescale allowed for the implementation of the RTS was ambitious. That timescale had a positive effect in that it applied pressure on the industry to drive the change – but at the time the RTS were published there were still many questions to be answered. There were also many scope implications to be teased out, responsibilities to be defined, technical solutions to be considered and many parties needed to work together.
On top of the payments industry itself needing to be ready and have SCA solutions in place, there is also the customer side of payments to consider. Customers understand the importance of security and data privacy, as research shows, but without an awareness of how and why SCA is changing their payment experience, customers will not understand that those changes are positive and for their benefit.
One of merchants’ big fears is customer abandonment at checkout; a potential sale lost at the last moment. Once customers have decided on their purchase, they want a fast and seamless experience when paying for their products. The potential for the extra authentication measures required by SCA to slow down this process is a significant concern. Communication from payment brands, card issuers and merchants is key to making sure customers are prepared for when SCA is required of them. Without this effort, SCA could increase customer abandonment rates, and so another necessary step in the introduction process, and another complexity, is educating consumers.
Payment Expert: What impact has SCA had on payment merchants and how the payment sector is evolving?
James Devoy: SCA is forcing merchants to take consumer payment fraud more seriously and to work more closely with their acquirer and payment service providers to make sure their in-scope payment channels support SCA methods, correctly flag transactions and maximise use of the available SCA exemptions while also minimising the risk of declines. Fraud is a serious issue that affects many different sectors.
Merchants have a responsibility not only to protect themselves from fraud but also to protect their customers; one of the key aims of PSD2 is addressing the growth of online payment fraud, as the European Commission did not feel enough was being done to protect consumers and their financial data. By introducing strict security requirements for the initiation and processing of electronic payments, consumers and merchants will be better protected from fraud.
While SCA enforcement has been delayed, the postponement of the enforcement deadline does not mean that merchants should delay their support for SCA. This means for online and mobile payments, merchants need to take action now to implement support for 3D Secure 2 and, if they offer direct from account payment methods, support integration with the ASPSP’s SCA method.
Merchants can also learn from industry developments and should watch out for the availability of trusted beneficiary whitelisting to consumers. For example, acquirers may now be able to register their merchants on Visa’s Trusted Listing programme, which may help them get on their customers’ whitelists. Issuer/ASPSP SCA implementations will start to offer their account holders the option to whitelist merchants as a trusted beneficiary. Once whitelisted, subsequent payments to the merchant are exempt from SCA, although the issuer/ASPSP still has the right to require SCA.
Merchants also need to update their in-store payment solutions in addition to the online methods. Merchants accepting contactless payments on their terminals should already have confirmed with their acquirer or POS provider whether terminal updates are needed to ensure that their contactless terminals can react to the new response codes from issuers requesting to ‘step up’ to PIN authentication when the contactless transaction counter limits are reached.
Payment Expert: What impact will SCA regulations have on innovation within the online payments sector?
James Devoy: SCA will place a restriction on how streamlined merchants can make their online checkout process but this apparent restriction will ultimately lead to innovation. Regulations are always being forced to change as technology (and the means to exploit that technology for criminal intent) evolves, and sometimes the restrictions those regulations impose can themselves lead to creative technological solutions.
For example, since the EBA’s June 2019 opinion confirmed that the static factors on a payment card cannot be considered as a knowledge element for SCA’s two-factor authentication requirements, new 3D Secure 2.2 based enhanced authentication solutions have come to market. These are innovative solutions that offer a frictionless, streamlined consumer experience by leveraging consumer behavioural data and cryptographic methods of device identification to deliver SCA.
Payment Expert: How important was the delayed implementation of the new regulation?
James Devoy: Ultimately, it was very important. The payments industry simply was not ready for SCA to be enforced, and the damage it could have potentially caused for businesses as a result of the increase in declined payment transactions would have been damaging. The issue lay with the fine details of how and when SCA applied not being well understood, in a lack of merchant engagement to make sure they were ready to support SCA, and in an overall underestimation of the work required for all affected parties to meet the RTS in the timeframe provided.
This extension has already provided the industry the time needed to answer many of the questions around SCA and for the rest of 2020 efforts can be focused on getting the correct technology integrated and exploring methods of explaining the benefits of SCA to customers.