Assessing the Impact of PSD2’s Strong Customer Authentication
In addition to increasing competition within the payments industry, PSD2 also aims to enhance the protection of end consumers. In order to achieve this, PSD2 incorporates Strong Customer Authentication (SCA): which is intended to ensure that authentication keeps up with the fast-paced technological changes in the payments industry.
By mandating that at least two independent elements are presented during a transaction’s authentication – categorised as either knowledge, inherence or possession – SCA aims to reduce fraud rates for merchants and guarantee more security for consumers.
The relevant Regulatory Technical Standards (RTS) were published in March 2018 and are relatively complex for merchants and industry players to fully comply with by the deadline of 14th September 2019. SCA will be enforced from day one, in more of a ‘flipping a switch’ action than a gradual introduction, meaning that solutions must be finalised and tested before this deadline in order to be operational in time. However, merchants are also having to navigate the guidance being issued by national competent authorities: because regulatory bodies are interpreting numerous aspects of SCA
differently, merchants are now facing a number of risks and challenges that could have been avoided with more explicit definitions.
The SCA mandate has come later than open banking, and is also receiving less publicity – despite being vital to the ultimate success of PSD2.
The potential issues with SCA are both complex and numerous and, with the September 2019 RTS deadline fast approaching, regulators must begin to address these problems. It is critical that merchants work together to apply pressure and ensure a positive outcome. Previously we said ‘the clock is ticking’: now, the alarm bells are ringing.Robbie MacDiarmid
Exemptions
Due to the fact that 100% SCA enforcement has the potential to ruin certain business models, a number of exemptions have been defined by the EBA. These exemptions are applied for by the acquiring bank, and the issuing bank then has the opportunity to accept the exemption and allow a frictionless transaction, or reject the exemption and force strong authentication.
Alternatively, an issuing bank can exempt a transaction themselves if they so wish.
The main issues facing merchants with regard to SCA exemptions include:
- Contactless
- Whitelisting
- Merchant Initiated Transactions (MIT)
- Low value transactions
- Corporate Payments
- Transaction Risk Analysis (TRA)
Ultimately, while exemptions do have the potential to minimise the negative impact of SCA for some merchants, the benefits can only come to fruition if issuing banks have the technical ability to actually support the exemptions. It has been suggested that up to 30% of issuers will not be able to support exemptions by the September deadline, casting real doubt on whether merchants will be able to rely on the mechanism to dampen SCA’s hit to conversion rates.