Strong Customer Authentication: Actions To Take & Key Deadlines07th January 2020
What is Strong Customer Authentication (SCA)?
As part of the new payments regulation Payment Services Directive II (PSD2), the European Commission tasked the European Banking Authority (EBA) with preparing standards on security aspects of payment services. The standards relate to SCA: a new requirement for merchants and their payment processors that ensures that the person initiating a payment is who they say they are. SCA requires that transactions are authenticated via two of the three distinct methods defined below:
A payment service provider – either the acquirer or issuer – must apply SCA when the consumer initiates an electronic payment transaction, although they can apply for exemptions to the rule on a transaction-by-transaction basis for payments identified as low-risk.
Why Is It Happening?
The new rules have been mandated in order to reduce online fraud rates across Europe, which had been identified as an industry issue by the European Commission. SCA should make it more difficult for fraudsters to operate by requiring two-factor authentication, and the primary tool chosen by the industry to facilitate this is EMVCo’s 3D-Secure solution.
When Is It Happening?
Good question. The regulation was originally intended to come in to force on 14th September 2019 but, due to successful lobbying from the industry, has been delayed until at least 31st December 2020 across Europe – with a handful of countries giving the industry more time. A delay was needed as the payments industry had not created workable solutions in time for the original deadline, meaning that a significant number of payments would have to be automatically declined for not being compliant.
What’s Happening Right Now?
The industry is working hard to produce solutions that work in the majority of use cases, but inevitably challenges are arising. Wider questions around authentication, digital identity, and the data requirements of card transactions are being discussed and refined – with serious repercussions for the industry as a whole.
The UK was one of the first Member States to announce a delay to the SCA deadline, and as such has been working on a roll-out plan for a significant amount of time. The ‘SCA Programme’ is therefore an excellent case study for other European merchants and regulators to look to for guidance. The UK’s Financial Conduct Authority has tasked UK Finance with ensuring the success of the SCA Programme, with a working group of almost 100 industry representatives from merchants, issuers, acquirers and other parties including CMSPI.
Find out more about the UK Finance Group
What Do I Need To Do About It?
Merchants in Europe should watch the UK closely, in order to avoid or prepare for the pitfalls already encountered by the UK’s working groups. Solutions are likely to be aligned across Europe, meaning that the UK experience can provide merchants with vital insight into likely outcomes in their own markets.
UK-based merchants should make sure they are receiving the latest updates and output in order to ensure optimal implementation of their own SCA solutions, and avoid working towards recommendations in outdated guidance.
Merchants from farther afield will benefit in seeing how developments in authentication play out in Europe first – before SCA-equivalents inevitably make their way across the globe.
SCA – Merchant Forum
In order to cut through the noise and find out what is really happening with SCA – subscribe to CMSPI’s SCA Merchant Forum for regulatory updates, insightful discussions, Q&A, and expert advice on what merchants should be doing to ensure optimal solutions.
Learn more about SCA from the UK Finance Group here.