January 07th 2020
Strong Customer Authentication: Actions To Take & Key Deadlines
What is Strong Customer Authentication (SCA)?
As part of the new payments regulation Payment Services Directive II (PSD2), the European Commission tasked the European Banking Authority (EBA) with preparing standards on security aspects of payment services. The standards relate to SCA: a new requirement for merchants and their payment processors that ensures that the person initiating a payment is who they say they are. SCA requires that transactions are authenticated via two of the three distinct methods defined below:
- Something the consumer is, e.g. a fingerprint, iris scan, or facial/vocal recognition.
- Something the consumer knows, e.g. a password, login details, or the answer to a chosen security question.
- Something the consumer owns, e.g. a card, mobile, or token-generating device.
A payment service provider – either the acquirer or issuer – must apply SCA when the consumer initiates an electronic payment transaction, although they can apply for exemptions to the rule on a transaction-by-transaction basis for payments identified as low-risk.
Why Is It Happening?
The new rules have been mandated in order to reduce online fraud rates across Europe, which had been identified as an industry issue by the European Commission. SCA should make it more difficult for fraudsters to operate by requiring two-factor authentication, and the primary tool chosen by the industry to facilitate this is EMVCo’s 3D-Secure solution.
When Is It Happening?
Good question. The regulation was originally intended to come into force on 14th September 2019 but, due to successful lobbying from the industry, has been delayed until at least 31st December 2020 across Europe – with a handful of countries giving the industry more time. A delay was needed as the payments industry had not created workable solutions in time for the original deadline, meaning that a significant number of payments would have to be automatically declined for not being compliant.
What’s Happening Right Now?
CMSPI estimates that the number of declines may total €68 billion in lost revenue for merchants in the year following implementation of SCA rules. That's over €300 per household.
The industry is working hard to produce solutions that work in the majority of use cases, but inevitably challenges are arising. Wider questions around authentication, digital identity, and the data requirements of card transactions are being discussed and refined – with serious repercussions for the industry as a whole.
The UK was one of the first Member States to announce a delay to the SCA deadline, and as such has been working on a roll-out plan for a significant amount of time. The ‘SCA Programme’ is therefore an excellent case study for other European merchants and regulators to look to for guidance. The UK’s Financial Conduct Authority has tasked UK Finance with ensuring the success of the SCA Programme, with a working group of almost 100 industry representatives from merchants, issuers, acquirers and other parties including CMSPI.
Did you know?
It is estimated that 1-2% of online payments made today require cardholder authentication, which could increase to 25% with SCA requirements.
The number of transactions sent through 3D-Secure could increase from 19% to 57% of online card payments.
What Do I Need To Do About It?
Merchants in Europe should watch the UK closely, in order to avoid or prepare for the pitfalls already encountered by the UK’s working groups. Solutions are likely to be aligned across Europe, meaning that the UK experience can provide merchants with vital insight into likely outcomes in their own markets.
UK-based merchants should make sure they are receiving the latest updates and output in order to ensure optimal implementation of their own SCA solutions, and avoid working towards recommendations in outdated guidance.
Merchants from farther afield will benefit from seeing how developments in authentication play out in Europe first – before SCA-equivalents inevitably make their way across the globe.