Blog: Securing the future of payments through SCA

Posted: 24th June 2019

From the 14th September 2019, the new Regulatory Technical Standards (RTS) – as detailed in the Revised Payment Service Directive (PSD2) – will come into effect.

But even before that date, payments providers and merchants need to be ready for a raft of impactful changes.

The measures outlined in the RTS are designed to fulfil two of the key objectives of the PSD2: ensuring consumer protection (reducing fraud) and levelling the playing field in a rapidly changing market.

To achieve this, the governing EU body expects firms to increase the level of security of electronic payments. From implementation date on, all payments providers will need to make Strong Customer Authentication (SCA) the basis for accessing payments accounts and making payments electronically.

In this near future, all electronic transactions made within the EEA (with certain exemptions) will have to be authenticated through a two-factor process. While many firms already require some form of two-factor authentication (the most common being the familiar “chip and PIN” method), this is not yet the EEA-wide minimum standard.

The future of payments promises to be far more secure and more resistant to the epidemic of fraud currently seen, but there will, no doubt, be side-effects to the seismic shift.

What is Strong Customer Authentication?

SCA is defined as authentication using at least two factors known to the payer. These factors include:

Something only you know: A password, PIN or a knowledge-based question
Something only you have: A registered phone, a card reader or key generator, etc.
Something only you are: A biometric proof, such as a fingerprint, face or voice recognition, etc.

These factors must all be independent of one another so that if one is compromised, the others remain secure.

Most people will already be familiar with the concept of two-factor authentication. Those of us who have been in the workforce for the past decades might be familiar with code generator keyrings such as SecurID tokens, and those of us with certain high-street bank accounts will surely have that small, one-time-code-generating gizmo for logging into online banking buried somewhere in their desk drawer.

Other, more everyday examples of two-factor authentication can be seen at the checkout queue. If you pay for your groceries through a card using the “chip and PIN” method, you will be using two factors to authenticate the payment, the first factor being the item you own (the physical card) and the other being something you know (the PIN).

But, as you may have realised, contactless payments don’t require a PIN confirmation, meaning that they aren’t currently two-factor authenticated. As this type of payment becomes more widespread, security measures will need to evolve.

The new SCA rules will set a limit on the number of contactless transactions that can be made before the PIN must be entered. So, rather than this limit being completely up to the issuer’s risk appetite, it will be strictly defined and triggered more frequently.

While the deadline for SCA implementation is still a few months away, many issuers will be implementing the requirements ahead of time. Don’t be surprised if you are challenged more often for multiple small value purchases.

There are, of course, exemptions to the SCA two-factor requirement, including payments made on automatic machines that don’t have a physical PIN pad (London Underground ticket machines being a prime, and heavily utilised, example), remote transactions under the value of €30 (except if there are more than five consecutive payments, or these exceed €100, in total), payer-whitelisted beneficiaries, or low-risk transactions. Recurring direct debits are, technically, merchant-initiated, meaning that no SCA will be required.

The retail experience as we know it will change

SCA requirements will come as a massive shock to the retail payments experience, potentially resulting in drop-offs in the volume of shopping basket “completions” and a rise in declined payments. However, what’s really worrying is the fact that the requirements aren’t yet on the horizon of the average payer.

Ensuring that customers across the country – who have varying levels of tech and financial expertise – are educated on the requirements of SCA is an absolute priority for any firm dealing with payments, whether this be in the physical retail space or, perhaps more importantly, online.

From our experience, customers are generally well aware of the security arrangements that protect them when it comes to accessing online payments accounts, but very few are aware of the day-to-day impacts of the RTS on their shopping habits. An increase in declined transactions will cause increased friction in the user experience, and potentially cause customers to turn away from services that don’t appropriately signpost new security obligations.

Where the new requirements will bite hardest is the e-commerce sector. Due for a shake-up around the implementation date, e-commerce merchants will need to implement new technologies, or adjust old ones, to allow for two-factor authentication.

3D Secure – you may have seen this in action in the form of a small pop-up with your bank’s branding appearing during an online checkout – is the current security standard in this field. However, background risk checks performed by the card issuer are no longer going to be enough to satisfy regulatory requirements. Firms involved will be unable to avoid asking payers for further information, anything from SMS-based confirmation to fingerprint scanning (made possible through a compatible device such as a smartphone).

These changes will need to be implemented by the entire ecosystem. While large financial institutions may have the budget set aside for a change project such as this (and be used to regulatory changes by now), merchants, whether online or ‘brick-and-mortar’, will have a much harder time embedding the procedures and technologies needed to facilitate SCA.

This could leave many businesses ‘out-of-pocket’, especially smaller ones or those that may lack local help due to their shopping cart provider or support network being outside of the EU. The costs associated with people, technology and time lost through deviating from regular activities will all surely add up.

This could be exacerbated in the event that non-preparedness leads to a decline in transactions or, worse yet, regulatory intervention. Firms will need to prove that they are supplying their customers with the appropriate information, at the appropriate time, if they are to stay on the right side of their regulators.

It doesn’t end here …

SCA is a welcome step forward in the fight against fraud and financial crime, but we, as an industry, are only yet scratching the surface of full implementation.

In future articles, we will discuss the impacts of the new RTS on vulnerable customers and explore how merchants, issuers and acquirers can be fully prepared. The potential for a phased approach to implementation and enforcement by the FCA, coupled with ongoing lobbying by card schemes for further exemptions, also complicates matters, so stay tuned for more!