Strong Customer Authentication (SCA) is a key part of the European PSD2 standard and is hotly anticipated to be one of the most important legislations affecting the financial and retail sectors.
Although scheduled for 14 September 2019, its implementation in the UK has been delayed by 18 months to give businesses more time to meet the new requirements. According to the UK’s Financial Conduct Authority (FCA), UK businesses now have until March 2021 to comply.
But reactions to the hold-ups have been mixed. With fraud rates on the rise, some players are frustrated at the delays to consumer security. Others are expressing relief that they now have more time to iron out potential technical issues before they go live.
Are businesses ready for SCA?
Under SCA, online transactions where both the business’s payment provider and the cardholder’s bank are located within the European Economic Area (EEA), at least two of the three following methods are required:
- Knowledge: something only the user knows, such as a password.
- Possession: something only the user possesses, such as a token or mobile phone.
- Inherence: something the user is, such as a biometric element (e.g. fingerprint recognition).
It mainly impacts card payments made over the internet as customer present EMV transactions are already 2-factor authenticated – with a chipped card (possession) and with a PIN (knowledge). There are also some SCA exemptions e.g. for transactions below €30, reoccurring subscriptions, whitelisting and corporate payments.
Although they’ve had nearly two years to prepare since the initial announcement, UK retailers have been kept busy dealing with other regulatory standards including GDPR, PCI and PSD2 – not to mention the distractions caused by uncertainty around Brexit. Without the SCA extension, many businesses would simply not have enough resource or investment available for the systems and processes required to facilitate multifactor authentication.
How does the market feel about SCA progress?
Given the rising incidence of fraud, many in the industry want to see enhanced, secure digital experiences fast-tracked. At the same time, some are feeling overwhelmed at the complexity and its impact on the customer experience.
To help accelerate SCA and reduce potential friction, lots of retailers are looking at mobile and biometric based authentication as a possible route to compliance. UK retailers will be able to use the delay as ‘breathing space’ to explore new authentication approaches more fully, to implement any technical fixes and minimize disruption – particularly in online transactions.
However, it’s vital that they are ready for the next deadline to fulfil the security promise of PSD2 and to prevent consumers from being disappointed.
Will SCA add drag to frictionless payments?
There is a fear that too much complexity at the checkout will drive sales conversion down. Merchants are working with the industry and their providers to minimize SCA’s impact on the UX. There may be some extra security steps for the consumers, but most will welcome this if it means they are better protected. It will also make them more confident particularly when making higher ticket spends online.
We believe that the focus in the next few months will be facilitating secure experience while ensuring the customer has a frictionless user journey, creating faster, better and more ‘seamless’ SCA technology. Having digital core processes and gateways is crucial to helping merchants adapt effectively and accelerate new innovations.
There is always the danger that, in super-fast one-click digital economies, SCA will turn some consumers off. The secret to overcoming this could be using the consumers own technology and familiar processes to ease the experience. Many are very comfortable with smartphone biometrics, for example, and regularly use their phones as part of the authentication process for banking, loyalty and retail apps. Done properly, SCA should become as intuitive to future shoppers as chip and PIN is for many today.