Strong Customer Authentication (SCA) is a key part of the Second Payment Services Directive (PSD2) and a vital measure to counteract the rise in online fraud. As the new security framework for digital payments, SCA has been a long time coming – and now the implementation deadline has been extended yet again.
This blog outlines the history of SCA, what it means in practice, the reasons for the latest extension, and why it’s imperative to prepare thoroughly for the new framework.
Background and delays
The European Central Bank issued recommendations for SCA at the beginning of 2013, and they were incorporated in PSD2 when the new directive was introduced in 2018.
Under SCA, payment service providers must apply strong authentication when a payer initiates electronic payments online or uses any remote channel that is at risk from payment fraud.
SCA came into force on 14 September 2019, but the Financial Conduct Authority (FCA) allowed extra time to implement the rules because of concerns about industry readiness and the potential effect on merchants and consumers from increased friction at checkout. Then, due to the Covid-19 pandemic, a second extension was granted in April 2020.
Why another delay?
Preparing for SCA has proved complex and challenging. It needs industry coordination and commitment, and the ongoing impact of Covid-19 has only added to the difficulty in creating the infrastructure in time. Above all, it is a technical challenge that requires guidance and support to implement the authentication measures and ensure compliance.
The latest extension is unlikely to be followed by a fourth, and the FCA says that firms that fail to meet the new deadline will be subject to “supervisory and enforcement action”, which could mean hefty fines for those who are not compliant by March 2022. Covid-19 has added new urgency to this deadline: the huge increase in online payments during the pandemic has been matched by a corresponding rise in payment fraud.
It’s also worth noting that the European Union has resisted further extensions. Across the EU, SCA has already gone live and the European Banking Authority (EBA), in contrast to the FCA, has ruled against more delays. This makes it even more important for the industry to meet the requirements for SCA.
Fraud versus friction
While no one disputes the growing risk and incidence of online fraud, nor the need for robust countermeasures, tighter security can introduce friction to the payment process, which is frustrating for consumers and jeopardises merchants’ conversion rates.
The goal is to find the right balance between fraud and friction, ensuring that authentication is as smooth as possible while protecting consumers. This is where 3D Secure version 2 comes in, and the deadline extension should be used wisely so that the security framework is configured for optimum efficiency.
SCA and 3DS2 in practice
Implementing SCA involves two-factor authentication. This means that when a payment is challenged because of a security concern, the payer must complete two out of three possible authentication checks: knowledge (something only the user knows), possession (something only the user has), and inherence (something the user is).
These checks are the basis of the security protocol 3D Secure version 2 (usually abbreviated to 3DS2). Under version 1 of the protocol, introduced in 1999, transactions are completed using password protection, which means you are redirected to a new page to authenticate yourself. This increases cart abandonment because it is clumsy and not suitable for today’s world of e-commerce and mobile transactions.
While 3DS2 eliminates the redirect issue and heightens security by drawing on far more data points, it has not been universally embraced. There are fears that it will involve too many security challenges and thus impact consumer experience and dent sales.
There are reports of declining conversion rates in countries that have already enforced SCA, but the success of SCA depends on how 3DS2 is implemented and on the amount and quality of data that is shared. ‘Frictionless flow’, where the authentication process is invisible to the customer, is possible when sufficient high-quality data is shared and exemptions are fully applied.
In addition, it is likely that greater use of biometrics, which satisfies the inherence option in two-factor authentication, will help to make payment checks as seamless as possible.
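To make the two-out-of-three rule concrete, here is an added illustration (not code from this post or from Banfico) of how a challenge step might validate the authentication elements a payer has completed, and when a transaction may take the frictionless route instead. The element names, the exemption flag and the data-sufficiency flag are assumptions for the example; the point it shows is that two elements from the same category (say, a password and a PIN) do not satisfy SCA.

```python
from __future__ import annotations

from enum import Enum


class Factor(Enum):
    """The three SCA factor categories described above."""
    KNOWLEDGE = "something only the user knows"
    POSSESSION = "something only the user has"
    INHERENCE = "something the user is"


# Assumed mapping of verifiable elements to their SCA category.
# The element labels are illustrative, not taken from any specification.
ELEMENT_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "device_binding": Factor.POSSESSION,
    "sms_otp": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face_id": Factor.INHERENCE,
}


def categories_verified(elements_verified: list[str]) -> set[Factor]:
    """Map elements that passed verification to the distinct categories
    they cover. Unknown element names are ignored, never counted."""
    return {ELEMENT_CATEGORY[e] for e in elements_verified if e in ELEMENT_CATEGORY}


def sca_satisfied(elements_verified: list[str]) -> bool:
    """SCA needs two of the three *distinct* categories, so password + PIN
    (both knowledge) is not enough, while password + fingerprint is."""
    return len(categories_verified(elements_verified)) >= 2


def route_transaction(exemption_applies: bool, data_sufficient: bool,
                      elements_verified: list[str] | None = None) -> str:
    """Frictionless flow (no challenge shown) only when an exemption applies
    and the merchant shared sufficient data; otherwise the challenge must
    satisfy SCA before the payment is treated as authenticated."""
    if exemption_applies and data_sufficient:
        return "frictionless"
    if elements_verified and sca_satisfied(elements_verified):
        return "authenticated"
    return "challenge_required"
```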
Meeting the new deadline with Banfico
The challenge for market participants is to implement SCA by March 2022 and make it work as intended – in other words, maximum security, minimum disruption. This is no small undertaking, as creating and testing the security infrastructure, and ensuring it complies with the legal framework for SCA, is both complex and demanding.
Merchants must collect and share far more information than previously, which involves a learning curve and a period of adjustment. Teething problems are inevitable with 3DS2 migration, which is why it’s essential to use the additional time wisely and seek the right support and guidance.
Banfico believes that the latest extension is a sensible measure. As a PSD2 expert and open banking solutions provider, we can help organisations negotiate the steps for SCA compliance and ensure they are ready for the new deadline.