As the implementation of PSD2 approaches, Paul Conroy from Square 1 answers some important SCA questions.
Strong customer authentication (SCA) is a new set of rules governing how online payments will be made. It is part of the revised Payment Services Directive (PSD2), and comes into effect on 14 September. These rules aim to improve the security around online payments, reducing the likelihood of fraud.
How is SCA going to work?
The most common way of requesting additional authentication for online payments will be via an update of the much-maligned 3D Secure system. Fortunately, this sequel is more Toy Story 2 than The Matrix Reloaded – far superior to its predecessor.
3D Secure 2 (3DS2) has been redesigned in order to provide a more integrated and frictionless experience. It allows retailers to send more data about each transaction to the cardholder’s bank. This can include payment-specific data, such as the shipping address, as well as contextual data, such as the customer’s device ID or previous transaction history.
The cardholder’s bank can use this additional information when assessing the risk level of the transaction. If the bank trusts that the real cardholder is making the purchase, the transaction is sent through a ‘frictionless’ flow – no 3DS2 dialog is visible and the transaction is completed without additional input from the cardholder.
If the bank needs further proof of identity, the cardholder will see the new 3DS2 interface. Unlike the previous iteration, the new version is designed to fit far more seamlessly into existing checkout flows. It does this by using elements such as in-page modals on the retailer’s checkout page rather than external page redirects.
In addition to the visual updates, 3DS2 has been designed for the age of the smartphone. While it will be possible for a customer to receive an SMS with a code or enter a password, banks may choose to offer more innovative solutions such as authenticating web-based payments using a fingerprint or facial recognition within a banking app.
With an expected increase in 3D Secure usage to come, the hope is that the improved flow of 3DS2 will prevent cart abandonment from rising at the same speed.
Will SCA be required on every online transaction?
There are a limited number of exemptions for SCA, with the most common expected to be:
- Low-risk transactions, where the fraud rate of the card provider and bank are both below expected levels proportionate to the transaction
- Low-value transactions (payments under €30)
- Fixed-rate subscriptions (online streaming services where price doesn’t change)
- Merchant-initiated transactions (delayed payments, add-on billing)
In these cases, additional authentication won’t be required. Yet the issue for retailers is that not all banks will have systems in place to approve all of these exemptions by 14 September. Even after that date, exemptions may be granted inconsistently between banks. This means that retailers must build payment flows that assume exemptions won’t be granted, requiring full authorisation by the customer.
Will retailers need to re-authenticate existing saved cards?
Card information saved before 14 September is to be grandfathered in and considered authenticated. For retailers such as Amazon, the customer will be logged into the site when trying to use the card so, depending on how 3DS2 is implemented by their payment processor, re-authentication of a saved card can be done without requiring re-entry of card information.
It’s a little different for subscriptions where the card is being charged without the user present (online newspapers, streaming video services etc). There should be no need for re-authorisation at each billing period. If the price of the subscription changes, the bank will evaluate the risk of the transaction (cardholder history, retailer history, bank’s own fraud rate) and may choose to ask for additional authentication, or may allow the transaction to be exempted from SCA.
The major challenge for retailers is that responses from different banks to the same types of transactions are likely to be inconsistent. The critical task is building payment flows in a resilient way, to expect authentication challenges at all stages of transaction processing.
Are there scams to watch out for in the transition to SCA?
While banks and businesses adjust to the post-SCA world, it’s expected that there will be a period of heightened requests for authentication. Customers can expect to receive an increased number of genuine ‘please update your saved card’ mails from retailers and subscription services.
As was the case with GDPR, we can expect to see a similar increase in phishing emails from opportunistic scammers, so it’s important to remain vigilant when asked to enter card details on any site.
SCA covers the EEA. What impact will Brexit have?
Unlike most things Brexit-related, with SCA there is certainty. The regulation is expected to be enforced in the UK, regardless of if, when or how Brexit ultimately happens. In fact, the UK’s Financial Conduct Authority (FCA) recently added some more clarity to the current situation. It has adopted the recommendations of UK Finance (a banking and financial services trade group) on enforcement.
Highlighting concerns around consumer awareness as well as merchant and issuer readiness, UK Finance made the case for a phased roll-out, rather than the ‘big bang’ approach we saw with GDPR, for example. This could be summarised simply as no change for six months, followed by baby steps.
That this proposal was accepted means there’s a window of 18 months in which SCA will be on the books but at varying levels of implementation and enforcement in the UK.
The Irish Central Bank has mentioned a “limited mitigation period”, with several other EU authorities making similar noises, but the FCA is the first to put some date-related meat on the bones of the delay.
Does the 14 September deadline still apply?
Many businesses have been pushing to get ready for the deadline of 14 September, but some are now pumping the brakes and looking to take the extra time to review their approach and decide if they really want to continue, given the relative uncertainty.
You can expect a number of businesses will take a ‘wait and see’ approach for a few months, then we’ll likely see another late dash when the next deadline rolls around.
By Paul Conroy
Want stories like this and more direct to your inbox? Sign up for Tech Trends, Silicon Republic’s weekly digest of need-to-know tech news.