Businesses not ready for SCA, worried about impact on UX: report

1^st August, 2019

A report released by the Emerging Payments Association has highlighted that the implementation of Strong Customer Authentication is a cause of concern at this juncture.

The purpose of the new Strong Customer Authentication (SCA) rules is to make online payment more secure and to cut down the risk of fraud. Even as the readiness for the same is being assessed, a report has highlighted that 75% of issuers said they would be ready by the 14th September deadline, from a compliance standpoint, but that they would not be operationally ready. New requirements for authenticating online payments will be introduced in Europe as part of the second Payment Services Directive (PSD2).

The PSD2 Regulatory Technical Standards (RTS) specify these SCA requirements. SCA is based on the use of two or more of the following elements: knowledge (something only the user knows); possession (something only the user possesses); and inherence (something the user is).

The report, released by Emerging Payments Association (EPA) and Chargebacks911, features companies that issue over 107 million cards (comprising 61% of all cards issued in the UK). It is being recommended that more time is required. The enforcement of SCA at this pace is “likely to be extremely high and painful”. Rather, a managed rollout is needed.

Some of the key findings:

• The payment experience is going to be adversely impacted. More than half (58%) of the 13 UK issuers surveyed believe the new regulations are going to add friction. The SCA requirements are going to impact the speed of consumer transactions and the number of steps to be completed when paying. One of the major concerns has been the inclusion of additional authentication into the checkout flow, since it introduces an extra step that can add friction and increase customer drop-off.

• The number of transactions that are not going to be accepted is set to rise from today’s 3% to between 20-30%, according to what is being projected by issuers. While the number of step-up authorisation requests is expected to range between a third and half of all online transactions.

• The top three authentication methods being studied by issuers include; One Time Passwords (OTP) (SMS to a mobile device), authentication within a mobile banking app, and 3DS. Among these, OTP and 3DS authentication are expected to adversely impact the user experience.

• There is limited support of 3DS v2.1 today. Despite this, 66% of surveyed issuers expect to be ready by the end of 2019. 3DS v2.1 has an advantage over 3DS v1 because it has a surety of satisfying SCA legal requirements.

In an interview in April with Ai, Laurie Gablehouse, Global Head of Travel Solutions, Ingenico ePayments, did mention that it is a challenging phase for the entire payment ecosystem. Laurie pointed out that the standards are still evolving, with grasp over “80% - 90% of what needs to happen”. “(So) the timing is quite late from a technical perspective for everybody to be ready by September.” 

A major development in the recent past featured the European Banking Authority (EBA) as it published an opinion on the elements of SCA and accepted authentication in June. The report acknowledged the same, and shared that considering the recent EBA ruling on compliant SCA elements issuers are required to accelerate their support for biometrics merchants are advised to implement 3DS v2.1 now and then migrate to v2.2 once solutions are fully tested and available.

In its list of recommendations, the report emphasised that 3DS technology must be implemented as a priority. Rather than being bogged down by feeble v1.0 implementations, gear up for v2.2 as early as possible with v2.1 as a practical interim step. A couple of other suggestions:

• Actively engage with collaboration tools offered by Visa (VMPI) and Mastercard’s upcoming MDRI (Mastercard Dispute Resolution Initiative), which help combat fraud in realtime and maintain TRA exemptions.

• Make sure you correctly flag transactions and apply the right indicators and exemption requests. This may also require support for updated authorisation message formats.

Hear from senior executives about how the regulatory environment is impacting the world of payments at the 8th Annual ATPS Asia-Pacific to be held in Penang, Malaysia (27-29 August, 2019).