E-commerce industry granted SCA stay of execution
Written by Peter Walker
It was announced this week that with only a month to go until the deadline for implementation of the Strong Customer Authentication (SCA) rules, the UK’s Financial Conduct Authority (FCA) has agreed an 18-month extension.
While this new plan will be welcomed by card issuers, payments firms and online retailers, there is clearly still a lot of work to do in preparing the security technology, the checkout experience and consumer expectations in time for March 2021.
Part of the second Payment Services Directive (PSD2) regulations being implemented across the European Union, SCA is defined as security authentication based on two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, so that the breach of one does not compromise the reliability of the others, to protect the confidentiality of payment data.
Playing for time
In June, the European Banking Authority (EBA) published an opinion on SCA, acknowledging that implementing the new standards might be difficult for some merchants, with many being at risk of missing the 14 September deadline, with this lack of preparedness having the potential for a significant impact on consumers.
While it explained that sufficient time has been available for the industry to prepare - given that the definition was set out when PSD2 was published in 2015 - the EBA acknowledged the complexity of the payments markets across the EU and the challenges arising from the changes that are required, in particular by those that are not Payment Service Providers (PSPs) such as e-commerce retailers.
It therefore granted additional time to allow issuers to migrate to compliant authentication approaches and acquirers to migrate their merchants to solutions that support SCA.
Jonathan Davidson, the FCA’s executive director for supervision for retail and authorisations, said that his team has been working with industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster. “While these measures will reduce fraud, we want to make sure that they won’t cause material disruption to consumers themselves; so we have agreed a phased plan for their timely introduction.”
The FCA will not take enforcement action against firms if they do not meet the SCA requirements next month, so long as there is evidence that they have taken the necessary steps to comply with the new plan.
This reprieve comes as a relief for the UK e-commerce industry, following warnings that Europe stands to lose €57 billion in economic activity in the first 12 months after SCA takes effect.
This was according to Stripe research among payment professionals at online businesses and 1,000 consumers in the UK, France, Germany, the Netherlands and Spain, which found that 40 per cent of businesses aware of SCA said they felt prepared to address its requirements.
Stranger than friction
In order to minimise the transactions for which SCA will be required, a set of exemptions allows, for example, recurring payments or small purchases (under £30) to be approved without extra layers of friction.
However, the challenge is that exemptions are complex to administer, especially for smaller retailers, and require visibility of how card networks and banks will apply them across Europe.
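To make the two rules described above concrete, here is a small policy check written for this piece (it is an added example, not code from the article or from any of the firms it quotes). It models only what the text states: an authentication counts as SCA when it uses two or more elements from distinct categories (knowledge, possession, inherence), and a recurring payment or a purchase under £30 may be exempted. The mapping of authenticator names to categories, the `Transaction` type and the decision labels are assumptions chosen for the example; the check deliberately does not judge the independence of the elements (for instance, two codes delivered to the same device), which a real implementation must also assess.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum
from typing import Iterable, Optional, Tuple


class Factor(Enum):
    """The three SCA categories named in the PSD2 definition."""
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something the user is


# Assumed mapping of authenticator types to categories (constructed for
# this example; the article lists card data as a possession element).
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "card_data": Factor.POSSESSION,
    "banking_app_approval": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}

# The article gives "under £30" as the small-purchase exemption threshold.
LOW_VALUE_LIMIT_GBP = Decimal("30.00")


@dataclass(frozen=True)
class Transaction:
    """Hypothetical transaction record used by the check below."""
    amount_gbp: Decimal
    recurring: bool = False
    authenticators: Tuple[str, ...] = ()


def sca_satisfied(authenticators: Iterable[str]) -> bool:
    """True when the elements span at least two distinct categories.

    Two elements from the same category (e.g. password + PIN) do not
    count, because the definition requires different categories.
    """
    categories = set()
    for name in authenticators:
        if name not in AUTHENTICATOR_FACTOR:
            raise ValueError(f"unknown authenticator type: {name}")
        categories.add(AUTHENTICATOR_FACTOR[name])
    return len(categories) >= 2


def applicable_exemption(tx: Transaction) -> Optional[str]:
    """Return the name of an exemption the transaction qualifies for, if any."""
    if tx.recurring:
        return "recurring"
    if tx.amount_gbp < LOW_VALUE_LIMIT_GBP:  # strictly under the limit
        return "low_value"
    return None


def decide(tx: Transaction) -> Tuple[str, str]:
    """Return (decision, reason) for a transaction.

    'approve' when an exemption applies or SCA has been completed;
    'step_up' when SCA is required and the supplied elements do not
    meet the two-category rule, so the issuer must challenge the user
    (and, per the article, decline if the challenge is not completed).
    """
    exemption = applicable_exemption(tx)
    if exemption is not None:
        return ("approve", f"exempt:{exemption}")
    if sca_satisfied(tx.authenticators):
        return ("approve", "sca_completed")
    return ("step_up", "sca_required")


if __name__ == "__main__":
    # Constructed sample transactions.
    samples = [
        Transaction(Decimal("25.00")),
        Transaction(Decimal("30.00")),
        Transaction(Decimal("120.00"), authenticators=("card_data", "banking_app_approval")),
        Transaction(Decimal("120.00"), authenticators=("password", "banking_app_approval")),
        Transaction(Decimal("250.00"), recurring=True),
    ]
    for tx in samples:
        print(tx.amount_gbp, tx.recurring, tx.authenticators, "->", decide(tx))
```

The boundary case is worth noting: £30.00 exactly is not "under £30", so it is not exempted here, and card data plus an app approval are both possession elements, so together they still trigger a step-up.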
The most recent version of 3D Secure (3DS) - known to consumers under names such as Verified by Visa and Mastercard SecureCode - is emerging as a popular SCA-compliant way to accept payments online, but the survey showed one in four online businesses are not yet familiar with it.
Just 47 per cent of European consumers surveyed by Stripe felt current online checkout processes were ‘very easy’ and 74 per cent of Generation Z shoppers have abandoned an online purchase in the past six months due to a bad checkout experience. SCA is likely to make matters worse, as 73 per cent of shoppers were unaware of new authentication requirements.
If shoppers do not approve a transaction, by entering a text message code from their bank or scanning their fingerprint on their mobile, they may not be allowed to complete a purchase.
“The initial set of ideas had a really noble goal, which was to eliminate the cost of cardholder fraud, but the early drafts would have had impacts I could best describe as catastrophic or business-ending or interrupting for many customers,” stated Shane Happach, executive vice-president and head of enterprise e-commerce at Worldpay.
Security vs seamlessness
A report in July from the Emerging Payments Association (EPA), which spoke to 13 major UK issuers, found that 58 per cent thought too much friction is being imposed on the payments experience by the new regulations.
Issuers predicted that once SCA is implemented, the proportion of transactions declined will rise in the short term from today's three per cent to between 20 and 30 per cent, while step-up authentication requests are expected to account for between a third and a half of all online transactions.
Siobhan McGinley, project lead for transaction insights and head of marketing at Judopay, explained that merchant awareness levels are “extremely low”, technical requirements have been late to be agreed, and solution availability is limited.
“The entire payments value chain from the merchant, through the gateway, acquirers, payment networks, right up to the issuer must be ready for these changes,” she stated, adding that the PSD2 Regulatory Technical Standards require SCA to be completed or else the issuer must decline the payment transaction.
The EPA research showed that the top approaches initially being adopted for SCA compliance are One Time Passwords (OTP) with delivery via SMS to a mobile phone as a knowledge element, authentication within a mobile banking app, card data as a possession element, and use of 3DS technology.
Issuers said that they expected OTP and 3DS to have a major negative impact on the user experience, with biometrics being seen to have a lower impact.
Half of UK e-commerce merchants have adopted 3DS v1, which many believe meets minimal SCA compliance as it supports two-factor authentication and dynamic linking. On average, this version has a 10 to 12 per cent transaction abandonment rate. However, 30 per cent of issuers told the EPA they are currently planning to decline all 3DS v1 transactions for fear that the regulator may deem them non-compliant, although the FCA guidance may reduce this number.
“The merchant viewpoint is that they would prefer a 3DS v2.2 implementation as this supports the full range of SCA exemptions and therefore can deliver a good user experience,” read the EPA report. However, less than five per cent of UK merchants are on 3DS v2.1, and first commercial availability of 3DS v2.2 solutions is not expected until the end of this year.
The rules are an attempt to curb escalating fraud levels, with annual losses from remote purchases and e-commerce now totalling £310 million out of the £566 million overall card fraud total.
Andy Mulcahy, strategy and insights director at the IMRG, said that on balance it’s a development that is going to cause problems, but is a positive step if it makes online transactions more secure in the longer term.
“I think we can envisage pretty significant teething problems if we think about the experience on the part of the customer - I’m not aware of much in the way of public awareness campaigns, probably because it’s so complicated - so people are not going to have a clue about any regulation coming in and you can see immediately what the problem will be.”
He pointed out that retailers tinker with elements at the checkout and sometimes the slightest thing can enhance or reduce conversion. “There are plenty which have implemented two-factor and pulled back again, as people don’t know their code and drop off.”
Mulcahy suggested that two-factor authentication would be the most popular method initially, as social media and finance firms already use it. “They might shift over to biometrics if some of the newer mobile payment methods become more popular but, to be honest, they do not represent anything like a significant share of sales yet.”
Andrew Cregan, payments policy advisor at the British Retail Consortium (BRC), welcomed the FCA’s delay to SCA enforcement, arguing that its smooth roll-out is essential to minimising any disruption in online transactions.
“The decision by the FCA avoids a payments cliff-edge, with phased implementation allowing retailers and banks time to put in place the necessary technical fixes required, and minimise any disruption in online transactions,” he stated, adding that the BRC is working closely with its members on this issue.
Dodging the SCA bullet
Not everyone was so happy about the extension though, with Duncan Barrigan, vice president for product at GoCardless stating that the industry cannot continue to kick the can down the road.
“It needs to start planning for SCA today or we’ll be facing the same panic in 18 months’ time. Businesses must use this time wisely – to properly evaluate and improve the entire consumer shopping and payments experience.
“We may have dodged an SCA-shaped bullet, but the showdown will come around quicker than you think in March 2021,” he added.
Jason Tooley, chief revenue officer at Veridium, called the length of the delay “unacceptable” and highlighted the misalignment of expectations when consumers are entitled to secure digital experiences.
“Payment service providers have had nearly two years to prepare since the initial announcement, so there is no valid excuse for the delay in its enforcement apart from an unwillingness to participate,” he commented.
“Whilst it is true that consumers will see minor changes to their day-to-day spending, the additional layer of security on higher value payments will enable consumers to benefit from safer and more innovative electronic payment services – SCA will mean consumers are more confident when buying online, rather than acting as a deterrent to sales as some have incorrectly suggested.”
There has been some evidence of online brands making changes to comply – Zalando, for instance, recently implemented a two-stage authentication process after partnering with Adyen – but as the UK’s retail sector struggles, it remains to be seen whether there is the time or resource to get up to speed, even with the extension.