What does the delayed SCA implementation mean for the payment ecosystem?
November 2019 by David Orme, Senior Vice President at IDEX Biometrics ASA
In August 2019, the Financial Conduct Authority (FCA) announced an 18-month delay to the enforcement of the new Strong Customer Authentication (SCA) rulings under the second Payment Service Directive (PSD2). The rulings were originally introduced to enhance the security of payments and limit fraud during the customer authentication process for online and in-person contactless payments.
Online, or card-not-present (CNP) transactions, and contactless payments are two of the main routes to card fraud. Because of the lack of a PIN or authentication method, these forms of payment present a specific challenge for retailers to verify the actual cardholder and validate their payment effectively. The introduction of SCA aims to reduce high levels of online and payment fraud caused by this process, all while enhancing consumer rights.
For merchants in the European Economic Area, the SCA ruling means they must now require two methods of authentication for CNP transactions, that is, whenever a retailer takes a payment without the card being physically present, such as for an eCommerce transaction. When the directive is enforced in March 2021, two of the below three authentication methods must be used to confirm a CNP transaction:
1. Something you know – such as a PIN or password
2. Something you have – possession of the card or a bank-issued card reader and one-time PIN
3. Something you are – biometric data
The additional authentication process also applies to some contactless payments, with shoppers having to enter a PIN for every fifth transaction, or after a certain spending limit has been reached, currently considered to be £100.
Why the delay?
The SCA ruling will affect the whole payment market, including card issuers, payment providers, online retailers, in-store merchants and consumers. However, the European Banking Authority (EBA) this summer noted a significant lack of preparedness for the regulation among the payments industry and retailers, which is likely to have a significant impact on consumers.
The extension to the deadline is intended to give the industry time to prepare for the roll-out of the directive. To address the industry’s lack of readiness, the FCA has created an 18-month plan which provides support and sets out the steps that those within the payment ecosystem need to take to implement SCA.
Discussing the introduction of SCA, Jonathan Davidson, Executive Director for Supervision, covering Retail and Authorisations at the FCA, has said, “The FCA has been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster. While these measures will reduce fraud, we want to make sure that they won’t cause material disruption to consumers themselves; so we have agreed a phased plan for their timely introduction.”
The preparation timetable
So, given their lack of preparation, how does the payment market get ready for the roll-out of the ruling between now and the new deadline of March 2021?
The suggested industry solution is to use a one-time passcode (a possession factor) plus another factor (with knowledge factors, such as PINs, only as a fallback). According to the FCA, while the industry is still implementing this approach, the most important step is to start clear communication with consumers now. Retailers and banks should already be open and transparent with customers to minimise the risk of unexpected disruption to payments.
To provide this level of communication, retailers and suppliers need to educate themselves regarding the issues and requirements needed to ensure they are SCA compliant. The so-called ‘learning period for implementation’ runs up to March 2020, by which time the financial authority expects retailers to understand the regulatory requirements and have begun to take steps towards technological readiness.
By this point, merchants should be actively testing to ensure their solution will work correctly by the following year. Then by March 2021, the FCA expects to see operational readiness and a solid ‘issuer behavioural solution’ from all retailers and financial institutions, to meet the regulation deadline.
Biometrics: the long-term solution to secure payment authentication
While one-time passcodes are considered the interim solution, the FCA also outlines that, in the long term, authentication through biometrics and mobile app-based solutions is the future of secure payments. Adopting biometric payment cards or using fingerprint readers on smartphones to authenticate online payments offers an important way for retailers to balance security measures that comply with the SCA regulation with ease of use for the consumer.
With smart fingerprint biometric payment cards, the user registers their fingerprint on the card at home through a portable enrolment device. Once the reference fingerprint is recorded, it never leaves the card so data cannot be hacked. The biometric bank card can then be used with existing payment infrastructures (including eCommerce, chip and PIN and contactless card readers) in the usual way. The sensor is positioned so that the consumer can simply hold and tap their card with their thumb or finger over the sensor, meaning that even post-SCA contactless payments can continue quickly and easily, without PINs or payment limits.
For online payments, biometric payment cards offer further possibilities to strengthen the security and SCA compliance for e-commerce retailers. The addition of a digital dynamic Card Verification Value (CVV) number on the front of the card would present a new code whenever the card owner’s fingerprint is presented on the card. This means that the traditional payment card would be transformed and consumers would be protected against both the theft of static card numbers for fraudulent online transactions and physical card theft.
The implementation of biometric fingerprint payment cards across the payments market would ensure that card issuers, payment providers, online retailers and in-store merchants can all meet the SCA requirements for online and contactless transactions.
Therefore, fingerprint biometric smart cards are a way of putting payment security firmly in the hands of the consumer in line with the SCA requirements. As the payment ecosystem works to meet these guidelines it should look towards this biometric innovation to provide secure authentication with the convenience that consumers expect and demand.
Fail to prepare, prepare to fail
During the delay, it is the responsibility of the payment ecosystem to ensure they understand the new regulations and implement methods to protect consumers from fraud. Security measures must be put in place to comply with the SCA requirements sooner rather than later.
If the payment ecosystem fails to prepare for, or comply with, this new ruling, it will open consumers up to a significant threat of card fraud, whether from shopping online or in store. Therefore, it is imperative that card issuers, payment providers, online retailers and in-store merchants act now to prepare for the new regulation. Biometric fingerprint payment cards offer an opportunity for banks, retailers and merchants to embrace payment innovation that will help them meet these new secure forms of authentication with confidence and ease.