The deadline for online retailers to facilitate Strong Customer Authentication (SCA) is arriving this Monday, 14 March 2022, and those who miss the deadline risk having their online card acceptance capabilities stopped.
Set out by the Financial Conduct Authority (FCA), SCA outlines a new set of rules that promote consumer safety throughout e-commerce. Although originally put forward in the Payment Services Regulations 2017 (PSRs), the deadline for full implementation had previously been set back; predominantly due to the effects of the pandemic.
However, the FCA has announced that there are to be no further setbacks and the final date for merchants to fully support the system is coming into force this Monday, 14 March 2022.
The system requires merchants to authenticate the identity of their consumers through two out of a possible three avenues:
- Knowledge (something only the payer knows) – examples include a password, PIN, passphrase, or secret fact/answer)
- Possession (something only the payer possesses) – examples include their mobile phone, smart watch, smart card or a token
- Inherence (something the payer is) – examples include a fingerprint, facial recognition, voice patterns, DNA signature and iris format
The changes will mean that when customers buy something online, they will be asked to verify their identity, for example, through their banking app or a one-time passcode via text or phone call.
From 18 January card issuers started to decline some non-compliant transactions, with all non-compliant transactions set to be declined after the 14 March deadline. Retailers are therefore strongly urged to ensure readiness as SCA requests will be stepped up from the beginning of next week to avoid a cliff edge implementation.
Payment providers are ready to help online retailers upgrade their payments process to support SCA compliant transactions if they have not done so already.
Adam McElroy, Director, Cyber Security at KPMG UK comments on whether banks will be ready for the impending Secure Customer Authentication (SCA) deadline on 14 March:
“Banks have been preparing for a successful launch of Secure Customer Authentication (SCA) since September 2019. Ahead of the next deadline on 14 March, many financial service providers are now updating their consumer applications and finalising communications to both commercial clients and customers – therefore, we should expect them to be ready to step-up their authentication measures when the deadline arrives.
“I hope that all payment processors banks make a successful and seamless transition to SCA and continue to improve consumer confidence in the digital economy. Recently, financial institutions have been faced with rising fraud rates as well as an intense period of change and uncertainty which has cast doubt in the eyes of the consumer in banks’ ability to keep their assets safe and support them through times of need.
“But this new added layer of security will put more ownership in the hands of the consumer in terms of sharing their personal verification information, helping to restore that all-important trust factor.
“Facilitated through open banking, banks are now at the heart of the digital economy – strengthening the connection between a bank and their customers through SCA should engender deeper trust and revitalise people’s confidence in modern banking.”
When is SCA required?
SCA will be required whenever a consumer a customer needs to interact with their payment accounts online. If for example, they initiate a payment transaction or carry out an action through a remote channel which may imply a risk of payment fraud or other abuse, their identity will need to be authenticated.
The purpose of SCA is to provide online payments and payment activity with the additional layer of security, something that is particularly poignant considering the recent acceleration of online payments.
According to UK Finance, 72 per cent of UK adults used online banking and 54 per cent used mobile banking during 2021. But with large levels of participation come even larger potentials for financial fraud and cybercrime.
Jana Mackintosh, Managing Director of Payments and Innovation at UK Finance said:
“Fraud is a growing problem, with criminals stealing more than £750million in the first half of 2021 alone. That is why it is more important than ever that additional protections like Strong Customer Authentication are put in place.
“For retailers, implementing SCA will provide customers peace of mind that payment processes are more secure. The industry and stakeholders have worked tirelessly to get ready for this change and we encourage any retailers who have not yet implemented SCA to act as soon as possible to ensure the new protections are available to all.”
The downside of SCA
The purpose of the SCA is to stamp-out card-not-present fraud, alongside all of its over derivatives. However, some key industry figures have pointed out how the implementation of SCA will make online payments much more difficult, and may even go so far as to discourage consumers from shopping online.
“The new SCA rules add more protections for the consumer — but they also add more friction to the consumer checkout,” Maria Palmieri, Head of Public Policy at Yapily explains. “As the card payment experience becomes more cumbersome, we can expect to see rising demand for alternative, one-click payment methods at the same time.
“Instant transfers made directly from one bank account to another via open banking, for example, are reducing the potential of card fraud as well as lengthy settlement times for the merchant.
“The direction of travel is clear; the new SCA rules are the latest indication of a growing shift in momentum away from cards towards more innovative, slicker payments processes for businesses and consumers.”
“Paying by card is about to get a lot more painful thanks to the implementation of the new Strong Customer Authentication (SCA) rules,” added Siamac Rezaiezadeh, Director of Product Marketing at GoCardless. “Consumers making online payments will now be faced with interruptions to their payment journey and asked to take extra steps to verify their identity. These added layers of security are yet another example of the card industry adding inconvenient bolt-ons to compensate for the fact that cards were not designed for an online world.
“We’re already seeing surging interest in payment methods that can solve for this imminent headache. Payments that come directly from a customer’s bank account, such as those powered by open banking, are SCA-compliant by design because authentication is built seamlessly into the checkout flow. This offers the streamlined online payment experience people have come to expect, and limits conversion and churns risk for businesses.”
As Ed Whitehead, MD EMEA at Signifyd points out, SCA is by no means the only fraud prevention measure that merchants and consumers will ever need, and there are in fact many areas where the reach of this scheme won’t satisfy.
He explains: “The new payments regulation, is a once-in-a-generation change with the potential to massively disrupt an enterprise or to push an enterprise ahead of its competitors when it comes to customer experience.
“But while SCA itself will be a vital pillar of protection for merchants and consumers alike, there is more to fraud and more to fraud protection than simply deploying an SCA solution. It is not, as some have mistakenly assumed, the only fraud solution a merchant will ever need, and one only need to look to the European countries where enforcement has begun in order to understand the limits of SCA’s fraud protection.
“Many transactions are not subject to SCA, and whilst this is a saving grace for merchants who are worried about online customer experience, it means they will still be vulnerable to fraudsters who will inevitably target the transactions which are exempt from this added SCA layer.
“Merchants should also consider the fact that a low-fraud rate will be vital for providing a top-notch customer experience once SCA is enforced, and this is only possible by ensuring they have the most robust defences in place.
“Fraud rates and risks vary by retailer and even by retail vertical. But as SCA rolls across Europe and becomes enforced in the UK, it is clear that the new regulation is not a be-all fraud solution and merchants will need to consider other fraud solutions to protect their business and maintain an excellent customer experience online.”