New Strong Customer Authentication (SCA) rules came into force on March 14th, 2022 in the UK, and failure to follow them may result in customer payments being declined.
Nick Caley, UK head of ForgeRock, is familiar with these rules, which revolve around verification and authentication in payments. With twenty years of experience covering all aspects of information security, he has advised global clients in industry and government on security strategy and the operational capabilities that enable organisations to protect their most valuable assets. At ForgeRock, Nick is responsible for Financial Services and Regulatory, with a focus on guiding organisations to deliver successful outcomes beyond compliance with GDPR, PSD2 and Open Banking.
Here he shares his thoughts on why online retailers must take SCA seriously after the March deadline.
Within the sphere of online retail, the UK is one of the most sophisticated e-commerce markets in Europe. UK customers are unafraid to seek out the most cost-effective purchasing routes, which helps explain why a quarter of all UK retail sales were made online in January this year, still 10 per cent higher than pre-pandemic levels.
Europe is a hotspot for API-based innovation, and the embedded payments market is surging. Klarna, whose ubiquitous "buy now, pay later" app alone reached 18 million monthly active users globally in 2021, is a leading name in an industry expected to exceed $138 billion by 2026. Even businesses outside fintech are set to take part: in a study by Solarisbank, 61 per cent of respondents signalled their willingness to use financial products from brands such as Lidl and IKEA.
With an increasing number of fintech services on the horizon, more and more companies fall under the regulatory eye of the second Payment Services Directive (PSD2) in Europe or, in the UK, the Payment Services Regulations 2017 (PSRs), supervised by the Financial Conduct Authority (FCA). PSD2 has encouraged a wealth of innovation in fintech by requiring banks to give authorised third-party providers access to their customers' financial data, with the customer's consent, transforming the payments landscape into a competitive data-sharing ecosystem.
As part of PSD2's aim to nurture a strong consumer focus, a major milestone has been the introduction of Strong Customer Authentication (SCA) as a mandatory process for online consumer payments. The objective of SCA in e-commerce is to deter checkout fraud (which reached $20 billion in 2021) by requiring the identity of a customer making an online transaction to be verified more stringently. SCA has the added benefit for retailers of sharing liability for fraudulent transactions with the card issuers, which helps keep the ecosystem working toward a common objective.
SCA became a legal requirement under PSD2 in September 2019 (with enforcement for e-commerce phased in across the EU until the end of 2020), so most card payments and bank transfers in Europe already require it. In the UK, the FCA gave merchants more time to make the necessary changes to their payment flows before SCA became a mandate.
In the UK the SCA compliance deadline was initially set for 14th September 2021. Two extensions were granted after the Financial Conduct Authority (FCA) noticed a considerable lack of preparedness in many banks, which had not yet built robust APIs able to handle the additional service strain.
After two extensions, and a helpful push from strategies such as the "Ramp Up" plan by UK Finance, the body for retail banking and payment services, the final deadline passed on 14th March 2022. Many card issuers signalled their readiness by issuing "soft declines" from the start of this year for non-compliant transactions: a gentle nudge before the hard deadline for anyone leaving it until the last minute.
What does the SCA involve?
The way SCA works is that when a customer attempts to make an online payment, they must be authenticated using at least two independent factors drawn from three categories: knowledge (something only the customer knows, e.g. a password or PIN), possession (something only the customer has, e.g. a registered phone that receives a push notification or one-time code), and inherence (something the customer is, e.g. a fingerprint or other biometric). Two factors from the same category, such as a password and a memorable word, do not satisfy the requirement, and the static card details entered at checkout (card number, expiry and CVV) are not a factor in themselves.
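The two-of-three rule above is easy to get wrong in a checkout flow (two knowledge factors, or card data counted as a factor). The following is an added example, not ForgeRock's or any payment provider's code, that encodes the rule as a check over the authenticators a customer has completed; the authenticator names and the category mapping are assumptions chosen for illustration.

```python
"""Two-of-three factor check for SCA.

Added example (not from the original article or any PSP). The
authenticator names in AUTHENTICATOR_CATEGORY are assumed labels.
"""
from __future__ import annotations

from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the customer knows
    POSSESSION = "possession"  # something only the customer has
    INHERENCE = "inherence"    # something the customer is


# Assumed mapping from authenticator type to SCA category. Static card
# details (PAN, expiry, CVV) are deliberately absent: on their own they
# are not one of the three factors.
AUTHENTICATOR_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "memorable_word": Factor.KNOWLEDGE,
    "app_push_approval": Factor.POSSESSION,  # approved on a registered device
    "sms_otp": Factor.POSSESSION,            # code sent to a registered phone
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def sca_satisfied(presented: list[str]) -> tuple[bool, str]:
    """Return (ok, reason) for the authenticators completed on a payment.

    ok is True only when the presented authenticators span at least two
    distinct categories; an unknown authenticator fails closed.
    """
    categories: set[Factor] = set()
    for name in presented:
        category = AUTHENTICATOR_CATEGORY.get(name)
        if category is None:
            return False, f"'{name}' is not a recognised SCA factor"
        categories.add(category)

    if len(categories) >= 2:
        names = ", ".join(sorted(c.value for c in categories))
        return True, f"independent categories present: {names}"
    if len(categories) == 1:
        only = next(iter(categories)).value
        return False, f"all factors are from the same category: {only}"
    return False, "no factors presented"


if __name__ == "__main__":
    # Constructed sample checkouts, not real transaction data.
    for attempt in (
        ["password", "fingerprint"],      # knowledge + inherence: passes
        ["password", "memorable_word"],   # two knowledge factors: fails
        ["card_number", "cvv"],           # card data only: fails closed
        ["sms_otp", "face"],              # possession + inherence: passes
    ):
        print(attempt, "->", sca_satisfied(attempt))
```

The check fails closed on anything it does not recognise, so adding a new authenticator type means assigning it a category explicitly rather than having it silently counted.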
The card issuer will be responsible for performing the authentication in the majority of cases, but merchants must ensure that their payment flows allow for this extra step. It is, therefore, something that requires action and buy-in from every party in the consumer payment journey: card schemes, payment processors, banks and merchants all needed to upgrade to ensure a smooth transition when the rules took effect.
Risks of implementation
As with all regulatory shifts, there has been some backlash against the implementation of SCA. For example, online merchants have raised concerns over the impact of longer wait times on the consumer journey. If the average website loads in one second, and 40 per cent of consumers will wait no more than three seconds before abandoning a site, merchants have a small window in which to avoid raising their bounce rate. Payment service providers must be ready for a spike in traffic after the compliance date, to avoid consumers abandoning shopping carts out of frustration at a slower user journey.
There is also the issue of accessibility for older people and others without digital access. Many SCA implementations presume that customers have a smartphone with an up-to-date operating system to receive in-app push notifications, but if only one in five people over 75 has a smartphone at all, payment providers must offer alternative verification methods, such as one-time passwords (OTPs) sent by text or email. Flexibility and feedback will be key.
These risks have already materialised in Europe, amid a surge of merchant frustration over significant increases in transaction failure rates, reaching an estimated 31 per cent compared to a pre-SCA rate of 2-5 per cent. Some European consumers are experiencing "difficulties" in the checkout process, which results in confusion and subsequent abandonment of transactions, negatively affecting conversion rates for a range of online retailers.
A fingerprint away from the finish line
There is, of course, a benefit to the UK having had longer to prepare for the SCA compliance deadline: merchants have been able to watch and learn from the issues arising in Europe, and to take the time to consider the payment solutions most appropriate for their business. The UK also leads in infrastructure readiness for most PSD2 and Open Banking related measures, which is likely to cushion the blow of the majority of these changes.
Many UK consumers are also keen on the implementation of secure modern identity verification techniques. In a survey of UK cardholders, Visa found 66 per cent of people believed biometric authentication to be easier than passwords. UK Finance has echoed this view and recommended biometrics, such as fingerprint recognition, as the preferred solution for SCA compliance going forward.
Issuers that already send OTPs for transactions are also at an advantage, since an OTP delivered to a registered device supplies a possession factor. SCA requires two independent factors from different categories, and biometrics could be the ideal second factor for many use cases, without the strain of remembering an additional password or carrying another device.
However merchants and payment service providers tackle these changes, the hard deadline has now passed. It is their responsibility to ensure a smooth transition to SCA processes, so that customers perceive the change as a benefit to their security and not as a negative change to their checkout journey.