By Alison Donnelly, Director, fscom
How prepared are businesses to employ Strong Customer Authentication (SCA)?
Honestly, not as prepared as you would hope this far down the line. From our experience there is definite confusion around authentication codes and dynamic linking; many businesses are confusing these with One Time Passwords. If you are wondering, a One Time Password could form one of the elements of SCA, but the authentication code is something different: it is generated only after the elements have been applied.
Most businesses in the financial sector are having to put in place new systems and processes to accommodate these requirements, and they can be expensive. Even the card schemes' 3-D Secure protocol has had to be upgraded, to 3-D Secure 2.0, to support SCA, and even that has been far from a smooth process.
The financial industry has realised how monumental the task is and has requested an extension. The extension would also cover Common and Secure Communication (sometimes, misleadingly, referred to as Open Banking), meaning businesses with online payment portals would not have to open up access to those portals to Third Party Providers on 14 September. The response from the European Commission was unsympathetic to businesses, although it stopped short of saying a delay would never happen.
What difficulties will businesses face transitioning to SCA?
Limiting transaction abandonment and implementing compliant systems will be the biggest challenges for businesses. The unfortunate reality of increasing the security of online payments is that it can hurt the customer experience; security versus customer experience is the common trade-off in any payment transaction. It is a challenge that the financial industry has always faced, and SCA is just the newest actor in it. Businesses will have to make full use of the exemptions afforded to them in the legislation in order to keep the customer experience from becoming overly burdensome.
When considering the difficulties that businesses will face it is important to remember the scope of the businesses caught within the regulatory net. The businesses range from huge multi-national banks all the way to Bureaux de Change that happen to have an online portal for basic money remittance. Many of the smaller businesses do not have the necessary systems to implement these controls, and their systems will need to be completely re-configured – that is a tall order considering even the biggest companies are struggling.
How will authentication codes and SCA’s enhanced security features ensure transactions are safe?
The best way to think about SCA is in two steps, Two-Factor Authentication (2FA) and the authentication code. You are likely very familiar with 2FA, and although it has not been a regulatory requirement until now, it is the industry standard for customer authentication. 2FA is far more secure than a username and a password because an attacker must compromise two separate elements, from different categories (something the customer knows, has, or is), before the account can be accessed. What separates SCA from 2FA is the introduction of authentication codes and the requirement to dynamically link those codes to the transaction. So, what is the point of the authentication codes, and why dynamically link them?
The authentication codes form an auditable trail for the use of SCA: if a transaction is disputed, the fact that an authentication code was generated shows that SCA was applied. When a user sends a payment, the code is dynamically linked to the amount and the payee, so a code approved for one payment cannot be reused to authorise a different one; this protects against man-in-the-middle (or man-in-the-browser) attacks that alter the payment details in transit. With these additional features, calling SCA 'just mandated 2FA' would be very misleading.
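The following is an added illustration of the difference between a plain One Time Password and a dynamically linked authentication code; it is example code written for this page, not code from the article, fscom, any bank or any regulator. The HMAC-over-payment-details construction, the 8-digit truncation, the `PaymentOrder` fields and the sample account numbers are all assumptions chosen to make the point concrete: a code that depends only on a key and a challenge still verifies after an attacker swaps the payee and amount, whereas a code that mixes the payee and amount into the MAC does not.

```python
"""Illustrative dynamic linking: an authentication code bound to amount and payee.

Added example, not the page's or any provider's code. The HMAC construction and
the sample values below are assumptions for illustration only.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentOrder:
    payee: str          # e.g. an IBAN; the values used below are constructed samples
    amount_cents: int   # minor units, so there is no floating-point ambiguity
    currency: str


def canonical(order: PaymentOrder) -> bytes:
    """Deterministic encoding of the details the code must be linked to."""
    return f"{order.payee}|{order.amount_cents}|{order.currency}".encode()


def _truncate(mac: bytes) -> str:
    """Turn a MAC into an 8-digit code of the kind a customer can type in."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def unlinked_otp(device_key: bytes, challenge: bytes) -> str:
    """Plain one-time code: depends only on the key and a fresh challenge.
    It proves possession of the device but says nothing about which payment."""
    return _truncate(hmac.new(device_key, challenge, hashlib.sha256).digest())


def linked_code(device_key: bytes, challenge: bytes, order: PaymentOrder) -> str:
    """Dynamically linked code: the payee and amount the payer saw on the
    authenticating device are mixed into the MAC, so changing either after the
    fact yields a different code."""
    msg = challenge + canonical(order)
    return _truncate(hmac.new(device_key, msg, hashlib.sha256).digest())


def bank_accepts(device_key: bytes, challenge: bytes, order: PaymentOrder,
                 code: str, linked: bool = True) -> bool:
    """Server-side check: recompute the expected code for the order actually
    received and compare in constant time."""
    expected = linked_code(device_key, challenge, order) if linked \
        else unlinked_otp(device_key, challenge)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    device_key = secrets.token_bytes(32)   # shared with the authenticator at enrolment (assumed)
    challenge = secrets.token_bytes(16)    # fresh per transaction, so codes cannot be replayed
    shown = PaymentOrder("GB00SAMPLE00000000000001", 5_000, "GBP")      # what the payer approved
    tampered = PaymentOrder("GB00SAMPLE00000000000002", 500_000, "GBP")  # swapped in transit

    otp = unlinked_otp(device_key, challenge)
    code = linked_code(device_key, challenge, shown)
    return {
        # A plain OTP is valid for whatever order the bank receives: the tampered one goes through.
        "otp_accepts_tampered": bank_accepts(device_key, challenge, tampered, otp, linked=False),
        "linked_accepts_genuine": bank_accepts(device_key, challenge, shown, code),
        "linked_rejects_tampered": not bank_accepts(device_key, challenge, tampered, code),
        # The same code presented against a new challenge (a replay) is also rejected.
        "linked_rejects_replay": not bank_accepts(device_key, secrets.token_bytes(16), shown, code),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The design point is in `linked_code`: because the customer's authenticator computes the code over the payee and amount it displayed, the bank can recompute it over the order it actually received, and any mismatch between the two is detected without the bank ever seeing what the browser showed. The fresh `challenge` is what makes the code one-time; the payment details are what make it dynamically linked.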
This system is not entirely without weakness; the most obvious weaknesses are phishing attacks and the use of SMS. Whether sending One Time Passwords by SMS is compliant with the conditions of SCA is a point of contention within the European Economic Area; the FCA, however, has taken the view that SMS is compliant. The problem with SMS is that it is not a secure delivery channel: messages can be intercepted through weaknesses in the SS7 signalling network or redirected by SIM swapping, as Metro Bank has recently discovered.
Will SCA disrupt the customer experience?
Customers have certainly got used to lax security, especially when shopping online, so SCA will affect the customer experience. However, it is up to the business to use the exemptions in the legislation effectively to minimise that friction. There are nine exemptions:
- payment account information (access without SCA for up to 90 days after the last authentication);
- contactless payments at point of sale;
- unattended terminals for transport fares and parking fees;
- trusted beneficiaries;
- recurring transactions;
- credit transfers between accounts held by the same person;
- low-value transactions;
- secure corporate payment processes and protocols; and
- transaction risk analysis.
Businesses will have to ensure they are applying these exemptions in order to stay ahead of their competition.
Even with these exemptions applied it is unlikely that online shopping will be quite as smooth as it is right now. The hope is that, as the industry develops its approach, the process will become smoother than it is likely to be at the start. As the approach matures there should be a larger uptake of the 'transaction risk analysis' exemption; at the moment the majority of the industry is unable to make use of it because of the technological requirements and the strict fraud-rate thresholds it demands (the reference fraud rates in the regulatory technical standards are 0.13%, 0.06% and 0.01% for transactions up to EUR 100, EUR 250 and EUR 500 respectively).