How U.K. payment firms are bracing for Strong Customer Authentication
As 2020 dawns, a new decade will soon bring new levels of friction for contactless customers as a result of Strong Customer Authentication (SCA), a key part of the European Union’s drive to reduce card fraud across Europe.
SCA was initially supposed to come into force on September 14, 2019, but over the past couple of months it was postponed until December 31, 2020, by the European Banking Authority (EBA) amid widespread concerns across the U.K. retail industry that merchants would not be ready for the original deadline.
“Our research found that only 44% of businesses expected to be ready in time, and that the huge spike in failed transactions after implementation would cost the European economy €57 billion,” said Iain McDougall, U.K. and Ireland country manager for the payment service provider (PSP) Stripe.
While the EBA has made it clear that banks and retailers must use the extension wisely to avoid such a cliff-edge problem re-emerging, there are still considerable challenges afoot as the industry attempts to phase in SCA over the next twelve months.
While SCA will require consumers to enter additional forms of verification — typically one-time passwords sent to a mobile phone — when they spend more than £28 in a single transaction, so-called ‘false positives’ are also likely to occur where some transactions are mistakenly declined.
“This is of course a major inconvenience,” said McDougall. “It may also not be clear why a transaction has been declined, which will be a cause for concern amongst consumers who might understandably jump to false conclusions. Merchants need to make sure their payments setup is fully SCA compliant but that it also keeps the consumer experience at its heart. That means offering the simplest methods for two-factor authentication, and making sure the two-factor process is only invoked when necessary.”
To try and minimize such false positives, PSPs are investing in a variety of new technologies, particularly new ways of implementing biometric verification. Stripe recently acquired an Irish startup called Touchtech Payments, predicting this will help avoid the cost and perceived security weaknesses of text-based transaction confirmation, as well attempting to optimize their internal processes.
“To ensure transactions only go through two-factor authentication if they need to, we built a completely new core API, called Payment Intents, which includes an SCA engine that automatically picks out exempted transactions,” said McDougall. “Identifying which transactions can be considered exempt from two-factor authentication requirements under SCA is simply not possible for any individual merchant to do for themselves. There are thousands of card issuers across Europe that could each make different interpretations of the regulation. Stripe is doing the heavy lifting of working with issuers so that all merchants can take advantage of it."
But while system glitches and increased disruption for consumers are inevitable short-term consequences of the rollout of SCA, industry figures remain bullish that it will make a positive impact in the ongoing fight against fraud.
“It is definitely an important step towards reducing card fraud and identity theft,” said Christo Georgiev, founder and CEO of myPOS, a PSP offering mobile payment terminals and online payment solutions to the SME market. “Customer and merchant education on the matter is important to avoid negative and false perceptions about the new measures. We believe that it will help customers feel more secure, and so they will use their cards even more for online purchases.”
Stripe predicts that over the long term, one of the main impacts of SCA will be to encourage a steep acceleration in the adoption of biometric-based payments. In addition, with PSPs being forced to revamp their underlying APIs to prepare for SCA, this could lead to more intelligent payments systems, thereby reducing any friction relating to the online transaction experience.
“Over the longer-term, the rollout of SCA is going to change the face of online payments, just like the emergence of chip-and-PIN and then contactless has changed how we pay in person,” said McDougall.