What the FCA’s 18th Month Delay with SCA Could Mean for Online Payments

By Aviram Shemer On Oct 7, 2019

The United Kingdom’s Financial Conduct Authority (FCA) recently announced an 18-month delay on its enforcement of the European Union’s Strong Customer Authentication (SCA) requirements. Whether it happens today or in a year, the changes will come into effect. Instead of burying their heads in the proverbial sand and blindly riding this wave of luck, payments providers, card issuers and online merchants should start implementing the prescribed changes right now, even if they’re not yet being enforced.

Though new regulations can often seem like a burden at first, the EU’s landmark SCA laws promote a host of strong technologies and best practices that will ultimately push the industry forward. Over the long term, the proliferation of these new technologies will produce marked improvements in approval rates, fraud rates and broader adoption of SCA in markets beyond the EU.

On the flipside, the longer merchants wait to implement these changes, the more opportunity there is for fraud and the higher the likelihood of growing pains once the 18-month grace period ends.

The Regulatory Landscape

The Second Payment Services Directive (PSD2) went live in January 2018, with the aim of creating an open banking market, with faster, safer and more transparent payments.

One of the key elements of PSD2 is that it mandates compliance with Strong Consumer Authentication standards. SCA standards enable merchants, acquirers and issuers to clearly identify shoppers in real time and ensure payment authorization.

A core principle of SCA is the phasing out of single-factor authentication. Having transaction authentication rely on one factor alone produces a single point of failure bad actors are becoming increasingly skilled at exploiting. SCA’s new mandate for transactions is that they require authentication via at least two of three key categories of identification:

something they know (e.g., a password, PIN or a secret fact)
something they own (e.g., their mobile phone, a wearable device or a token)
something they are (e.g., their fingerprint, facial features or voice patterns)

These new requirements may seem straightforward enough, but the additional friction and complexity they could introduce to online checkouts have merchants worried. One recent study estimated European e-commerce would lose $63 billion in the first year of SCA alone—nearly 10 percent of the sector’s $651 billion estimated annual revenue. And given the challenges previous authentication standards have faced, the concern is understandable.

Past Challenges

The Three-Domain Secure (3DS) authentication standard was first developed by Visa in the early 2000s. 3DS sought to reduce “card not present” (CNP) credit card fraud by requiring merchants to add a layer of payment authentication, like a password or code sent via SMS. Over the years, the technology spread and is now supported by most card schemes in the world.

There was one problem though: consumers simply didn’t like the 3DS experience, especially if they were trying to make a payment on a mobile device. Merchants saw customers abandon their shopping carts rather than go through an additional layer of security. Lower conversion rates and lost revenue caused many merchants not to include 3DS as part of their checkout flow.

Eventually, this prompted the development of a brand-new version of the protocol in October 2016. 3DS2 features improved authentication methods that seamlessly integrate into the checkout process, in a way that lowers impact on conversion. Most importantly though, the protocol was also specifically designed to be compliant with SCA standards.

Present Progress

The updated 3DS2 protocol differs from its predecessor in several important ways. First of all, 3DS2 employs smart filtering at the transaction level to divide transactions into either “frictionless flow” (for those determined to be trustworthy), or a “challenge flow” which prompts further authentication (for those deemed questionable). 3DS2 is also designed to embed directly into both web and mobile checkouts without requiring redirects or redesigns for various screen sizes.

Initial research suggests that 3DS2 can reduce checkout times by 85 percent and cart abandonment by 70 percent. Customers can be redirected to their bank’s mobile banking app to authenticate a transaction using biometric methods like fingerprinting or facial recognition. And through the sharing of more transaction data, the accuracy and number of approval rates by issuing banks will increase. Regulations like these can reduce false flags which will increase approval and conversion rates for merchants.

A Path Forward…

Online fraud is a mounting threat that shows little sign of slowing. In 2018 alone, an estimated £671 million was lost to fraud on UK payment cards, a 19 percent increase on the previous year. Despite the formal regulatory delay, the time to start taking action is now. Because, as hard as it sometimes is to believe, regulation often breeds innovation.

Just think about how many now-ubiquitous financial solutions first began life as regulations yet ended up advancing the entire industry—Card Verification Value (CVV) for example. The sooner we achieve stronger protection from online fraud, the closer we’ll be to achieving the most seamless transaction experiences possible.