The Central Bank of Ireland and the UK’s Financial Conduct Authority (FCA) have delayed the implementation of strong customer authentication (SCA) over concerns that banks, payment service providers and merchants were unprepared for the change.
The original deadline for implementing SCA was 14 September 2019, but the Central Bank of Ireland says it will provide additional time to implement the necessary reforms, stating that it has been engaging with the payment industry “to develop a migration plan to implement SCA for ecommerce transactions as soon as possible after this date”.
The FCA has also agreed to delay implementation, announcing that firms in the UK will have an additional 18 months to make all the necessary changes and undertake the required testing.
The second EU Payment Services Directive (PSD2) requires that SCA be applied to all electronic payments within the European Economic Area (EEA) through the use of two independent sources of validation, or two-factor authentication.
This is a combination of knowledge, possession and inherence: something that the payee knows, such as a PIN; something that they have, such as a card or a phone; and something intrinsic to them, such as fingerprints.
On 22 August, the German Federal Financial Supervisory Authority said it would not object to payment service providers domiciled in Germany executing credit card payments online without SCA “for the time being”, while just three days before the 14 September deadline the Hungarian central bank said it would implement a 12-month transition period.
The European Banking Authority (EBA), on the other hand, only published in late June an opinion on the authentication approaches currently observed in the market and whether or not they are considered to be SCA-compliant for each of the three elements of knowledge, possession and inherence.
“Allowing each competent national authority to do their own thing when cross-border transactions are so commonplace is not ideal,” says Andrew Hewitt, director of payment and data solutions at FIS. “The EBA could also have issued guidelines earlier.”
“The extensions should be coordinated,” agrees Jean Lambert, senior banking and regulation expert at Gemalto, a digital security firm.
“A situation in which each country has its own delay could lead to difficulties. In that respect, the EBA and the European authorities should contribute to harmonizing the market, which is one of the main objectives of PSD2.”
Andrew Barber, a partner at professional services firm Pinsent Masons, acknowledges that the security burden caused by SCA will introduce additional friction to ecommerce in the short term.
“Until the payments industry works out how to collect additional authentication information seamlessly, payments will take longer and likely require more steps from the consumer,” he says.
While the delay makes it technically optional to run 3D Secure (3DS) payer authentication on card transactions, most banks will have already implemented the associated changes and updated their fraud profiling accordingly, says Olivier Shaw-Latimer, director of global fintech at Blackbaud.
“Whilst non-validated transactions will not be systematically rejected for the duration of the grace period, it is highly recommended that 3DS is attempted regardless,” he says.
Jackie Barwell, director of fraud product management at ACI Worldwide, agrees that 3DS is the route most likely to be chosen by issuers as part of their implementation of SCA and says merchants need to conduct strong transaction risk analysis to help prove to their acquirers that they have fraud prevention “top of mind”.
“Any merchant that doesn’t have a good handle on fraud prevention could find themselves struggling to find acquirers who will take them on as PSD2, and specifically the rules around SCA have the side effect of an acquirer needing to understand each of their individual merchant’s fraud levels,” she adds.
“Any merchant with a poor fraud record could push that acquirer below thresholds that enable them to apply exemptions designed to mitigate the impact on the end consumer.”
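The threshold mechanism Barwell refers to, and the exemption Hughes describes in the following paragraphs, can be made concrete with a small calculation. The example below is added here and is not code from the article or from any of the firms quoted in it. It assumes the exemption threshold values and reference fraud rates published in the Annex to Commission Delegated Regulation (EU) 2018/389 (the RTS on SCA); the merchant fraud figures are constructed sample data, and the quarterly, per-transaction-type calculation and audit duties the RTS also imposes are left out.

```python
"""Transaction risk analysis (TRA) exemption check under PSD2.

Added illustration, not code from the article or from any firm it quotes.
Assumptions: the threshold values and reference fraud rates below are taken
from the RTS on SCA Annex (Regulation (EU) 2018/389); the merchant figures
used in the usage section are constructed, not real data.
"""
from dataclasses import dataclass
from typing import Iterable

# (exemption threshold value in EUR, maximum reference fraud rate in percent).
# A PSP whose fraud rate is at or below a band's rate may exempt remote card
# transactions up to that band's value from SCA.
TRA_BANDS = [
    (100.0, 0.13),
    (250.0, 0.06),
    (500.0, 0.01),
]


@dataclass
class FraudStats:
    """Value of fraudulent remote card payments and of all remote card payments."""
    fraud_value: float
    total_value: float

    def rate_percent(self) -> float:
        # No volume means no demonstrable fraud rate, so nothing qualifies.
        if self.total_value <= 0:
            return float("inf")
        return 100.0 * self.fraud_value / self.total_value


def combine(parts: Iterable[FraudStats]) -> FraudStats:
    """Aggregate several merchants' figures into one portfolio-level figure."""
    fraud = total = 0.0
    for p in parts:
        fraud += p.fraud_value
        total += p.total_value
    return FraudStats(fraud, total)


def max_exemptible_amount(stats: FraudStats) -> float:
    """Highest threshold band the fraud rate qualifies for (0.0 if none)."""
    rate = stats.rate_percent()
    best = 0.0
    for threshold_value, max_rate in TRA_BANDS:
        if rate <= max_rate:
            best = max(best, threshold_value)
    return best


def tra_exemption_applies(amount_eur: float, stats: FraudStats) -> bool:
    """True if a remote card payment of this amount may skip SCA under TRA."""
    return 0 < amount_eur <= max_exemptible_amount(stats)


# Constructed sample portfolio for an acquirer: two well-controlled merchants
# and one with a poor fraud record (figures are illustrative only).
MERCHANT_A = FraudStats(fraud_value=400.0, total_value=1_000_000.0)
MERCHANT_B = FraudStats(fraud_value=100.0, total_value=2_000_000.0)
MERCHANT_C = FraudStats(fraud_value=3_000.0, total_value=500_000.0)


def portfolio_without_c() -> FraudStats:
    return combine([MERCHANT_A, MERCHANT_B])


def portfolio_with_c() -> FraudStats:
    return combine([MERCHANT_A, MERCHANT_B, MERCHANT_C])


if __name__ == "__main__":
    for label, stats in (("without C", portfolio_without_c()),
                         ("with C", portfolio_with_c())):
        print(f"{label}: rate {stats.rate_percent():.3f}% -> "
              f"exemptible up to EUR {max_exemptible_amount(stats):.0f}, "
              f"EUR 180 payment exempt: {tra_exemption_applies(180.0, stats)}")
```

Run as a script, the two portfolio lines show the effect the article describes: on the constructed figures, the acquirer sits in the EUR 250 band without merchant C, and adding C's fraud pushes the portfolio rate up so that only payments up to EUR 100 can still be exempted, and a EUR 180 payment that was exempt now requires SCA.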
Payment service providers (PSPs) are exempted from performing SCA when they can demonstrate that they manage fraud down to a low level, explains Marcus Hughes, head of strategic business development at Bottomline Technologies.
“In order to qualify for this exemption, PSPs need to have in place a series of transaction risk analysis mechanisms to detect unauthorized or fraudulent payment transactions,” he says.
“It is intended that a series of cyber fraud and transaction risk analysis techniques will help PSPs manage their fraud rates below the levels specified in the regulator