Background to SCA and PSD2
The new EU Payments Services Directive (PSD2) came into effect in January 2018, bringing in new laws aimed at enhancing consumer rights and reducing online fraud.
A key element of PSD2 is the introduction of an additional authentication step for online transactions over €30, known as Strong Customer Authentication (SCA). It means customers will no longer be able to check out online using just their credit or debit card details; they will also need to provide an additional form of identification.
What is Strong Customer Authentication?
SCA adds an extra layer of security when customers make a payment online. Until now, shoppers have been able to simply enter their payment details and complete their purchase (although some businesses voluntarily choose to ask for further authentication).
SCA is designed to make paying online more secure and, consequently, reduce payment fraud.
In real terms, however, this means that more than 300 million ordinary European consumers will regularly have to change the way they buy online, introducing an extra layer of friction at the checkout for everyday transactions.
How does SCA work?
SCA is a form of two-factor authentication designed to prove that customers are who they say they are, with specific rules around what constitutes “authentication”.
It requires two forms of validation out of three available categories.
What are the three categories?
- Something you know (e.g. PIN)
- Something you have (e.g. Card/phone)
- Something you are (e.g. fingerprint)
Only when the payer has been able to provide two of these forms of authentication, will they be allowed to complete their payment.
Why is SCA needed?
Payment fraud losses have been steadily increasing for nearly a decade with little sign of easing. Fraud losses on UK-issued cards totalled £671.4m in 2018, a 19 per cent increase from £565.4m in 2017, according to UK Finance. UK card fraud now accounts for half of all losses across Europe, driven by data breaches and online scams, according to predictive analytics firm FICO. In 2018 €1.6bn worth of card fraud was recorded across 19 EU countries, including Ukraine, Russia and Turkey.
When does SCA come into force?
The deadline for SCA compliance has been delayed by 18 months, with an agreed phased roll-out plan to move the UK to full compliance by 14 March 2021. The deadline for businesses to enact Strong Customer Authentication (SCA) was originally 14 September 2019. However, on 13 August 2019, the Financial Conduct Authority (FCA) announced that enforcement would follow a phased 18-month implementation.
How will SCA affect my customer payment journey?
In short, it’s going to be a bit more complicated.
Until now, authentication was only required on an exceptional basis, where the risk of the transaction was regarded as “high”. You would find yourself being transferred to a 3D Secure gateway, for example, and asked to enter additional information. This is commonly known as a “step up”. After 14 March 2021, additional authentication will be the new default: all qualifying transactions will be required to be “stepped up” unless an exemption applies. As the UK moves towards full compliance by March 2021, it is anticipated that more than 95 per cent of transactions will require a step-up.
Exceptions to SCA requirements
In a “card present” scenario, the convenience of contactless at point-of-sale would remain for low-value transactions (less than €50, or £30 in the UK). Chip and PIN will also remain the common practice in the European Economic Area when customers are present for values above €30.
Strong Customer Authentication exemptions
Strong Customer Authentication exemptions for retailers

| Exemption | Article | Threshold (€) | Conditions |
|---|---|---|---|
| Contactless payments at POS | Article 11 | 50 | Cumulative amount less than €150 or five consecutive payments |
| Trusted beneficiaries or recurring payments | Article 13 | None | Series of payment transactions with same amount and same payee. Recipient on ‘white list’. Not for first payment |
| Low-value transactions | Article 15 | 30 | Cumulative amount less than €150 or five consecutive payments |
| Transaction Risk Analysis (TRA) | Article 16 | Various | Exemption Threshold Value (ETV) based on payment service provider’s fraud rate for remote card-based payments and credit transfers. Maximum ETV is €500 |
| Secure corporate | Article 17 | | Payment Service Providers need to provide FCA with risk assessment and mitigation measures for the corporate payment services to be exempted |
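The following is an added illustration, not code from the article or from any payment provider, of how the “two out of three categories” rule and the exemptions above combine into a checkout decision. It models the Article 11, 13 and 15 exemptions as listed in the table; Articles 16 and 17 are left out because their thresholds depend on the provider’s fraud rate or FCA approval. Everything else is an assumption made here for the example: the cumulative-amount and consecutive-payment counters reset whenever SCA is applied (the wording of the regulatory technical standards, not something the article states), the “or” between the two low-value conditions is taken literally as the table phrases it, a payee is added to the “white list” after the first SCA-authenticated payment of a recurring series, and the names `Transaction`, `CardState`, `exemption_for`, `is_strong_authentication` and `process` are invented for this example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Channel(Enum):
    CONTACTLESS_POS = "contactless at point of sale"   # Article 11
    REMOTE = "remote card payment"                     # Article 15 (e-commerce)


class Category(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass
class Transaction:
    amount_eur: float
    channel: Channel
    payee: str
    recurring_series: bool = False   # same amount, same payee each time


@dataclass
class CardState:
    """Per-card counters an issuer keeps for the low-value exemptions.
    Assumption for this example: both counters reset when SCA is applied."""
    cumulative_since_sca: float = 0.0
    consecutive_since_sca: int = 0
    trusted_payees: set = field(default_factory=set)   # the 'white list'


SINGLE_LIMIT_EUR = {Channel.CONTACTLESS_POS: 50.0, Channel.REMOTE: 30.0}
CUMULATIVE_LIMIT_EUR = 150.0
MAX_CONSECUTIVE = 5


def exemption_for(tx, state):
    """Name the exemption that covers tx, or None when a step-up is required."""
    # Article 13: trusted beneficiary / recurring series; never the first payment,
    # because the payee only reaches the white list after an authenticated one.
    if tx.payee in state.trusted_payees:
        return "Article 13"
    # Articles 11 and 15: single amount within the channel limit AND either
    # cumulative spend since last SCA below EUR 150 OR at most five
    # consecutive payments since last SCA (the table's 'or' formulation).
    if tx.amount_eur <= SINGLE_LIMIT_EUR[tx.channel]:
        under_cumulative = state.cumulative_since_sca + tx.amount_eur < CUMULATIVE_LIMIT_EUR
        under_count = state.consecutive_since_sca + 1 <= MAX_CONSECUTIVE
        if under_cumulative or under_count:
            return "Article 11" if tx.channel is Channel.CONTACTLESS_POS else "Article 15"
    return None


def is_strong_authentication(factors):
    """Two factors count only if they come from two *different* categories:
    a card PIN plus a password is still one category ('something you know')."""
    return len({category for _, category in factors}) >= 2


def process(tx, state, factors=()):
    """Apply an exemption if one holds, otherwise require a step-up with the
    presented factors. Returns (outcome, detail) and updates the card counters."""
    article = exemption_for(tx, state)
    if article is not None:
        state.cumulative_since_sca += tx.amount_eur
        state.consecutive_since_sca += 1
        return "exempt", article
    if not is_strong_authentication(factors):
        return "declined", "step-up failed: need two distinct categories"
    # SCA succeeded: counters restart and, for a recurring series, the payee is
    # white-listed so later instalments are exempt under Article 13.
    state.cumulative_since_sca = 0.0
    state.consecutive_since_sca = 0
    if tx.recurring_series:
        state.trusted_payees.add(tx.payee)
    return "authenticated", "step-up via " + " + ".join(name for name, _ in factors)


def demo():
    """Constructed scenario: one card, a run of everyday purchases."""
    state = CardState()
    pin_and_otp = [("card PIN", Category.KNOWLEDGE), ("phone OTP", Category.POSSESSION)]
    two_secrets = [("card PIN", Category.KNOWLEDGE), ("password", Category.KNOWLEDGE)]
    steps = [(Transaction(25.0, Channel.REMOTE, "bookshop"), ())]
    steps += [(Transaction(45.0, Channel.CONTACTLESS_POS, "cafe"), ()) for _ in range(4)]
    steps += [
        (Transaction(45.0, Channel.CONTACTLESS_POS, "cafe"), pin_and_otp),  # counters exhausted
        (Transaction(90.0, Channel.REMOTE, "electronics"), two_secrets),     # over EUR 30, one category
        (Transaction(90.0, Channel.REMOTE, "electronics"), pin_and_otp),
        (Transaction(39.0, Channel.REMOTE, "streaming", recurring_series=True), pin_and_otp),
        (Transaction(39.0, Channel.REMOTE, "streaming", recurring_series=True), ()),
    ]
    return [process(tx, state, factors) for tx, factors in steps]


if __name__ == "__main__":
    for outcome, detail in demo():
        print(outcome, "-", detail)
```

In the scenario the first five low-value purchases pass without a step-up, the fifth €45 contactless payment trips both the €150 cumulative and the five-payment counters and has to be authenticated, a €90 remote purchase is declined when the shopper offers a PIN and a password (one category twice), and the second instalment of the €39 subscription is exempt under Article 13 only because the first one was stepped up.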
What happens if I ignore SCA?
The Financial Conduct Authority has said it will not prosecute companies for not already meeting Strong Customer Authentication requirements following the decision to extend the original September 2019 implementation deadline.
However, any firm which fails to comply with SCA after 14 March 2021, will find itself subjected to full FCA supervision and possible enforcement action as appropriate.
Potential business impact of SCA
Worryingly, 27 per cent of those shoppers who abandoned an online purchase in 2019 did so because they found the e-commerce process too complicated. Nearly 70 per cent of all online purchases ended up being abandoned. And that was before any new tier of Strong Customer Authentication requirements was implemented.
Although there are exemptions for certain types of transactions, retailers should brace themselves for reduced conversion rates for online shopping. European businesses stand to lose an estimated €57bn in year one after SCA implementation.
In India, by comparison, similar legislation saw a sudden drop-off of 25 per cent across e-commerce transactions, which would equate to a potential economic loss of €150bn if it ravaged Europe’s €600bn online economy to the same extent.
Further reading on SCA
Strong Customer Authentication is making online payments more complicated – is your business ready?