Complying with Strong Customer Authentication (SCA) is proving to be more difficult than previously thought for providers of payment services across Europe. As the EU-mandated deadline for SCA implementation on September 14 looms, many financial institutions and third-party providers (TPPs) are still far away from meeting the regulation’s requirements. Failure by national regulators to extend the deadline could, many observers fear, mean calamity for online businesses.
Stipulated as part of the PSD2’s Regulatory Technical Standards established by the European Banking Authority (EBA), SCA is a two-factor security authentication protocol that has become a flashpoint issue concerning PSD2 implementation over the past months. The security protocol is seen as a foundational element to the future of Open Banking.
Under the protocol, which will be applicable to the majority of online transactions over €30 (£26.95), payment authentication must be established with two different factors out of a potential three. However, until recently, many banks and third-party providers incorrectly assumed that credit/debit card data — a kind of low-hanging fruit in the payment security world — would count as a factor. The EBA has since shot down those hopes.
Making a statement last June, the EBA cleared up any misinterpretations, announcing that credit/debit card data doesn’t count as an authentication factor for complying with SCA regulations. This has sent many of the EU’s banks and TPPs back to the drawing board to look for a replacement security factor.
“Most banks were hoping to authenticate users using card data and a One Time Password (OTP), but according to the EBA this is insufficient, which means that stakeholders now need to develop alternatives,” said Marc Nieto, CEO and co-founder of MPServices, a consultancy that specializes in fraud prevention and management for e-commerce companies.
The EBA’s June announcement came as a major setback for many who thought that they were on the path to hitting the SCA compliance deadline. These companies now have to revise their two-factor security authentication infrastructure, as well as the four possible configurations that these factors can be set into.
According to the EBA, SCA recognizes three categories of authentication factor, and a compliant transaction must draw on two different ones: possession, knowledge, and inherence.
“In this context,” says Nieto, “possession represents something the user owns, such as their phone; knowledge represents something they know, such as a password; and inherence represents something intrinsic, such as a retinal scan or fingerprint.”
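As an added illustration (not code from the article, the EBA or any payment provider), a small Python checker that applies the two-of-three rule described above and, following the EBA's June clarification, treats card data as no factor at all. The element names and the category each is mapped to are my own assumptions; in particular, an OTP delivered to the user's phone is counted as evidence of possession.

```python
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories named in the EBA's RTS."""
    KNOWLEDGE = "knowledge"    # something the user knows (password, PIN)
    POSSESSION = "possession"  # something the user has (phone, token)
    INHERENCE = "inherence"    # something the user is (fingerprint, retina)


# Constructed mapping of authentication elements to categories (assumption).
# Card number, expiry and CVV map to None on purpose: per the EBA's June
# statement, card data does not count as an authentication factor.
ELEMENT_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,          # OTP to the phone proves possession
    "app_push_approval": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "retina_scan": Factor.INHERENCE,
    "card_number": None,
    "card_expiry": None,
    "card_cvv": None,
}


def categorize(elements):
    """Return the set of distinct SCA categories the elements cover,
    ignoring anything that is not a factor (card data)."""
    categories = set()
    for element in elements:
        if element not in ELEMENT_CATEGORY:
            raise ValueError(f"unknown authentication element: {element}")
        category = ELEMENT_CATEGORY[element]
        if category is not None:
            categories.add(category)
    return categories


def is_sca_compliant(elements):
    """SCA is met only with at least two *different* categories.
    Two elements of the same category (password + PIN) are one factor;
    card data + OTP is one factor, which is exactly what the EBA rejected."""
    return len(categorize(elements)) >= 2


def explain(elements):
    """Human-readable verdict for a proposed authentication flow."""
    cats = sorted(c.value for c in categorize(elements))
    verdict = "compliant" if is_sca_compliant(elements) else "NOT compliant"
    return f"{' + '.join(elements)} -> {cats} -> {verdict}"
```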
The EBA recently acknowledged the complexity of these requirements, as well as how unprepared many players in the industry are, and the potential impact it could have on consumers. In its June review, the EBA stated that it would allow some firms, on an “exceptional basis,” to get an extension if cleared by national authorities.
Under the rationale of the EBA, demanding two-factor security authentication has become necessary due to the rising popularity of online shopping, which has coincided with skyrocketing rates of cybercrime. According to a recent study, a total of 150 million global e-commerce cyber attacks occurred during the first quarter of 2018, marking an 88-percent increase over the same period last year.
Yet, while online retailers remain incredibly exposed to losses associated with these cyberattacks, they are equally dismayed by the prospects of the advent of SCA. The added security authentication will greatly decrease the prevalence of cybercrime, with some estimates claiming a ten-fold reduction, but online retailers claim that the introduction of SCA standards will also negatively impact online shopping revenue.
This pushback is being heard from enterprises of all sizes. Giant e-commerce firms such as Amazon have warned that rushed implementation of SCA could result in dire consequences; some smaller firms report that they expect more than a quarter of payments to register failures under SCA. Furthermore, introducing SCA could also lead to ballooning costs that will greatly impact small firms, which will have to shoulder the costs of upgrading their security infrastructure.
A June report conducted by online payments provider Stripe forecasted that Europe stands to lose €57 billion of economic activity in the first 12 months after SCA takes effect. What’s more, Stripe also concludes that just 44 percent of businesses expect to be compliant with the new regulations by mid-September. (A lack of preparation that comes as little surprise to many.)
For the online shopper, the shopping experience could become a lot less smooth, resulting in poorer customer experience. Some analysts have uncovered that many EU-based online retailers are looking at employing overly complex security authentication processes — generating web-redirect flows with 17 steps. This could take user experiences to new lows, driving down conversion rates and impacting the bottom line of many online businesses.
An inevitable delay
With the specter of Brexit already causing significant economic anxiety across Europe, it’s important that a botched rollout of PSD2 and SCA doesn’t make the situation worse. In order to mitigate any further uncertainty in the market, some EU countries have begun to react, announcing that they will push back the SCA deadline, thus allowing for more time for businesses to find better payment authentication solutions.
In August, the Central Bank of Ireland ruled that it would be delaying the SCA implementation deadline, stating that it “recognizes the difficulties” of the deadline and would be drawing up a new timeline for its rollout.
This announcement was followed up quickly by the UK’s Financial Conduct Authority (FCA), which was already recommending to extend the SCA deadline. Shortly after, the regulator confirmed that there would be an 18-month delay, but only as long as firms can prove that “they have taken the necessary steps to comply with the [SCA] plan.”
Other relevant national financial regulators are looking at announcing this apparently inevitable extension. Germany’s Federal Financial Supervisory Authority, for example, said that “it is feared that on September 14, companies will not be able to use credit card payments,” and admitted that many companies in the EU’s largest economy are “not sufficiently” prepared for SCA to come into force.
The EPSM, a European payment services industry group, has called the upcoming deadline “a disaster for consumers and PSPs [payment service providers]” and warned of “significant market disruptions,” recommending that relevant bodies take immediate action to delay SCA implementation.
Furthermore, the payments group has gone a step further than the proposed 18-month delay, petitioning for an extension of up to 36 months for companies that are involved in “challenging applications,” which includes services that operate in the travel and hospitality sector.
However, not all markets are equal in the race to standardize. Some EU countries have long been ahead of the curve when it comes to advanced security authentication, and demonstrate no fears when it comes to successfully rolling out the technical prerequisites of Open Banking.
In the Netherlands, companies are already “well-prepared,” said a spokesperson for Dutch regulator DNB Netherlands, who added that the Netherlands already introduced strong customer authentication in 2005.
Complying with the EPSM’s recommendations, French regulator Banque de France released a recent annual report stating that it has created a multi-step migration plan. Under this so-called Observatory for the Security of Payment Instruments plan, France aims to have the clear majority of companies SCA compliant by December 2020, with full migration expected to be completed by 2022.
At the time of writing, the Polish Financial Supervisory Authority and the Bank of Italy were in discussions preparing to make announcements in regard to the ECB’s June comments, while the Bank of Greece looks prepared to follow suit with the U.K.’s decision to issue an 18-month delay.
Keeping “on top of things”
Regardless of the country-specific conditions, it looks very unlikely that SCA will be put into full effect for the majority of Europe any time soon. If banks and TPPs are going to ever meet the requirements, they will need to upgrade their technological infrastructure and understanding, especially by utilizing new API-related tools and technologies.
“The guidance is very prescriptive for SCA,” said SCA expert Mike Lynch, Chief Strategy and Product Officer of Deep Labs, in an interview with Computer Business Review, “and in my opinion has been very clear, but it requires a deep understanding of technical and security components that could meet the requirements.”
It is also possible that the ECB backpedals somewhat, announcing a sweeping extension for all of Europe. “It’s possible that a Europe-wide, 18-month moratorium is applied, but the specifics such as timing, metrics that will be used, and other details still haven’t been determined,” observes Nieto. “Right now there are a lot of uncertainties, which means we are in for a few months that may be somewhat unstable,” he added.
He advises that all companies keep “on top of things” and go above and beyond to source information from payment service providers when needed.
One thing’s for sure: now that most organizations see the need for more complex security solutions, it’s time to get to work.