Mark Collins, Managing Director for TNS’ Payments Business in EMEA, explains how to set a clear roadmap to success when it comes to Strong Customer Authentication
When the European Banking Authority (EBA) published its Opinion on the requirements of Strong Customer Authentication (SCA) under the revised Payment Services Directive (PSD2), it highlighted the concerns about the readiness of the industry to comply with SCA. As such, the EBA allowed the National Competent Authorities (NCA) in each EU member state to give an extension of time to implement SCA and delay any enforcement action from non-compliance after September 2019. Many retailers and industry participants undoubtedly let out a sigh of relief.
Mark Collins, Managing Director for TNS’ Payments Business in EMEA, agrees this was a critical intervention by the EBA, which gave necessary guidance to the NCAs in each EU country. Mark highlights that readers of The Paypers who have not yet taken steps to comply with SCA need to make use of this important availability of extra time to learn how their NCA has decided to approach enforcement of SCA and develop an appropriate SCA implementation plan.
There’s so much written about SCA requirements under PSD2, every newsletter to hit your inbox contains some new industry perspective on the effects this could have on the industry so it’s not surprising that some of us are confused. The danger is that this confusion could lead to inaction.
Understanding where we are now
While I am not a lawyer, I can appreciate the well-meant intention behind mandating a comprehensive approach to SCA methods to ensure that we once again have uniformity of authenticity for every electronic payment. Plus, with the increase in fraud over the last decade, the European Commission is striving to enforce more stringent authentication measures in the form of PSD2.
In today's marketplace, we have embraced variations of presenting a payment, like chip and PIN, PINLESS, NFC and Card-on-File, for example. While these have allowed us to capitalise on shifting technologies and consumer expectations, these have introduced complexity and made it harder to have uniform authentication. SCA requirements will push the industry across Europe to level the playing field and enhance competition for every payment tender. For card-not-present commerce, it will pose the hardest change, because out-of-band authentication will be necessary, which will likely add costs. The best part of advancing more secure commerce is that SCA is making PSPs modernise their systems and closing a critical gap in situational awareness.
What challenges must be overcome?
I believe the main challenges and hurdles can be categorised into three areas - complexity, cost, and consumer experience.
Businesses need to evaluate whether any out-of-band authentication they deploy creates latency in the sale of goods or services, thus impacting the consumer experience.
It is key that secure communication systems for authorisation, and the new one needed to deliver the authentication step, are separated on dedicated paths away from other LAN/WAN traffic; otherwise merchants may be affected by network congestion.
The biggest potential issue that we all want to avoid is SCA having a detrimental effect on instore queue times or increasing cart abandonment rates online.
Construct a strategic plan
Choosing the right PSP is going to be critical. Begin by asking your current provider what they are doing for SCA. Merchants are too busy serving consumers to be swapping technology every time a regulator or payment scheme come up with a new mouse trap, so it is important to be aware of what your PSP has to offer and how it can either protect you or qualify you for one of the many exemptions.
Work with your provider and align on a roadmap that increases authentication measurably. At TNS, we have an experienced team that can help you prepare for SCA with a solution that will be usable across multiple payment gateways.
Explore 3-D Secure
In line with introducing SCA measures, merchants should take note of EMVCo’s drive to update its 3-D Secure (3DS) technology. Cart abandonment rates were high when it was originally introduced as it made the checkout process more complex. Recent versions of 3DS promise a more frictionless shopping experience across a range of devices while fighting fraud. In addition, the EBA opinion did confirm that the use of 3DS version 2.0 and newer would support the two-factor authentication process to meet the SCA requirements of PSD2.
Prepare for SCA now to stay one step ahead
Be aware that any change, which varies by country, allows more time to better prepare, it also gives more runway for fraudsters to exploit vulnerabilities in electronic and digital payments. I urge all merchants and industry stakeholders who are affected by the SCA mandate and have not yet developed a plan to address this, to take the necessary measures now, and to ensure that they have a failsafe SCA roadmap in place before time runs out.
This article and the information contain herein are provided for general information purposes only and are not intended to constitute legal advice. If you are affected by these issues and have questions, TNS recommends you take appropriate legal advice and such advice should be taken into consideration before acting.
About Mark Collins
Mark Collins is Managing Director of TNS’ FinTech Solutions business in Europe, which includes offices in the UK, Ireland, France, Spain, Italy, and Germany. Mark drives all sales and business activity in his region, and is part of TNS’ leadership team, which is responsible for setting TNS’ strategic direction and implementing its vision.
About Transaction Network Services
Transaction Network Services (TNS) has been a trusted provider to the payments industry for over 25 years. TNS’ broad portfolio of solutions includes secure and resilient transaction delivery services, used by many of the top banks, transaction processors, and ATM deployers around the world.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now