Voice of the Industry

European authorities guidance on the SCA enforcement moratorium speaks volumes

Friday 27 September 2019 08:31 CET | Editor: Melisande Mual | Voice of the industry

J. Bennett, Signifyd: Every day another competent authority is issuing its own guidance, at times conflicting with previous guidance issued by other countries' authorities

With the UK, France, Germany, Italy, and other banking authorities in Europe issuing their directives on the delay in enforcing the rigorous customer authentication standards required by PSD2, it’s safe to say that the picture of life under the new regulations has become anything but clear. The UK’s Financial Conduct Authority (FCA) laid out an 18-month ‘managed rollout’, which at least offered a concrete timeline, unlike the unspecified enforcement extensions from Germany, Spain, and Italy. Most importantly, the European Commission and the European Banking Authority have both remained quiet on the terms of an enforcement delay.

In the end, the directives are important — for what they say literally, but even more so for what they say about the state of SCA efforts in the European Economic Area:

This is not a call for merchants to relax. It is a call to act fast — at least on the timetable for the banking sector — or face regulatory action and fines;

Order verification through 3DS2 alone is not an acceptable answer to PSD2’s strong customer authentication requirements;

Getting SCA right is about fraud but more importantly, it is about building great customer experiences and ensuring that all consumers can shop online.

The new regulation: a challenge or an opportunity?

The PSD2 regulations became effective on 14 September, as originally planned; however, a significant number of retailers and banks were not ready to comply. The FCA indicated that businesses that do not make a sufficient effort to meet the requirements could still face penalties during the enforcement delay.

As for 3DS2 on its own as a solution, it has an important role to play in providing SCA without adding checkout friction, but as the European Banking Authority declared in June, 3DS2 alone is not sufficient to meet the SCA requirements.

For a time, there was a wide misperception that the 3DS2 protocol on its own was the way to go. It was never seen as a particularly good solution, as 3-D Secure version 1 was known for killing conversion, causing a 45% decline in conversion in the US, for instance. Still, other retailers have been searching for a silver bullet among the list of exemptions laid out in the SCA regulation. But the exemptions are only sometimes applicable for some small-value carts and actually depend on unrealistically low fraud rates for both the acquiring and issuing banks, neither of which is under the retailer's control.

And perhaps most importantly, directive after directive has made it clear that consumers are at the center of the authorities’ concern. Add to their voices the statement by the European Consumer Organisation that, given consumers’ vulnerability to fraud, this is no time to delay. It is almost trite to say that retailers need to keep consumers at the center of everything they do. But it is certainly true in the case of implementing SCA. A number of studies have pointed out the decline in conversions that strong authentication can cause. Stripe, Worldpay, Amazon, and others have warned that under current conditions, the introduction of SCA will be accompanied by billions of dollars in losses.

On the other end of those failed transactions are customers attempting to make purchases and failing, either because their retailer is not prepared or they are unable to receive a confirmation text or comply with another element of the authentication process.

Many SCA questions remain unanswered

Paul Rogers, chairman and founder of Vendorcom, has been closely following the move toward SCA for years. He says there is plenty of work to be done and plenty of ambiguity to be overcome. Substantial uncertainty remains — including just when many European merchants need to be compliant. And despite its embrace of a managed rollout, there is uncertainty attached to the UK’s authority, given that it may crash out of the European Union a month after PSD2 goes into effect. PSD2 and SCA will apply to British merchants whether they are in the EU or not, but it will be hard for the UK to lead on PSD2 from the outside.

The new rules have been a source of stress for many retailers and something of a surprise to others, who hadn’t come to grips with the way payments and commerce would change under the new regulations and the impact on business. The stress comes from the fact that retailers widely assumed SCA would add friction to the buying experience and cause a dramatic drop in conversions. And, of course, it calmed no one’s nerves to know that ecommerce businesses that aren’t prepared to conduct SCA won’t be able to transact the overwhelming majority of their online business once enforcement is in place.

A Mastercard survey published just six months before PSD2’s effective date found that only 25% of online merchants in Europe had even heard of SCA. And 24% said they had no plans to implement SCA.

Where do we go from here with PSD2?

Successful SCA in the era of PSD2 will likely involve a holistic approach — taking ownership of SCA and viewing it as a path to a better customer experience. A machine-learning-based solution that provides dynamic fraud analysis for online retailers allows for nearly instantaneous SCA review and accurate decisions based on the significantly more data processed by the system’s learning machines, as opposed to passing that data all the way down to the issuing banks and back.

The only certainty is that enforcement of SCA is coming and that those retailers who get there first are going to have a competitive advantage.

About J.Bennett

J. Bennett, Signifyd’s vice president, operations and corporate development, is leading the company’s strategy to provide merchants with a seamless approach to conducting the strong customer authentication required by PSD2.



About Signifyd

Signifyd empowers fearless commerce by providing an end-to-end commerce protection platform. Powered by the Signifyd Commerce Network, its advanced machine learning engine protects merchants from fraud, consumer abuse, and revenue loss caused by friction in the buying experience. Signifyd counts among its customers a number of Fortune 1000 and Internet Retailer Top 500 retailers. Signifyd is headquartered in San Jose, CA, with locations in Denver, New York, Belfast, and London.


Keywords: J. Bennett, Signifyd, PSD2, FCA, 3DS2, fraud, SCA, authentication, merchants, regulations, banks, retailers, ecommerce
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: World