Strong Customer Authentication: where are we now?

The ‘final’ deadline for the introduction of Strong Customer Authentication (SCA) is no longer quite so final – the EBA’s recent Opinion gives discretion to national regulators as to whether to apply it or not, and most – although not all – have accepted the opportunity with alacrity. The reason for the delay is simple – the card payments industry is not ready and the impact on online commerce on September the 14th would have been catastrophic.

Before we move on we should perhaps take a moment to reflect on how we got to this point, eighteen months after the SCA deadline was set and nearly three years since PSD2 was set in stone. The aspiration behind SCA is entirely valid – the introduction of chip and PIN in face to face commerce dramatically reduced fraud in face to face commerce – and chip and PIN is SCA, in that context. The result of this success was largely predictable – the fraudsters migrated first to countries that were slow to adopt and then to ecommerce where the chip can’t be used to perform authentication and online fraud has exploded as a result.

The card industry’s response to this has been weak – 3D Secure is the only real solution and its initial implementations were poor such that many merchants opted out, preferring to take liability in order to avoid large scale transaction abandonment. Only now, with the introduction of 3D Secure version 2 is the technology beginning to provide adequate support for online customer authentication. PSD2 blocks the option or merchants taking liability – merchants can no longer avoid SCA but such has been the confusion over this that as recently as July we were being told by lawyers that this interpretation was incorrect. The Opinion definitively establishes the end of merchant liability as an SCA opt-out.

Given this confusion, it is perhaps not surprising that preparation for SCA in ecommerce has been patchy. The EBA regulates banks but in card payments we have a four-party model – issuers (banks), acquirers (banks), merchants (not banks) and consumers (not banks). Although, by and large, most issuers and acquirers are ready to at least a minimal level no one has taken responsibility for communicating effectively with merchants and consumers. The predictable result is that consumers are confused and merchants are not ready. The enforced introduction of SCA on 14th September would have resulted in a cliff-edge collapse in ecommerce across Europe, and the belated decision to delay this is a relief, albeit rather late in the day.

The question is – what should happen next? The EBA has partially addressed the issue by giving banks the responsibility to communicate with consumers and merchants and to create communication plans to do so which will be overseen by regulators. This will help but is only part of the solution. Beyond this, the bigger issue is the lack of standardisation of SCA.

To understand this let’s take an analogy. Imagine that SCA in face to face commerce had been mandated on banks, but no technological solution was provided. Instead of chip and PIN each bank created its own solution such that every time a consumer approached a PoS device the authentication method they used would be dependent on which bank they chose to interact with. Can we imagine the confusion on adoption day? But this is, in essence, the experience that has been regulated into existence with PSD2 in on-line commerce. The problem is even worse for third-parties trying to build a business using the PSD2 APIs – because in the middle of their smooth, optimised customer journey their customers are redirected to a bank SCA experience which can vary dramatically in terms of friction and user experience.

To solve this the regulators need to take a step back, temporarily drop anti-competition laws and insist that banks come up with a minimum standard for SCA in online commerce, such that consumers know what to expect and third-parties aren’t disadvantaged by variable SCA experiences. Once this SCA Minimal Viable Product is in place then banks should be free to compete on more complex, sophisticated, frictionless and advantageous forms of customer authentication. We see huge opportunities in mobile-based authenticators and behavioural biometrics. But without a baseline for SCA for customers both with and without access to smartphones the entire SCA edifice is built on sand which is likely to severely disadvantage people who already struggle to access financial services.

To be clear – we think SCA is a good idea, in principle. But so far its implementation has been dogged by a lack of understanding of how the payment industry actually works. The existing card payments networks are a modern Wonder of the World – but they’re built on technical standards and proper governance, not regulations. To make SCA work we need to take a step back – but it is far better that we do that than risk the entire concept through a badly managed implementation process.

About Tim Richards

Tim manages Consult Hyperion’s digital payments practice where he has specific responsibility for digital payments, open banking and tokenisation projects. He has worked on PSD2 and open banking projects for issuers, acquirers, international payments schemes, fraud solution providers and fintech companies and was specified tokenisation solutions for major industry players. Tim has 30 years’ experience in secure processing systems having worked in the payments, transit and digital identity sectors on solutions as diverse as transit ticketing key management, HCE and mobile payments, ICAO e-passports and travel cards, remote management of multi-application smart cards and, of course, EMV.

About Consult Hyperion

Consult Hyperion is an independent strategic and technical consultancy, based in the UK and US, specialising in secure electronic transactions. We help organisations around the world exploit new technologies to secure electronic payments and identity transaction services. From mobile payments and chip & PIN, to contactless ticketing and smart identity cards, we deliver value to our clients by supporting them in delivering their strategy. We define, develop, design and deliver.