Readiness for Strong Customer Authentication (SCA)

Without a smooth and successful implementation by the industry, there is significant risk that Strong Customer Authentication (SCA) will lead to disruption and to an adverse impact on consumer confidence in retail payments.

Many businesses lack awareness of the changes that SCA will bring to payment processes, and the absence of a UK-wide consumer communications plan, such as the one that supported the roll-out of chip-and-pin in 2006, is cause for concern. So far, merchants have been advised to discuss SCA readiness with their acquirers and bank equipment manufacturers and to have a version of 3D Secure in place for online transactions, but further, more detailed communication, is lacking. Any communications plan has been stalled by a lack of clarity and consistency emanating from UK payment system providers on the technical infrastructural upgrades required, the application of SCA exemptions for certain transactions, and the detail of how important solutions like 3D Secure will be employed. Merchants have worked in partnership with UK Finance, card schemes, and other payment service providers to resolve the many outstanding issues; however, progress has been slow.

The approaching cliff edge

Most online purchases in the UK are made by credit or debit cards. Following the 14th September deadline, it is unlikely that a business will be able to receive payment for goods or services by card without a version of 3D Secure (i.e. Verified by Visa, Mastercard SecureCode, AmEx Safekey). And, since it’s not an overnight solution, merchants will need to plan and prepare well ahead of the September deadline to continue operating.

All online trading businesses must understand that they are likely to need 3D Secure, and all businesses and consumers need to know how to use it. However, public information remains limited on 3D Secure, how it works, and what to do if or when it doesn’t work. For example, what information will customers receive to complete a payment with 3D Secure? How will it be delivered? What is the risk of it being intercepted and what steps can be taken to prevent it? What are the functions and requirements of each version of 3D Secure across important factors like speed, conversion, or exemptions? Can customers choose what information they receive and how they receive it? Are there defaults in place for when things go wrong (for example, technical or accessibility issues)? What options are open to businesses in the case of system failures depending on where those system failures lie? Similarly, what protocols are in place to ensure operational resilience? Are any of these being applied consistently by payment system providers? How will all this be communicated to businesses and consumers?

Exemptions

Exemptions could apply to certain types of transactions, removing the need for SCA. However, further clarification is required today on how each of these will be applied:

Transaction Risk Analysis (TRA) involves a series of behind the scenes measures to check that customers are who they say they are, measures that could replace SCA in some situations. Whilst several payment service providers have given advice, it is card issuers that ultimately decide to ‘step-up’ a transaction for SCA, and it has been very unclear whether this will be applied consistently across payment service providers;

 ‘Whitelisting’ is a tool that customers could use to register merchants as trusted beneficiaries, but it is very unclear how this process will work and whether this will be applied consistently across payment service providers. In any case, it has been suggested that this exemption can only be applied whereby businesses have a specific version of 3D Secure;

Merchant Initiated Transactions (MITs) are not subject to SCA after the first transaction, yet it has been very unclear as to what constitutes an MIT and whether this will be applied consistently across payment service providers.

Face-to-face transactions

The impact on face-to-face transactions is limited because contactless transactions (max. GBP 30) fall below the threshold to which SCA applies, whilst chip-and-pin and Higher Value Payments with a phone or wearable device are already SCA compliant; however, some older Pin Entry Devices (PEDs) may be affected. Merchants are yet to receive clear information from their acquirers or terminal providers on what changes they will be required to make to payment terminals, and what changes they may choose to make.

Costs

The additional cost of these solutions is a further concern for end-users of the payment system. The use of 3D Secure is likely to come at an additional cost to merchants, and there is a concern that confusion over SCA will enable acquirers to upsell inappropriate solutions. Excessive card fees and charges are ultimately paid for by the consumer in the cost of goods and services. Merchants have already provided Government and regulators in the UK and in Brussels with ample evidence of excessive card payment fees and charges prior to these new developments. Merchants and consumers are now looking to the EU for the regulation of all card fees and charges through the revision of the Interchange Fee Regulation (IFR).

Action needed

It would be a matter of utmost concern if full implementation of SCA were allowed to proceed on 14th September. We are calling on the FCA to deliver a managed roll-out of SCA in the UK involving a two-year enforcement moratorium, or non-active supervisory period, that provides the breathing space to ensure readiness across a range of metrics set out below. A review should then be carried-out three to six months prior to active enforcement, reporting progress against these readiness metrics and defining whether further time is needed. A managed rollout period will have no negative impact on security and avoid a situation in which the opportunity for fraud is increased by the confused scramble to meet the September deadline.

About Andrew Cregan

Andrew coordinates industry engagement with Government, regulators, and providers on matters relating to retail payments and consumer credit, and acts as a spokesperson for the industry. He has led the industry response to the IFR, PSD2 and domestic initiatives, including the Payments Strategy.

About British Retail Consortium

The BRC campaigns for the retail industry and is the authoritative voice of retail, recognised for powerful campaigning and influence within Government and as a provider of in-depth retail information. The BRC leads the industry and works with their members to tell the story of retail, shape debates, and influence issues and opportunities which will help make that positive difference.

This editorial was first published in our Payment Methods Report 2019 – Innovations in the Way We Pay, which provides a comprehensive overview of the up-to-the-minute trends, updates, and innovations in the payments space worldwide, depicting the key developments in the way people pay.