Strong Customer Authentication (SCA) is a scant three months away. Will the EU be ready?

HourglassChances are it won’t come as much of a shock that the middle of September is about nine weeks away. Most years, that’s the usual interval between the middle of July and the middle of September. But this year, something promises to make the middle of September a little different: On the 14th, Strong Customer Authentication (SCA) becomes law in the European Union.

Of course, I’m writing from across the pond, where SCA doesn’t apply. But it’s worth following, even from afar. As the U.S. Congress steps up scrutiny of digital banking, it’s possible that they will watch the EU and draw inspiration from it.

In brief, SCA mandates two-party authentication for most card-not-present (CNP) e-commerce purchases. Finextra offers this description

SCA will require an extra layer of authentication for online payments. Where a card number and address once sufficed, customers will now be required to include at least two of the following three factors to do anything as simple as order a taxi or pay for a music streaming service. Something they know (like a password or PIN), something they own (like a token or smartphone), and something they are (like a fingerprint or biometric facial features).

The technology puts banks in the middle of the transaction and makes them responsible for the authentication. Not surprisingly, then, should a purchaser not satisfy two of the three requirements, a bank’s only course will be to reject the payment. Should that happen on a legit transaction, you can bet the bank will have on its hands an angry, frustrated customer who blames the bank.

Finextra continues:

The new rules are designed to protect European consumers from billions of euros in attempted online fraud … the European Central Bank now estimates around €1.3 billion in online fraud on European cards each year.

In the interest of not descending into the silly and annoying, there are instances in which SCA requirements are waived. These include transactions for less than a designated threshold, monthly subscriptions, business-to-business transactions, and transactions with businesses the accountholder has “white listed,” to name a few.

SCA is part of PSD2, short for Version 2 of the Payments Services Directive, which went into effect in January 2008. Nine years earlier, PSD1 standardized payments throughout the EU. Most notably, PSD2 has established that accounts belong to accountholders, not the financial institution where they reside; and it allows accountholders to authorize third party access to their accounts and data, otherwise known as open banking.

Initially, Visa went on record as not being a fan of SCA. Visa’s concern, the U.K.’s The Register reported at the time, was “…that making customers jump through more hoops to complete online transactions will result in increased cart abandonment rates, which will likely impact retailers’ bottom line.” 

It wasn’t an irrational argument. Direct marketers have long known that completion rates decrease with every step added to a transaction. Notwithstanding, there will be no putting off SCA. Last month, the European Banking Authority made that quite clear, stating, “the EBA is legally not able to postpone an application date that is set out in EU law.”  

Which is a little scary, given that it appears that many financial institutions and merchants in the EU aren’t ready. PMNTS.com recently reported

… banks are still underprepared. While banks continue to open their application programming interfaces (APIs) to third-party providers and FinTech firms, many are still in the dark when it comes to SCA. Merchant partners are also scrambling, with just 40 percent of merchants within the EU currently stating they will be ready by September 2019.

If I’m not mistaken, that’s another way of stating that 60 percent of merchants in the EU are currently not stating that they will be ready by September.

In March, Bobs Guide had this to say:

As many as 25% of Europe’s online merchants are unaware of strong customer authentication (SCA) requirements, due to come into force in September under the continent’s revised Payment Services Directive (PSD2). Of those who are aware of the rules, only 40% feel they will be compliant by the deadline. Both statistics point to serious change in the payments industry, say market participants. 

Noncompliance is no small infraction. It could mean the forfeiture of a payment provider’s license. For merchants, going into SCA ill prepared—to return to Visa’s earlier point—can lead to cart abandonment, which can cause a significant drop in sales.

Amid concerns, Finextra sounded this hopeful note: 

It’s not the first time Europe pioneers new standards in payments that reconcile security and convenience. Consider how it rolled out EMV standards over a decade ago to make chip and pin more or less ubiquitous on the continent, while the US is still playing catch-up to this day even. 

Speaking as a yank, I wish to respond to that statement about the U.S. playing catch-up: Ouch.

Leave a Comment