One of the key points of PSD2 is the new authentication protocol that it establishes for online payment services. This protocol is known as Strong Customer Authentication or SCA, and it introduces a series of new authentication requirements with the goal of increasing the security of online payment services.
To get a better understanding of SCA, we spoke with Marc Nieto Fradera. Marc is an economist with an MBA from Georgetown University and ESADE, and the CEO and co-founder of MPServices, a consultancy that specializes in fraud prevention and management for e-commerce companies. Marc is also the designated expert on Payment and Fraud at aDigital, the Spanish Association of the Digital Economy, and a member of the European Payments Council.
In general terms, what is Strong Customer Authentication?
When the Second Payment Directive was created, several objectives related to the online and offline payments ecosystem were defined. One of the priorities was to increase the trust of users and consumers in the strength and security of online payments. Strong Customer Authentication was created to offer users a framework of guarantees for payment services.
SCA is a two-step (also known as two-factor) authentication system that under PSD2 is mandatory for processes in which users access their account online, initiate an electronic payment transaction, or make a remote transaction that presents a risk of fraud.
The protocol establishes that authentication must be carried out with two different factors out of a potential three, with those three being possession, knowledge, and inherence. In this context, possession represents something the user owns, such as their phone, knowledge represents something they know, such as a password, and inherence represents something intrinsic, such as a retinal scan or fingerprint.
Therefore, SCA represents a more robust (and complex) authentication process that adds another level of security to Europe’s payments ecosystem.
What is the origin of the protocol and why is it becoming relevant now?
The protocol’s details are defined by the Regulatory Technical Standards that have been set by the European Banking Authority (EBA) over the last few years. The EBA is responsible for determining what technologies, factors, and processes are regulatory-compliant.
It has become especially important over the last few months because the date for its theoretical implementation is September 14, 2019, right after everyone returns from summer vacation. However, many of the different stakeholders in the value chain are not ready yet, so they are articulating a practical moratorium that will delay the implementation of SCA beyond September 14.
How does SCA fit into PSD2?
The objective of Strong Customer Authentication is to provide an additional layer of security to online transactions. It provides greater robustness to account access and online payments and makes fraud and identity theft more difficult.
For example, fraud in online sales in Spain currently stands at 0.2% of the market’s total, but with the implementation of the SCA there are estimates that it can be reduced to one-tenth of its current value.
However, there is also a fear that the increase in security will negatively impact user experience and therefore reduce conversion rates for online businesses, driving down sales.
Authentication requirements under PSD2 are still being decided by regulators. What are the most important friction points?
There’s been a lot of controversy around authentication factors. The EBA has put out many opinions and responses to the different market stakeholders to clarify concepts. The last one came out in June, very late given that SCA is supposed to come into effect in September.
Regarding the EBA’s opinions, a certain decision has been especially critical in the need to implement the moratorium we mentioned earlier. According to the EBA, credit/debit card data doesn’t count as an authentication factor. That is, the card number, expiration date and CVV don’t count towards the possession or knowledge factors and therefore can’t be used by the user to access services.
Most banks were hoping to authenticate users using the card data and a One Time Password (OTP), but according to the EBA this is insufficient, which means that stakeholders now need to develop alternatives.
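As an added illustration (not from the interview, and not any bank's or PSP's code), here is a small Python check that models the rule described above: two distinct categories out of possession, knowledge and inherence, with card number, expiry and CVV counting for none of them, so that card data plus an OTP fails while password plus OTP passes. The element names and their category assignments are assumptions for the example.

```python
"""Toy SCA factor check (illustrative, not a PSP implementation).

Encodes two points from the text: SCA needs two *different* categories
(possession, knowledge, inherence), and, per the EBA opinion, card number,
expiry date and CVV count for none of them.
"""
from __future__ import annotations

# Assumed mapping from authentication element to SCA factor category.
# Card data is deliberately mapped to None: the EBA says it is not a factor.
FACTOR_OF: dict[str, str | None] = {
    "password": "knowledge",
    "pin": "knowledge",
    "otp_to_registered_phone": "possession",  # OTP delivered to a device the user owns
    "banking_app_on_registered_device": "possession",
    "fingerprint": "inherence",
    "face_scan": "inherence",
    "card_number": None,
    "card_expiry": None,
    "card_cvv": None,
}


def factor_categories(elements: list[str]) -> set[str]:
    """Return the distinct SCA categories covered by the supplied elements."""
    categories: set[str] = set()
    for element in elements:
        if element not in FACTOR_OF:
            raise ValueError(f"unknown authentication element: {element}")
        category = FACTOR_OF[element]
        if category is not None:  # card data contributes nothing
            categories.add(category)
    return categories


def is_sca_compliant(elements: list[str]) -> bool:
    """True only when at least two independent categories are present."""
    return len(factor_categories(elements)) >= 2


if __name__ == "__main__":
    # Constructed scenarios: the bank plan from the text vs. compliant alternatives.
    scenarios = {
        "card data + OTP": ["card_number", "card_expiry", "card_cvv", "otp_to_registered_phone"],
        "password + PIN (same category twice)": ["password", "pin"],
        "password + OTP": ["password", "otp_to_registered_phone"],
        "fingerprint + banking app": ["fingerprint", "banking_app_on_registered_device"],
    }
    for name, elems in scenarios.items():
        print(f"{name}: {sorted(factor_categories(elems))} -> {is_sca_compliant(elems)}")
```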
What are the biggest changes companies will need to make to accommodate SCA?
My recommendation would be to make an effort to stay on top of things. Try to get information from PSPs, acquirers and relevant associations from each market sector.
It’s possible that a Europe-wide 18-month moratorium is applied, but the specifics such as timing, metrics that will be used, and other details still haven’t been determined. Right now there are a lot of uncertainties, which means we are in for a few months that may be somewhat unstable.
If there is a moratorium, how will it affect the rollout of PSD2 and the different players in the market?
From an e-commerce perspective, I honestly think there’s no alternative to having a moratorium. Not doing so would mean going back two years in terms of turnover. However, this situation obviously gives extra time to those operators (acquirers, issuers, shops that were not prepared) and possibly gives enough time for players to be located. It is not so much about “being prepared” in the general sense, but more about “how am I prepared.”
Strong Customer Authentication can be a catalyst that helps businesses differentiate themselves in the market. Operators that provide more value by taking advantage of the opportunities offered by SCA will have an advantage over those that will be dedicated to simply managing transactions. In the issuance market there are opportunities in the management of exceptions in RBA; in acquisition, in how fraud is managed and therefore in the level of TRA it can offer; and for the PSP, in routing and in maximizing opportunities for merchants. I believe that it is an opportunity for those operators who are looking to add value.