UK businesses at risk due to PSD2 security standard myths re-emerging
I have been on a bit of a roll this week when it comes to the security around PSD2. The announcement that the FCA was given permission to give extensions to companies implementing Strong Customer Authentication (SCA) was a gentle reminder to me that a major deadline was close.
I have also blogged this week about how human behaviour could provide weak links in security as a result of PSD2, and received a guest blog about how banks are falling short on open banking security.
Here is another opinion article. Here Paul Adams, director of acquiring at Barclaycard Payment Solutions, shares his thoughts on meeting the SCA standard and gives detailed advice to companies that will have to meet the standard.
SCA: Setting the record straight and making the most of the new payments regulation
By Paul Adams,
Ever since Strong Customer Authentication (SCA) was first announced as part of PSD2 in 2015, we have seen a number of myths and inaccuracies floating around the industry. While general awareness and understanding has certainly improved over the past four years, the recent opinion published by the European Banking Authority (EBA), which gave the FCA, CBOI, and their European counterparts more flexibility to grant SCA deadline extensions, has resulted in a resurgence of some of these myths, some of which are placing UK businesses at risk.
Businesses understand the impending changes – not only around how and when to prepare for the transition deadlines, but also how to think about SCA differently, in order to turn it into a strategic advantage.
Be the Ant, not the Grasshopper: The SCA deadline is still September 14
The most dangerous myth we’re seeing at the moment is that some businesses have taken the EBA’s announcement as an excuse to take their foot off the gas when it comes to complying with the new legislation, in anticipation of a deadline extension.
In reality, while the EBA’s announcement does give the FCA and CBOI more flexibility to grant deadline extensions in the UK and Ireland, right now the compliance deadline of 14 September has not changed. What’s more, if the FCA and CBOI do decide to extend the deadline for certain SCA activities, they will need to set out clear compliance roadmaps, and we expect 3-D secure version 2 (3DS2) to be one of the first milestones for which businesses are held accountable.
Therefore, any businesses pushing compliance down their list of priorities could be lulling themselves into a false sense of security.
It is of the utmost importance that businesses continue to push towards preparing themselves for SCA, in particular by embedding 3DS2 into their payment journeys, in order to avoid a situation where they have too much to do, in too little time. If they don’t comply in time, there’s a very real risk that they could start seeing their customers’ transactions automatically declined.
Is this the end of One Time Passcodes (OTPs)?
Prior to the EBA’s announcement, many issuers had been planning to send One Time Passcodes (OTPs) via SMS to customers going through SCA. With SCA requiring consumers two provide two out of three of ‘something they know’, ‘something they have’, and ‘something they are’, it was generally thought that OTPs would qualify as ‘something they know’, which could then be used in conjunction with a ‘something they have’, such as credit card details, to pass through SCA successfully.
However, the EBA announcement also made it clear that OTPs would qualify as a possession factor, rather than a knowledge factor, which means that OTPs and credit card details now fall under the same category. As a result, those two methods can no longer be used in isolation in order to pass SCA.
This has had a major impact on the banks / issuers who had been hoping to offer OTP as one of their authentication methods. Those providers now need to review their remaining authentication journeys to make sure that they are still able to provide their entire customer base with a compliant solution. If the removal of OTP leaves a gap for certain customers, they may need to build and promote another method, e.g. biometrics.
The knock-on impact this could have on merchants is that if an issuer hasn’t properly promoted their compliant SCA solution, or hasn’t designed a slick authentication journey, merchants could see an increase in that issuer’s customers abandoning their baskets.
However, that doesn’t mean that OTPs will disappear overnight – they do still have value in keeping fraud low. For now, we expect many issuers to continue using OTPs at a possession factor, at least until consumers are more comfortable with newer and better authentication methods.
New complexities for multi-national businesses
Before the recent EBA announcement, all merchants, issuers and acquirers were working towards the same, pan-European compliance date – September 14. However, the EBA’s recent announcement means that the FCA, CBOI and each of their European counterparts have the flexibility to impose their own compliance deadlines and country-specific exceptions. While that might seem to make sense at an in-country level, this has the potential to cause quite a lot of confusion.
For merchants operating in more than one country, things could get complicated quickly, because they could be subject to multiple overlapping deadlines. At Barclaycard, we believe that a harmonised, pan-European approach would benefit both merchants and consumers, and we will continue to advocate for that with the help of key industry stakeholders and regulators.
Having said that, the best thing that merchants can do to minimise any cross-European complexity will be to keep working towards becoming SCA compliant ahead of September 14.
Challenging the customer experience myth
Alongside misconceptions around the implementation deadline, we have also seen concerns that SCA will have a detrimental impact on business revenue.
First of all, it’s important to note that these concerns are not entirely unfounded – while the primary purpose of SCA remains to tackle cybercrime, SCA will introduce friction into the shopper journey, and this friction could lead to an increase in basket abandonment, resulting in a decline in sales.
However, a lot of that fear stems from people’s personal experiences with the current 3-D secure authentication technology, known as 3DS1. While innovative when it first launched, by today’s standards 3DS1 has started to feel clunky, and its use of pop-up windows might seem suspicious to those who equate pop-ups with spam and phishing. It’s fair to say that 3DS1 has been rendered obsolete by the technology changes and security risks that brought about strong customer authentication in the first place.
As a result, the prospect of more customers being asked to authenticate themselves could understandably be alarming. However, the good news is that are two reasons why businesses don’t need to panic.
The first is that the payments industry has designed a new iteration of 3-D secure, known as 3DS2, and this newer version uses much more advanced infrastructure, and is far more dynamic and streamlined than its predecessor. This should mean that the 3DS2 authentication experience will be much smoother than with 3DS1, meaning that customers won’t feel as much of a break in the payment journey.
The second reason is that there are proactive steps that businesses can take to reduce the volume of their customers’ transactions that require full authentication, thereby taking away that additional friction.
That’s because, under SCA, certain types of transactions are exempt from full authentication, as long as certain criteria are met. Examples of exemptions include low value transactions, low risk transactions and transactions with merchants that the consumer has ‘white-listed’ with their credit card issuer / bank.
Businesses hoping to turn SCA into a strategic advantage should maximise and optimise their use of these exemptions, and in order to do that they should consider partnering with a trusted payments services provider to apply those exemptions on their behalf, once SCA comes into force.
Preparing your business for SCA success
As we approach the September deadline, it’s time to rethink SCA and re-evaluate the fears surrounding the new system. If solutions are implemented promptly and correctly, both consumers and businesses should see significant benefits.
Our advice to clients is to keep working towards embedding the new 3DS2 authentication technology into their payment journeys, and to speak to their payment acceptance / gateway provider if they have any questions. In addition, retailers should already be thinking about how to maximise their use of SCA exemptions, in order to minimise customer friction.