Back in summer 2019, the payments and ecommerce industries won a last-minute reprieve from UK regulators over the introduction of Strong Customer Authentication (SCA) -- getting an 18-month extension just four weeks from a planned deadline for its introduction. (SCA is effectively multi-factor authentication for the majority of online transactions over €30.) Not everyone was happy at industry's lack of readiness: The European Banking Authority (EBA) growled at the time that “sufficient time has been available for the industry to prepare for the application date of SCA, given that the definition of SCA had been set out in PSD2 when it was published in 2015, which gave clear indications that existing authentication approaches would need to be phased out.”
Today (March 14, 2022), the prevarication is over and SCA is mandatory, although the Financial Conduct Authority (FCA) added some exemptions in early 2021, for example that customers "do not need to reauthenticate every 90 days when accessing account information through an AISP" (Account Information Service Provider); an organisation authorised to retrieve account data provided by banks and financial institutions. The FCA has promoted early enforcement by issuers throughout February, which reportedly resulted in as much as 75% of payment traffic receiving a soft decline and being sent to 3DS (3d-Secure) for further authentication checks. Both merchants and payments providers will be looking at the impact closely in coming weeks...
All non-compliant transactions meanwhile will be declined from today. Merchants should be looking to make sure that they can support 3DS2; an authentication protocol that's a notable upgrade on the more ubiquitous 3DS1, which adds improved mobile authentication experiences, and collects more data for issuers.
Rene Hendriske of digital identity verification company Mitek was among those welcoming the belated Strong Customer Authentication introduciton, saying: "The convenience of open banking has a dark side: fraud is placing significant strain on the UK economy. Research suggests that the UK lost £2.5 billion in fraud and cyber-crime cases during 2021. SCA has forced banks to introduce new ways to fight fraud – from more complex logins for online and mobile banking, to regular identity checks. This all provides a greater safety layer against online fraud." (It's no panacea though and will not fix rampant push payment fraud. As The Stack reported last week, Lloyds for example is now treating the latter as an operational expense rather than an impairment.)
For ecommerce providers, the sheer heterogeneity of payments now (Paypal, Google Pay, Apple, Amazon Pay, Klarna, et al) means they need to be more flexible than ever) and ensuring friction-free transactions is a growing priority. As Galit Shani-Michel, VP Payments at Forter has noted: "The best performing merchants are those that realize that payments are no longer just a technical function, but an important revenue and profitability driver... [that] can help them drive additional profitability from well-designed, well-managed payment flows."
Maria Palmieri, Head of Public Policy at Yapily expects SCA to boost a rise in open banking-powered payments, noting: “As the card payment experience becomes more cumbersome, we can expect to see rising demand for alternative, one-click payment methods at the same time. Instant transfers made directly from one bank account to another via open banking, for example, are reducing the potential of card fraud as well as lengthy settlement times for the merchant. The direction of travel is clear; the new SCA rules are the latest indication of a growing shift in momentum away from cards towards more innovative, slicker payments processes."