The payments space is changing, and with that, so are the security regulations around it.
To remain hygienic throughout the pandemic, most stores will only accept contactless payment. This move comes on the back of payment habits in a pre-pandemic world. In 2019, there was an uptick in card payments, with many claiming that the UK were en-route to going cashless anyway. In 2020 because of Covid, cash payments also dropped by a further 40%.
To keep up with the growing stream of payments, security measures must be ramped up and will need to be of a high standard. This is where the European Banking Authority’s decision to roll out its Strong Customer Authentication (SCA) regulation comes in.
In September 2019, the Financial Conduct Authority decided to manage the implementation of Strong Customer Authentication during 2021. This is in direct opposition to other European countries that have already attempted to put the new regulation in place by the end of 2020.
SCA was designed to further reduce fraud and protect customers who shop online. With e-commerce expected to rise by 276.9% globally until 2023, and new payment methods on the horizon, it was important to make sure that the user's identity is protected when making transactions.
What exactly is Strong Customer Authentication (SCA)?
SCA was originally mandated by the Revised Directive on Payment Services. It means that merchants have to integrate a two-factor-authentication (2FA) solution into their transactions in order to authenticate payments.
The European Union (EU) is eager to fully implement the PSD2 Strong Customer Authentication (SCA) standards this year.
The initial thought behind the new legislation was to make the use of Open Banking for customers easier, and to help fintechs present the users with sleek and secure financial alternatives.
What exactly is going to change?
In the past, customers would pay using only their card number and their CVC verification code.
At the moment, card providers are using an authentication tool called 3D Secure 1. It works based on a code entered when doing an online payment. This is to make sure that the user really is who they say they are. With 3D Secure 2, SCA Information is being collected at the time and place of the transaction.
Now with the new PSD2 regulation which encompasses SCA, the customer will be required to provide further identification information.
SCA uses dynamic data to prove the authenticity of the user. Customers can now combine,
- ‘Something they know’ such as a password, pin, number series or secret question along with;
- ‘Something that they own’, such as a smartwatch, phone, smartcard, token or a badge;
- and on top of that, the user must add ‘something personal’ such as a fingerprint, face ID, voice imprint or DNA signature.
This is called multi-factor authentication.
With SCA and 3DS2, dynamic data points are used to confirm the identity of the user. Even though the number of authentication points is higher, the possibility of choice for the customers leads to a better authentication experience and fewer drop-offs from going through the payment process.
Are there any exceptions?
There are some exceptions for transactions that involve small amounts which carry a smaller risk. Plus, transactions that recur do not require more than one strong customer authentication action. If customers add companies to a whitelist of trusted payees, they can also pay those without having to go through 3D Secure verification and paying fees.
What will happen to the user experience with 3D Secure 1 now that we have SCA?
Thanks to Strong Customer Authentication, the clunky 3D Secure 1 will be optimised. Instead of generating passwords, the user can now authenticate simply with a smile or a fingerprint. 3DS2 uses APIs to exchange the authentication data with banks and integrate it into websites and applications seamlessly while also fulfilling the SCA requirements.
What are the downsides of SCA?
It could create frustration and cause delayed or abandoned transactions as more authentication steps are required to complete payments.
Many businesses are not ready for the SCA deadline or do not fully understand all the responsibilities. If they haven't implemented SCA in time, they will potentially face a decline in sales, as the customers will not be authenticated and won’t be able to transfer money.
Furthermore customers who rarely buy goods and services online and who are looking for an efficient customer experience might not like a huge authentication process. This could lead to disappointment and lack of motivation when facing the multiple authentication steps of SCA.
Our thoughts on SCA
At Fractal, we are glad that the implementation of SCA will reduce the risk of fraudulent payments. Over 3.4 million people are victims of fraud every year in the UK. As we move into the payments space, SCA is something we are considering through every step of our building process in-house. Although regulation is feared by some, we look forward to seeing how SCA will further improve the trust between customers and the fintechs handling their money.
To find out more on Fractal’s thoughts on SCA, please contact us at firstname.lastname@example.org.
We believe in having high standards of security which you can find out more about at our Security Page. As Fractal steps into the payments space with our own QR payments app, we would love to invite early testers (small businesses) who are keen to pay fewer, lower fees, and receive instant settlement in their bank to sign up to our waiting list to test the app.
To find out about our SMART initiative helping sole traders and small businesses, our partnership with untied following our BCR Capability and Innovation Pool E win, or if you are interested in partnering with us to create new SME-focused solutions using our APIs, you can contact us our Commercial Lead, Louis, at email@example.com.
About Fractal: Fractal is a platform-as-a-service that is reinventing how Small-Medium-Enterprises (SMEs) execute payments and access financial services.
Fractal helps financial institutions (FI) and their SME clients save money by providing a smarter payments engine and an insights platform to deliver the right product, to the right SME, at the right time.