Late last month, an extension was granted for PSPs to comply with the new rules around authenticating customers online transactions. However, with fraudulent transactions on the rise, many banks are continued with their planned September roll-out. Find out what this delay means and how Strong Customer Authentication (SCA) aims to increase customer protection.
Fraud poses a major threat across the UK with £1.2 billion stolen through fraud and scams in 2018. Despite the Dedicated Card and Payment Crime Unit, a specialist police unit, preventing an additional £94.5 million of fraud in 2018, more proactive approach is required to successfully tackle these crimes (Source: UK Finance). In 2015 the EU Payments Services Directive (PSD2) was introduced to regulate payment services and payment service providers (PSPs). PSD2 aims to reduce the risk of electronic transaction fraud and to enhance the protection of customers data. This will be achieved through strong customer authentication (SCA) which requires all electronic transactions to identify the customer through two or more independent elements (Source: European Payments Council). PSPs are faced with the challenge of rolling out these SCA measures, whilst not impacting customer experience, by 14th September 2019. However, due to the complexity of this task, the European Banking Authority (EBA) has acknowledged that this deadline for CSA is unattainable and an extension has been granted. With this extension, it is now possible to step back and look at the task at hand, exploring why this delay has occurred, what this means for the future of the payments market, and how SCA can be successfully rolled out to combat fraud.
PSD2 & Strong Customer Authentication
Following the introduction of the Payment Services Directive (PSD) in 2005, the need for further regulation was recognised and in 2007 the revised Payment Services Directive (PSD2) was created. The European Payments Council defines the objectives of the PSD2 as fourfold:
- Make payments safer
- Increase consumer protection
- Foster innovation and competition
- Ensure a level playing field for all players – including new ones
Under SCA, PSPs must employ a multi-factor authentication process selecting two or more of the following independent elements:
- Knowledge – something only the user knows, such as a password or pin
- Possession – something only the user possesses, such as the card
- Inherence – something the user is, such as a fingerprint, face or voice recognition
Fraud losses on UK-issued cards totalled £671.4 million in 2018, a 19 per cent increase from £565.4 million in 2017 (Source: UK Finance). Despite the urgency of this matter, taking steps to overcome it is not always straightforward.
Early last month UK Finance, the trade association for UK banking and financial services sector, reported that research conducted indicates more than 75% of merchants are unaware of SCA requirements and less than 5% of merchants are currently using 3D Secure 2.1 (the technology required for applying SCA). Estimates suggest around 25-30% of transactions will fail as issuers will decline any non-3D secure transaction. With the 14th September deadline looming, the European Banking Authority (EBA) acknowledged the complexity of payment markets across Europe, the intricacy of SCA requirements, the lack of industry preparedness, and the potential of significant disruption for consumers, conceding the deadline for CSA is unattainable (Source: European Banking Authority).
Whilst the legal deadline for SCA compliance was the 14th September 2019, no enforcement action will be taken against firms who have not met the relevant SCA requirements provided there is evidence they have taken steps to comply. This extension is limited to card-not-present e-commerce transactions where neither the cardholder or credit card is physically present at the time of the transaction e.g. online purchases. For online banking the changes will be phased in from 14th September 2019 and completed by 14 March 2020. For online shopping, the FCA has agreed on a plan with card issuers, payment firms and online retailers that gives them 18 months up to March 2021 to implement SCA.
Tackling Fraud Through SCA
Although a reduction in fraud is viewed positively by all involved, getting there is not an easy journey. As this regulation applies to all parties involved in an e-commerce transaction, merchants must play their part to enable SCA. There may be a perceived negative impact of SCA as it slows down transactions, moving away from a smooth 1-click payment. Merchants are faced with two options:
- Trigger SCA, slowing down the purchase, protecting customers from fraud, and covering themselves from liability
- Bypass authentication and become liable for any fraudulent transactions but maintain a smoother purchase experience.
However, PSPs are aware of these challenges and are looking for ways to implement SCA that doesn’t significantly impact the customer experience.
One of the most popular tools will be 3D Secure 2. The previous version, 3D Secure, is used mainly for credit card transactions or in incidences of a high risk of fraud. This opens a new window with further details to be supplied such as a 3D Secure password. To meet SCA demand, the revised version of 3D Secure 2 will accept over 100 elements of data to assess on whether to allow a frictionless authentication. Furthermore, biometric authentication rather than knowledge authentication will be rolled out creating a smoother transaction for mobile users whilst fulfilling the SCA requirements through inherence.
Banks and credit card providers are also looking to roll out cards with dynamic card verification value (CVV). This replaces the three-digit security number on the back of the card with a dynamic CVV that changes periodically. The replacement of a static number with a dynamic number would mean that something the user possesses would refresh periodically and any fraudulent activity would require the new CVV which would only be accessible by the person in possession of the card.
In addition to the front-end, SCA customers are interacting with, a lot going on behind the scenes to support this. As part of the regulation, PSP’s are required to establish transaction monitoring mechanisms to enable them to detect unauthorised or fraudulent payment transactions. This could be achieved through a real-time risk analysis such as a fraud security layer utilising analytics to ‘risk-score’ authentication attempts. Furthermore, PSPs are required to document, periodically test, evaluate, and audit the security measures implemented in compliance with the SCA-RTS. This may result in increased customer awareness of banks fraud rates, and a move towards those whose rates are lower.
Gaining access to a victims account is the initial step in fraud. Pre 14th September 2019, banks were only required to authenticate the identity of those accessing the account via one method, such as login details. Today, customers will be required to supply two or more independent elements. The multi-factor authentication element of SCA ensures access to a potential victims account is that much harder.
The recent deadline extension and proposed managed rollout of strong customer authentication highlights the complexities of operating a payment market across the EU, not including the additional challenge of Brexit. These challenges are compounded by the presence of multiple stakeholders, in this case, payments and retail, public and private sectors. A key aim of PSD2 is to protect customers by making payments safer and more secure. With reports from UK Finance of fraud losses up 19% from 2017 this regulation is essential. SCA addresses this directly through the introduction of additional security authentications for transactions customers. Once successfully rolled out over the next 18 months, customers will be protected by a multifactor authentication system, likely backed by fraud security layer utilising analytics to ‘risk-score’ authentication attempts (Source: SAS) As SCA is a European-wide initiative, it is encouraging to see UK institutions operating at a European regulatory level whilst Brexit looms over the country.
Business Data Partners work closely with large retail and high street banks, assisting with PSD2 and SCA preparation and deployment. Our consultants have extensive experience working in regulatory environments. If you would like to speak to us about our regulatory consultancy services, please get in touch today.