By Natasja Bolton, Senior Acquirer Support QSA
Our article of February 2016 discussed upcoming EU requirements for Strong Customer Authentication (SCA). At the time, the European Banking Authority (EBA) had not yet released the implementation requirements for SCA: the Regulatory Technical Standards (RTS). Now, with the revised EU Payment Services Directive (PSD2) having come into effect in January this year, to be followed by the security measures and SCA requirements of the RTS in September 2019, it seems timely to revisit this topic.
SCA is about increasing consumer protection and is one of the major implications of PSD2. For a high-level explanation of PSD2 see this European Payments Council infographic. SCA means robustly authenticating the identity of the cardholder or consumer to better protect them from fraudulent or mistaken payment transactions. Reduced fraud will give both parties involved in an ecommerce transaction (the consumer – payer – and merchant business – payee) greater confidence in transacting online and thereby promote the continued growth of ecommerce.
In this guide to SCA we explore: what it is and why it is being introduced, who is responsible for it and what your business and your merchant customers can do to minimise the potential impacts of SCA.
What is SCA?
○ Strong authentication means authentication based on the use of at least two of the following factors:
○ Knowledge – something only the user knows, e.g. a password or a PIN
○ Possession – something only the user possesses, e.g. the card, their mobile device, or an authentication code/key/certificate/token
○ Inherence – something the user is, e.g. the use of a fingerprint, eye, or voice recognition
○ All factors must be independent (the breach of one factor does not compromise the reliability of the others), and designed in such a way as to protect the confidentiality of the authentication data.
SCA is an authentication process that validates the identity of the user of a payment service, or of the payment transaction.
SCA is required where the user (consumer) seeks to:
- Access his/her payment account online;
- Initiate an electronic payment transaction;
- Carry out any action through a remote channel which may imply a risk of payment fraud or other abuses, including online or mobile payments.
Successful authentication must result in the generation of an authentication code that is used by the authenticated user (consumer) to access their payment account and to make online payments. This dynamically generated code must be linked to the payment transaction amount and recipient and may only be accepted once by the payment service provider (PSP). This adds further protection from mistakes or fraudulent activity for the user.
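The three properties described above (a dynamically generated code, linked to the amount and the recipient, accepted only once) can be illustrated with a short sketch. This is an added example, not code from the article or the RTS; the HMAC-SHA256 construction and the names `AuthCodeIssuer` and `merchant-123` are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets


class AuthCodeIssuer:
    """Hypothetical PSP-side component (illustrative names, not from the RTS)."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()  # nonces of codes issued but not yet redeemed

    def _mac(self, nonce, amount_cents, currency, payee) -> str:
        # Length-prefix every field so adjacent fields cannot be shifted
        # into one another to produce the same MAC input.
        fields = [nonce, str(amount_cents), currency, payee]
        msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode()
                       for f in fields)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, amount_cents, currency, payee) -> str:
        """Call only after the payer has passed two-factor authentication."""
        nonce = secrets.token_hex(16)  # fresh per transaction: "dynamic"
        self._pending.add(nonce)
        return f"{nonce}.{self._mac(nonce, amount_cents, currency, payee)}"

    def redeem(self, code, amount_cents, currency, payee) -> bool:
        nonce, _, tag = code.partition(".")
        expected = self._mac(nonce, amount_cents, currency, payee)
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return False  # amount or payee differs from what was authenticated
        if nonce not in self._pending:
            return False  # unknown code, or one that was already accepted
        self._pending.remove(nonce)  # single use: burn on first acceptance
        return True


def demo():
    # Constructed sample transaction: EUR 49.99 to a made-up payee id.
    psp = AuthCodeIssuer(secrets.token_bytes(32))
    code = psp.issue(4999, "EUR", "merchant-123")
    return {
        "tampered_amount": psp.redeem(code, 94999, "EUR", "merchant-123"),
        "tampered_payee": psp.redeem(code, 4999, "EUR", "other-payee"),
        "genuine": psp.redeem(code, 4999, "EUR", "merchant-123"),
        "replay": psp.redeem(code, 4999, "EUR", "merchant-123"),
    }
```

Only the genuine, first-time presentation is accepted; a changed amount, a changed payee and a replay of the same code are all refused.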
Who does SCA apply to?
The responsibility for authenticating the user (consumer) lies with the Payment Service Providers (PSPs): the acquirer or PSP of the merchant being paid (payee) and the issuer or PSP of the consumer’s (payer’s) payment instrument. It is expected that the merchant’s PSP will initiate SCA because if the payee (or their PSP) fails to accept SCA they must refund the financial damage caused to the payer’s PSP, e.g. in the event of a fraudulent transaction. The consumer’s PSP can still insist upon SCA if it is not initiated by the payee, as the payer is only liable for any financial losses if they have acted fraudulently. The burden of SCA is therefore on the PSPs, who will need to put in place the necessary infrastructure and security measures to be able to support the procedures specified for strong customer authentication.
PSPs will also need to improve their existing fraud monitoring mechanisms to be able to keep their fraud rates below the reference ‘Exemption Threshold Value’ (‘ETV’) levels specified in the RTS and to be able to support transaction monitoring and real-time risk analysis. Only with these mechanisms in place will the PSP be able to maximise the number of transactions eligible for the low-risk exemption to SCA, transactions where the consumer (payer) would not need to be asked to strongly authenticate.
It should be noted that PSD2’s scope does include payments to and from third countries, outside of the EU, where one of the PSPs is located in the EU: “PSD2 starts impacting a PSP as soon as funds are credited to a clearing account of one of its entities domiciled in the EU, and the required information becomes available to this entity (for inbound payments); or until the clearing account is debited (for outbound payments)”.
While the responsibility for SCA sits with the PSPs, that is not to say that merchant businesses will not be impacted. They may need to update their technologies and amend the integration of the payment methods they accept to enable SCA by their PSP for their customers’ transactions. In addition, merchant businesses who only set up an entity in Europe to be able to work with and benefit from a European acquirer may now want to weigh up the advantages of this vs. the demands and potential impacts of SCA.
When is SCA needed?
As mentioned above, the intent of SCA is not only to reduce online payments fraud but also to increase consumer trust and “foster the development of e-commerce”; however, SCA is not required for every electronic payment transaction. To ensure that SCA is used proportionally, taking into account both the risk involved in each transaction and existing alternative authentication mechanisms, the RTS establishes a number of exemptions when PSPs do not need to apply SCA.
The most relevant of those exemptions to Internet businesses are:
- Trusted beneficiaries – payers can create a list of trusted beneficiaries (payees), which requires SCA. SCA need not be applied again for payments to an already created trusted beneficiary.
- Recurring transactions – SCA is not needed where a payer makes a series of recurring payments for the same amount to the same payee. SCA is applied to the consumer’s first payment to the business but not to subsequent payments.
- Low-value transactions – The payer of a remote electronic payment transaction will be exempted from SCA when the transaction amount does not exceed €30 and the cumulative amount or number of remote electronic payment transactions since the last SCA does not exceed €100 or 5 consecutive payment transactions.
- Low risk transactions – PSPs are required to have transaction monitoring mechanisms in place. SCA need not be applied to remote electronic payment transactions if the PSP’s transaction monitoring identifies the transaction as low risk. The RTS defines the conditions under which a transaction may be considered to pose a low level of risk. These conditions include the PSP’s fraud rate for the type of transaction, the ETV for the fraud rate, and the PSP’s real-time risk analysis (including abnormal spending or behavior of the payer, their previous spending patterns, location of payer and payee).
(For a full list of exemptions see: http://ec.europa.eu/finance/docs/level-2-measures/psd2-rts-2017-7782_en.pdf, Chapter III, Exemptions from Strong Customer Authentication)
The intent of the available exemptions is to minimise the ‘friction’ and disruption that SCA may introduce into the checkout/payment process, since it may not be necessary or convenient to request the same level of security for all payment transactions.
What does SCA mean for merchant businesses?
SCA opens up a number of opportunities for merchant businesses and brings them a number of benefits:
- Increased competition between PSPs, giving them more choice of providers
- Consequently, this should expand the methods of payment the merchant business can accept
- Reduced volume of fraudulent transactions
- Increased customer trust
- Potential boost in sales
There are some disadvantages however, at least during the early stages of SCA implementation and enforcement, and some actions businesses must take to realise the benefits of SCA.
- Updates to technologies and platforms may be needed in order to integrate their PSP’s SCA methods
- SCA has the potential to impact ecommerce conversion rates; therefore, the merchant businesses, their ecommerce providers and PSPs will need to work together to ensure a smooth, ‘low friction’ consumer checkout experience
- The PSP’s fraud rates will have a significant impact on the volume of transactions requiring SCA; therefore, astute merchant businesses will want to consider this a significant factor when selecting their PSP. A low fraud rate means the PSP can maximise the use of low-risk exemptions to SCA, minimising the number of payer ‘challenges’ and hence the disruption to the customer experience at checkout.
What does SCA mean for acquirers, issuers and payment service providers?
The basic requirement for PSPs is support for SCA. A PSP that does not support SCA will be subject to penalties levied by the regulatory authorities. PSPs will also need to make sure they have the most effective transaction monitoring, risk analysis and fraud controls possible, to keep their fraud levels low and consequently be able to keep application of SCA to a minimum. As was noted above, a PSP’s ability to accept as many transactions as possible without SCA will help their merchant customers create a more frictionless consumer buying experience and maximise conversion. Therefore, it is expected that merchants will be drawn to those PSPs that can minimise the number of their transactions that require the consumer challenge of SCA.
PSPs may well find there is a balancing act to be achieved between servicing lower risk merchant businesses versus higher risk merchants. Those higher risk merchant businesses typically imply that while higher margins can be earned there are also higher levels of fraud. That may push the PSP’s fraud rate above the threshold levels (ETV), impacting their ability to use the low-risk exemptions to SCA and the benefit of high conversion that this can offer merchants.
The implementation of PSD2 will have noticeable consumer and merchant impacts – both parties will have more payment options and, through the application of SCA, a reduced risk of fraud. Now is the time to make sure your risk analysis and fraud management capabilities can support those changes while also engaging with your merchant customers to make them aware of these changes so that they are ready for the changes they will need to make to support SCA thereby minimising the impact on their customers while also taking full advantage of the benefits PSD2