For those still working to implement Strong Customer Authentication (SCA) to meet PSD2 requirements, the European Banking Authority (EBA) opinion on SCA could provide much-needed respite. But there are caveats. Agreeing with market sentiment, the EBA conceded that the market is widely unprepared to meet the 14 September 2019 deadline to implement SCA requirements, especially downstream actors such as merchants. In fact, the British Retail Consortium estimates 25%–30% of online purchases may fail when SCA measures are rolled out.
Since this blog was published, the EBA made the decision in October 2019 to revise the deadline from 14 September 2019 to a new date of 31 December 2020.
Flexibility on SCA Implementation Timeline
In an effort to avoid disruption to online transactions that do not meet the SCA requirements, the EBA agreed that Competent Authorities (CAs) may “decide to work with Payment Service Providers (PSPs) and relevant stakeholders, including merchants, to provide limited, additional time to allow issuers to migrate to authentication approaches compliant with SCA.” However, the EBA stressed that such delays will only be available when payment service providers:
- Set up a migration plan
- Have agreed to the migration plan with their CA
- Execute the plan in an expedited manner
In the UK, the Financial Conduct Authority (FCA) has already responded, commissioning UK Finance to propose an alternative timetable for implementation.
UK Finance are recommending a minimum 18-month delay to the introduction of SCA rules in the UK, with a further 1-year extension for the hospitality and travel sector.
These governing bodies hope this additional flexibility will help merchants handle the transition and ease disruption for consumers. So, while flexibility is being given, the EBA and CAs are making it clear both PSPs and merchants need to have a plan in place and be actively working to meet SCA requirements before the extended deadline.
In an update since the publication of this blog, in April 2020, the FCA confirmed it would delay the requirement for e-commerce firms to have implemented SCA until 14 September 2021.
3-D Secure is Out
The EBA also clarified 3-D Secure doesn’t qualify as an inherent factor and doesn’t meet SCA requirements. While 3-D Secure doesn’t currently satisfy any SCA requirements, it’s important to note the EBA is encouraging the use of such communication protocols to:
- Help ensure customer convenience
- Drive down fraud through data sharing
- Help in meeting transaction risk analysis requirements and gain exemptions to SCA
EBA on Exemptions
Driving down fraud rates and leveraging Transaction Risk Analysis (TRA) exemptions will be vital for merchants to retain control over the buyer’s journey. The EBA has agreed PSPs and merchants should be able to request SCA exemptions if they can attain target fraud rates. To be allowed the exemption based on TRA, the proposed solution must operate in real time and verify a transaction against anomalies in user behaviour. Checkpoints include the following:
- Previous spending patterns of the payer
- Payment transaction history of the payer
- Location of the payer and the payee at the time of the payment
- Previous use of the access device or the software provided to the payment service user for SCA
The table of exemptions is as follows:
| Exemption threshold value | Reference fraud rate (%), remote card-based payments |
|---|---|
| €250 | 0.01 – 0.06 |
| €100 | 0.06 – 0.13 |
PSPs and merchants will have to work much more collaboratively to reduce fraud in order to reach the highest exemption thresholds. But this could provide a major competitive advantage on a number of fronts, including:
- One-click shopping: Expedite payment processing for a higher volume of transactions (i.e., all transactions below €500 vs. only transactions below €30, which is the default exemption level)
- Cost savings: Reduce the overall number of transactions subject to higher cost SCA checks
- Reduced friction: Only step-up transactions to SCA that are above the exemption threshold or have risk signals present
TransUnion is uniquely suited to help businesses drive down fraud rates and maximize transaction risk analysis exemptions — while also providing an elegant, risk-based authentication solution to satisfy SCA requirements. By doing so, we help you strike a balance between meeting compliance and delivering a friction-right customer experience.
We combine iovation®, our lightweight, transparent customer authentication solution, with iovation FraudForce, a real-time risk insight and fraud prevention solution, to confidently identify returning devices and check for risk signals that could indicate fraud.
Our deep device intelligence allows us to provide real-time data on the location of the payer and payee at time of payment, and determine previous use of the access device provided to the payment service user for SCA. This intelligence, coupled with your data on previous spending patterns of the payer, allows your business to confidently decide to accept, deny or review each transaction. In this way, you can lower your fraud rate, reduce the overall number of transactions subject to SCA and increase customer satisfaction.