Share this content
Online shopping

FCA delays strong customer authentication amid industry concerns

12th Aug 2019
Share this content

As the deadline for strong customer authentication, a new two-factor payment authentication to tackle online fraud, draws near, a payment industry body has called for an 18-month delay on the roll-out.

Strong customer authentication (SCA) will come into effect on 14 September 2019 and SCA means all European shoppers (including the UK) will have to double authenticate all online payments over €30 (£26.95). This includes credit transfer via online banking, standard ecommerce card payments, card payments at POS (chip and pin) and more.

The regulations, introduced under the EU’s revised payment services directive (PSD2), are attempting to address payment fraud. According to UK Finance, a banking and finance industry body representing more than 250 firms, unauthorised financial fraud losses totalled £844.8m in 2018.

But while SCA has been a long-time coming, its looming rollout has some in the payments industry spooked. With just eight weeks until implementation, the European Association of Payment Service Providers (EPSM) has called for a minimum 18-month delay to the introduction of SCA.

The 67-member organisation has warned of “significant market disruptions” and “a disaster for consumers and PSPs [payment service providers]” if there is no delay to allow the industry to get itself ready.

“EPSM recommends that additional timeframes of 18 months for standard applications and up to 36 months for challenging applications (eg in the travel and hospitality sector) across all regions should be agreed in a harmonised migration approach”.

For merchants, the potential impact of stricter authentication could damage bottom lines as friction at checkout causes consumers to abandon their goods. European businesses stand to lose an estimated €57bn in the first year after SCA implementation, according to research commissioned by payment service provider Stripe.

SCA is basically two-factor authentication, as you might have for your email account. SCA authentication needs at least two of the following three elements:

  • Something the customer knows (eg a password or PIN)

  • Something a customer has (eg a phone or hardware token)

  • Something the customer is (eg a fingerprint or face recognition)

For payment service providers (PSPs) and merchants, this additional security needs to be built into your checkout flow. This, EPSM said, will require time and a careful migration so as not to damage providers and businesses.

In response to these concerns, the European Banking Authority (EBA) said it was “legally not able to postpone an application date that is set out in EU law”. The body added that there had been “sufficient time” for the industry to prepare for the application date of SCA, “given that the definition of SCA had been set out in PSD2 when it was published in 2015”.

The EBA also noted that PSD2 already granted an additional 18-month period for the industry to implement SCA. There was, however, a ray of hope for the ill-prepared: the EBA has said there will be some “supervisory flexibility” for PSPs as long as they “have set up a migration plan, have agreed the plan with their [national competent authority] (NCA), and will execute the plan in an expedited manner”.

The UK’s NCA, the FCA, has leapt on this supervisory leeway, stating that while the legal deadline remains 14 September 2019, it “recognises the challenges in meeting this deadline and has been working with the industry to develop a plan to migrate the industry to implement SCA for card payments in e-commerce as soon as possible after this”.

“We aim to quickly agree a plan with stakeholders across the industry that encompasses a blueprint for compliance and readiness, a timetable for achieving this, and key milestones and targets to deliver improved security of customer authentication and fraud reduction along the way.

“Once the group has finalised the plan and we have agreed it, we expect all participants to meet the agreed milestones, targets and final delivery date.”

Replies (5)

Please login or register to join the discussion.

By SteveHa
13th Aug 2019 09:17

As a consumer, this is the first I've heard of this. It's all well and good taking a soft landing with business, but how about making the consumers aware?

Thanks (1)
Replying to SteveHa:
By andyscotland
15th Aug 2019 10:08

I think the major reason for that is that the precise detail of how it will work from the consumer side is largely down to the consumer's own bank.

And AIUI the vast majority of the UK banks haven't yet implemented anything.

In the short term, you'll probably start to see the existing 3D-secure / verified by visa / mastercard securecode / whatever your bank currently uses appearing more often when you shop online. So nothing will really change from the consumer perspective.

In the medium term if and when your bank actually implements changes to their process it will be up to them to make you aware. At the moment it seems there are some who haven't even decided what they'll do, so it's too soon for them to be able to tell their customers anything.

That said some are starting to lay the ground - e.g. when you log into Lloyds online there's a prompt "Get ready for extra security checks" which suggests you check they have an up to date mobile number on your account.

Thanks (0)
By ClaireB
15th Aug 2019 10:13

I'm not surprised. Earlier this week I called our bank with some queries about the company credit card and the answers they gave were woolly and uncertain, and for one particular question was completely at odds with the advice on their website.

I should think that a lot more education and clarification about processes will be required before this can be implemented without disruption to business.

Thanks (0)
By [email protected]
15th Aug 2019 10:17

Sorry, but I must be missing something here. For payments over £30 most of us (consumers and businesses) tend to use a debit or credit card; the card acts as the token and the pin is something the customer knows - 2 out of 3!

Thanks (0)
Replying to [email protected]:
By andyscotland
16th Aug 2019 10:46

If you are in-person, putting the card into a card reader and typing in the PIN then yes, that covers the "something you have, something you know".

However as it stands online, the card details are actually "something you know". Since you just type them into a form on a website, they don't prove you physically have the card with you. You could just as easily be a waiter who's written down the details on a bit of paper when it was out of your sight. Or a hacker that pinched the details off another website you've used in the past.

Banks originally added the CV2 (three digit number on the back of the card) as an early attempt to solve this. Companies aren't supposed to store that under any circumstances - and it doesn't come out on the old carbon copy card imprints shops used to make. So in theory if you get it right you must have the card. In practice it's just another few digits you type in, that are very easy to copy / steal / leak.

Hence in the new system banks will need to take something else as a "something you have" (or a "something you are").

Some will do that with the chip-and-pin card readers that they use for online banking. Technologically these are basically the same as the one in the shop. They generate a one-time code that can only be valid if you physically put the card in the machine and entered the right PIN. Although you then type the resulting number it into a web page it's still "something you have" because it can only ever be used to authorise that specific transaction.

Others will do it with a phone call or text that proves you have a pre-registered mobile phone in your possession. Unfortunately, mobile phone networks (SMS in particular) are very easy to mess with and it's hugely disappointing that banks have been allowed to consider them as an acceptable method. Apps on a phone are different as although they use the mobile network for data, they can do so securely in a way that is much harder to tamper with (making them more like the card-and-pin reader solution).

Thanks (0)