FCA delays strong customer authentication amid industry concerns
As the deadline for strong customer authentication, a new two-factor payment authentication requirement intended to tackle online fraud, draws near, a payment industry body has called for an 18-month delay on the roll-out.
Strong customer authentication (SCA) will come into effect on 14 September 2019, and means all European shoppers (including those in the UK) will have to double authenticate all online payments over €30 (£26.95). This includes credit transfers via online banking, standard ecommerce card payments, card payments at POS (chip and pin) and more.
The regulations, introduced under the EU’s revised payment services directive (PSD2), are attempting to address payment fraud. According to UK Finance, a banking and finance industry body representing more than 250 firms, unauthorised financial fraud losses totalled £844.8m in 2018.
But while SCA has been a long time coming, its looming rollout has some in the payments industry spooked. With just eight weeks until implementation, the European Association of Payment Service Providers (EPSM) has called for a minimum 18-month delay to the introduction of SCA.
The 67-member organisation has warned of “significant market disruptions” and “a disaster for consumers and PSPs [payment service providers]” if there is no delay to allow the industry to get itself ready.
“EPSM recommends that additional timeframes of 18 months for standard applications and up to 36 months for challenging applications (eg in the travel and hospitality sector) across all regions should be agreed in a harmonised migration approach.”
For merchants, stricter authentication could damage bottom lines, as friction at checkout causes consumers to abandon their goods. European businesses stand to lose an estimated €57bn in the first year after SCA implementation, according to research commissioned by payment service provider Stripe.
SCA is basically two-factor authentication, as you might have for your email account. It requires at least two of the following three elements:
Something the customer knows (eg a password or PIN)
Something the customer has (eg a phone or hardware token)
Something the customer is (eg a fingerprint or face recognition)
For payment service providers (PSPs) and merchants, this additional security needs to be built into the checkout flow. This, EPSM said, will require time and a careful migration so as not to damage providers and businesses.
In response to these concerns, the European Banking Authority (EBA) said it was “legally not able to postpone an application date that is set out in EU law”. The body added that there had been “sufficient time” for the industry to prepare for the application date of SCA, “given that the definition of SCA had been set out in PSD2 when it was published in 2015”.
The EBA also noted that PSD2 already granted an additional 18-month period for the industry to implement SCA. There was, however, a ray of hope for the ill-prepared: the EBA has said there will be some “supervisory flexibility” for PSPs as long as they “have set up a migration plan, have agreed the plan with their [national competent authority] (NCA), and will execute the plan in an expedited manner”.
The UK’s NCA, the FCA, has leapt on this supervisory leeway, stating that while the legal deadline remains 14 September 2019, it “recognises the challenges in meeting this deadline and has been working with the industry to develop a plan to migrate the industry to implement SCA for card payments in e-commerce as soon as possible after this”.
“We aim to quickly agree a plan with stakeholders across the industry that encompasses a blueprint for compliance and readiness, a timetable for achieving this, and key milestones and targets to deliver improved security of customer authentication and fraud reduction along the way.
“Once the group has finalised the plan and we have agreed it, we expect all participants to meet the agreed milestones, targets and final delivery date.”