European authorities’ guidance on the SCA enforcement moratorium speaks volumes
By J. Bennett, Signifyd VP operations and corporate development
With the UK, France, Germany, Italy and other banking authorities in Europe issuing their directives on the delay in enforcing the rigorous customer authentication standards required by PSD2, it's safe to say that the picture of life under the new regulations is anything but clear.
The UK's Financial Conduct Authority (FCA) laid out an 18-month "managed rollout." That is substantially different from the three-year plan the French authorities issued, which in turn differs from the German guidance, which says only that the enforcement moratorium will last a limited amount of time, without saying what that amount of time is.
In fairness, it’s easy to take pot shots when dozens of sovereign countries are grappling with an incredibly complicated set of regulations that will monumentally change the world of banking, payments and commerce.
And in the end, the directives are important — for what they say literally, but even more so for what they say about the state of SCA efforts in the European Economic Area:
- This is not a call for merchants to relax. It is a call to act fast — at least on the timetable for the banking sector — or face regulatory action and fines.
- Order verification through 3DS2 alone is not an acceptable answer to PSD2's strong customer authentication (SCA) requirements.
- Getting SCA right is about fraud, but more importantly, it is about building great customer experiences and ensuring that all consumers can shop online.
How could the string of statements from relatively specialized regulatory bodies say all that? Well, let’s break it down.
First, the competent authorities are consistent in communicating that the PSD2 regulations have been in effect since Sept. 14, as originally planned. It is the enforcement that will be relaxed, primarily because a significant number of retailers and banks are not ready.
But nothing suggests that ecommerce businesses should sit back and put their feet up. The FCA indicated that businesses that do not make a sufficient effort to meet the requirements could still face penalties during the enforcement delay.
The Central Bank of Ireland was fairly direct:
“The Central Bank of Ireland recognizes the difficulties with meeting this (original) deadline. We have been engaging with the industry to develop a migration plan to implement SCA for ecommerce transactions, as soon as possible after this date.”
And Gill Murphy, a close watcher of Ireland’s Central Bank, warned against complacency.
“Any additional time will be limited, so it is critical that all ecommerce businesses and operators continue to progress their preparation and implementation at pace,” Murphy, who works for the Banking and Payments Federation of Ireland, told the Irish Times.
As for 3DS2 on its own as a solution: the announcements wouldn't have been necessary if the widely available protocol were enough to satisfy the requirements. The fact is, 3DS2 has an important role to play in delivering SCA without adding checkout friction, but as the European Banking Authority (EBA) declared in June, 3DS2 alone is not sufficient to meet the SCA requirements.
And perhaps most importantly, directive after directive has made it clear that consumers are at the center of the authorities’ concern.
From the FCA:
“The FCA has been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster. While these measures will reduce fraud, we want to make sure that they won’t cause material disruption to consumers themselves; so we have agreed (on) a phased plan for their timely introduction.”
And from Germany’s Federal Financial Supervisory Authority, known as BaFin:
“To ensure that consumers and businesses can continue to pay online by credit card, BaFin will temporarily not insist on strong customer authentication for … payments on the internet.”
It is almost trite to say that retailers need to keep consumers at the center of everything they do. But it is certainly true in the case of implementing SCA. A number of studies have pointed out the decline in conversions that strong authentication can cause. Stripe, Worldpay, Amazon and others have warned that under current conditions, the introduction of SCA will be accompanied by billions of dollars in losses.
On the other end of those failed transactions are customers attempting to make purchases and failing, either because their retailer is not prepared or because they are unable to receive a confirmation text or comply with another element of the authentication process.
So, despite the differences in the authorities’ directives, they appear to be driving toward a common goal when it comes to consumers.
Paul Rogers, chairman and founder of Vendorcom, a European payment community, has been closely following the move toward SCA for years. He says there is plenty of work to be done and plenty of ambiguity to be overcome.
Despite the cavalcade of competent authority directives, substantial uncertainty remains — including just when many European merchants need to be compliant. And despite its embrace of a managed rollout, there is uncertainty attached to the UK’s authority, given that it may crash out of the European Union in just one month.
PSD2 and SCA apply to British merchants selling into the European Economic Area whether the UK is in the EU or not, but it will be hard for the UK to lead on PSD2 from the outside.
Given all that is happening and the fact that competent authorities in Europe are now rolling out details of their own enforcement moratoriums, this might be a good time to review how we got here in the first place.
PSD2 is a complex regulation and covers businesses involved in online transactions in the European Economic Area. The core focus for online retailers has been the requirement for SCA, which requires that customers be authenticated using two elements drawn from three distinct categories: something they know, something they have and something they are. The elements must be independent, so that even if a fraudster compromises one, the other two are not compromised with it.
The new rules have been a source of stress for many retailers and something of a surprise to others, who hadn’t come to grips with the way payments and commerce would change under the new regulations and the impact on business.
The stress comes from the fact that retailers widely assumed SCA would add friction to the buying experience and cause a dramatic drop in conversions. And, of course, it calmed no one's nerves to know that ecommerce businesses that aren't prepared to conduct SCA won't be able to transact the overwhelming majority of their online business once enforcement begins.
A Mastercard survey published just six months before PSD2's effective date found that only 25% of online merchants in Europe had even heard of SCA. And 24% said they had no plans to implement SCA, showing a deep lack of understanding of the new regulations and their effects.
Awareness increased with the onslaught of media coverage in the run-up to the enforcement date, but the string of announcements by the competent authorities indicated that awareness is not the same as compliance.
And the heightened awareness has done little to eliminate the stress of those searching for an SCA solution.
For a time, there was a widespread misperception that the 3DS2 protocol on its own was the way to go. It was never seen as a particularly good solution, as the original 3D Secure was known for killing conversion, causing a 45% decline in conversion in the U.S., for instance.
But by June, the EBA entirely eliminated 3DS2 alone as a solution.
"Communication protocols such as EMV 3-D Secure version 2.0 and newer would not currently appear to constitute inherence elements, as none of the data points, or their combination, exchanged through this communication tool appears to include information that relates to biological and behavioral biometrics," the EBA wrote in its opinion.
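To make the two-independent-category rule described above concrete, and to show where the EBA's point about 3DS2 lands in practice, here is a small checker that classifies the authentication elements used in a transaction and reports whether they satisfy SCA. It is an added example written for this page, not Signifyd's code and not anything a regulator has published; the catalogue of element labels, the category assigned to each label (other than 3DS2 device data, which follows the EBA opinion quoted above) and the same-device independence heuristic are all assumptions made for illustration.

```python
"""Classify authentication elements and check the SCA two-category rule.

Example code for this article. The element catalogue and its category
assignments are illustrative assumptions, not regulatory determinations.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Category(Enum):
    KNOWLEDGE = "something the customer knows"
    POSSESSION = "something the customer has"
    INHERENCE = "something the customer is"


@dataclass(frozen=True)
class Element:
    name: str
    category: Optional[Category]  # None: a data point, not an SCA element
    device: str                   # where the element is produced or received


# Constructed catalogue (assumption). 3DS2 device data is listed with no
# category because, per the EBA opinion quoted above, its data points do not
# constitute an inherence element; it is risk data, not a customer factor.
CATALOGUE = {
    "password": Element("password", Category.KNOWLEDGE, "browser"),
    "sms_otp": Element("sms_otp", Category.POSSESSION, "phone"),
    "app_push": Element("app_push", Category.POSSESSION, "phone"),
    "fingerprint": Element("fingerprint", Category.INHERENCE, "phone"),
    "3ds2_device_data": Element("3ds2_device_data", None, "browser"),
}


@dataclass
class Result:
    satisfied: bool
    categories: Set[Category] = field(default_factory=set)
    ignored: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def evaluate_sca(used: List[str]) -> Result:
    """Return whether the labels in `used` cover two distinct SCA categories.

    Labels that are unknown or carry no category are reported in `ignored`
    rather than counted. The independence check is a heuristic (assumption):
    if every counted element depends on the same device, one compromise of
    that device could expose all of them, so a warning is raised.
    """
    counted: List[Element] = []
    ignored: List[str] = []
    for label in used:
        element = CATALOGUE.get(label)
        if element is None or element.category is None:
            ignored.append(label)
        else:
            counted.append(element)

    categories = {e.category for e in counted if e.category is not None}
    satisfied = len(categories) >= 2

    warnings: List[str] = []
    devices = {e.device for e in counted}
    if satisfied and len(devices) < 2:
        warnings.append(
            "all counted elements rely on the same device: " + devices.pop()
        )
    return Result(satisfied, categories, ignored, warnings)


if __name__ == "__main__":
    for combo in (["password", "sms_otp"],
                  ["password", "3ds2_device_data"],
                  ["sms_otp", "app_push"],
                  ["fingerprint", "app_push"]):
        r = evaluate_sca(combo)
        print(combo, "->", "SCA" if r.satisfied else "not SCA",
              "ignored:", r.ignored, "warnings:", r.warnings)
```

Run as a script, the second combination (a password plus 3DS2 device data) fails the check with the 3DS2 data reported as ignored, which is the situation the EBA opinion describes; the third fails because two possession elements are one category, and the fourth passes but carries a warning because both elements live on the same phone.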
Still other retailers have been searching for a silver bullet among the list of exemptions laid out in the SCA regulation. But the exemptions apply only to certain low-value transactions, or depend on the acquiring or issuing bank maintaining unrealistically low fraud rates, and neither the bank's fraud rate nor the issuer's decision to honor an exemption is under the retailer's control.
Successful SCA in the era of PSD2 will likely involve a holistic approach — taking ownership of SCA and viewing it as a path to a better customer experience.
A machine-learning-based solution that provides dynamic fraud analysis for online retailers allows for nearly instantaneous SCA review and more accurate decisions, based on the significantly larger set of data the models process, as opposed to passing that data all the way down to the issuing banks and back.
In the end, the timelines for needing to have SCA in place remain fluid, depending on a retailer’s home country and the interpretation of the announced enforcement delays and those that are sure to come.
The only certainty is that those retailers who get there first are going to have a competitive advantage.