By Ralf Gladis, CEO, Computop
In the middle of the Covid-19 crisis, when retailers are counting the immense, and in many cases disastrous, impact on sales, it’s likely that the last thing they will want to consider is regulations. It seems a lifetime ago that the issue of Strong Customer Authentication (SCA), the standard developed under the new Payment Services Directive (PSD2) to enhance the security of credit and debit card payments, was high on the agenda, with deadlines looming, and retailers under pressure to comply.
So, it will be a relief to those merchants who are looking forward to a time when they can start trading again in earnest, to know that the Financial Conduct Authority has extended the deadline date for compliance by six months. Instead of 14 March 2021, they will now need to be ready by 14 September 2021 to minimise potential disruption to both consumers and merchants.
Whether this extension is realistic remains to be seen. Even before the Covid-19 crisis hit, many retailers were struggling with the phased implementation plan. However, it is important to understand that the advantages of SCA far outweigh any administrative headaches that might be encountered in preparing for it.
The main responsibility for SCA lies with payment schemes like Visa, MasterCard and PayPal. Retailers need to make sure that the checkout system that they use has access to the latest API for all these payment methods. To facilitate credit card payments merchants will need to have implemented 3-D Secure 2.0 (3DS 2.0), the software that gives them the option to accept ‘frictionless flow’, allowing payment to be authorised without additional security measures and reducing any congestion at the point of checkout.
Upgrading the credit card interface will also involve transmitting more data points with each payment, including postal addresses, basket and customer data, IP-addresses, etc. This information will be used by banks to run transactional risk analysis. The benefit to both the retailer and the customer is that it is designed to speed up conversion, making the transaction faster and more friction-free, both of which enhance the customer experience.
Another example of Covid-19-related leniency from the Financial Conduct Authority (FCA) is around contactless payments. As a result of the virus outbreak there has been a steep rise in this form of payment, which allows merchants and customers to minimise their contact with cash. In the UK, where, according to UK Finance, almost 50 per cent of payments are made contactlessly, demand has reached such a point that the spending limit for contactless payments was increased in April from £30 to £45.
Under normal circumstances, repeated purchases at upper-limits or where the total value of transactions exceeds 150 Euros or five contactless transactions in succession, are likely to result in SCA checks on the identity of the card holder. This is to ensure that PSPs or banks know that the person making the payment is authorised to do so. But in April the FCA issued updated guidance indicating that it was taking a less stringent approach, saying: ‘We support the use of contactless payments and welcome the industry’s initiative to increase the contactless limit. To further facilitate this, we confirm that, in the current circumstances, we are very unlikely to take enforcement action if a firm does not apply strong customer authentication when the cumulative amount of transaction values has exceeded EUR 150 or five contactless transactions in a row. But this is only as long as the firm sufficiently mitigates the risk of unauthorised transactions and fraud, by having the necessary fraud monitoring tools and systems in place and taking swift action where appropriate.’
The other issue that has been knocked off the news agenda due to the unprecedented impact of Covid-19 has been Brexit. Since the Withdrawal Agreement was ratified on the 31 January, we have been in an implementation period which will last until the 30th December this year. Currently EU law continues to apply, including regulations in relation to payment. However, work will need to be done by the Payment Systems Regulator, the FCA, Her Majesty’s Treasury, the Bank of England and other UK regulators to ensure systems and laws are in place once we reach the end of this period. In addition, those parties will need to agree the best way to move forward with the national authorities in member states and all European policymakers on the shared issues and priorities. With no decisions made at the moment, and attention diverted to other urgent challenges, retailers, customers, PSPs and banks are in a waiting pattern when it comes to the implications of Brexit on payment processes and regulations.
Right now, the focus is on survival. The next step, hopefully for many, is to build a recovery plan. But as part of this, it would be prudent to look at what the legislation requires currently, assess how SCA-viable payment processes at the checkout can be integrated and speak to payment service providers to ask for help and guidance. The alternative is to do nothing, which will result in being unprepared, and having to request that card-holding customers authenticate themselves twice. As any retailer knows, any delay to the checkout process is unwelcome, and after Covid-19, the more friction-free the purchasing journey, the better.