BRC Payments Policy Adviser Andrew Cregan provides a view from the coalface of the UK's preparations for Strong Customer Authentication (SCA). Whilst progress is slow, January delivered a big win for the future of e-commerce, yet much more remains to be done.
Some good progress…
The end of January saw a significant win for merchants, banks and customers alike, when the Financial Conduct Authority (FCA) – the primary authority over Strong Customer Authentication (SCA) in the UK – agreed that industry should focus on a “behavioural biometric” inherence factor as the second form of authentication alongside One-Time Passcodes (OTP) for online transactions. It’s great news for millions of consumers and online retailers who might otherwise have experienced substantial friction at the online check-out, basket abandonment or even compromised accounts. The BRC hope for more good news at the end of the month.
OTP+: An alternative second factor became necessary after the European Banking Authority (EBA) announced in summer 2019 that card details entered online could not in themselves be considered one of the factors of authentication under SCA. This presented a problem for most online customer journeys, for example those on a laptop; customers making in-app purchases, however, were unlikely to be impacted, given the ability to authenticate payments by security codes, fingerprints and possession of the smartphone they are linked to. The FCA’s decision killed the unwelcome prospect of online shoppers requiring a static password or their card PIN in addition to an OTP, which past experience in the UK and abroad has shown to be a disaster, whilst creating new opportunities for fraud. Card-issuing banks will still have to offer an alternative to receiving an OTP by text for “vulnerable” customers who do not have a mobile phone, have limited phone reception, or for any other reason may struggle to receive a text OTP.
Dynamic Linking: Further progress is expected before the end of February, with a resolution due on “dynamic linking” – the rule that the transaction value and Merchant ID must exactly match those of an authorised transaction. Whilst reasonable for most transactions, dynamic linking presents a major obstacle for some entire business models, including hospitality and online grocery shopping. For example, shoppers add products to online shopping baskets that may vary in weight and/or value, and many companies use several Merchant IDs and pass details on to relevant sub-entities for payment. Following recent interactions with the EBA, the industry is hopeful of some flexibility on the Merchant ID matter, whilst a resolution is expected by the end of the month on a tolerance for variation in value from the EBA, if not the FCA.
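To make the dynamic linking rule concrete, here is an added example in Python (not BRC, PMO or any scheme's code): a check that an authorisation request matches what the customer authenticated, with an assumed value tolerance and an assumed group of permitted Merchant IDs standing in for the flexibility the industry is hoping for. The amounts and Merchant IDs are constructed, and the tolerance values are placeholders, since neither the EBA nor the FCA has yet set one.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Authentication:
    """What the customer authenticated: amount in minor units (pence) and payee."""
    amount: int
    merchant_id: str


@dataclass(frozen=True)
class Authorisation:
    """What the acquirer is later asked to authorise, once the basket is final."""
    amount: int
    merchant_id: str


def is_dynamically_linked(auth: Authentication, req: Authorisation,
                          value_tolerance: float = 0.0,
                          allowed_merchant_ids: frozenset[str] | None = None) -> bool:
    """Return True if the authorisation is linked to the authentication.

    value_tolerance is the fraction by which the authorised amount may differ
    from the authenticated amount (0.0 reproduces today's exact-match rule).
    allowed_merchant_ids is an assumed model of Merchant ID flexibility: the
    group of IDs disclosed to the customer at authentication time.
    """
    ids = allowed_merchant_ids or frozenset({auth.merchant_id})
    if req.merchant_id not in ids or req.amount < 0:
        return False
    # Symmetric tolerance: a weighed basket can come in over or under.
    return abs(req.amount - auth.amount) <= auth.amount * value_tolerance


def grocery_example(tolerance: float) -> bool:
    # Constructed: customer authenticated GBP 85.00; weighed items came to GBP 87.40.
    return is_dynamically_linked(Authentication(8500, "MID-GROCER-01"),
                                 Authorisation(8740, "MID-GROCER-01"),
                                 value_tolerance=tolerance)


def hospitality_example(group: frozenset[str] | None) -> bool:
    # Constructed: booking authenticated against a group MID, charged by the hotel's own MID.
    return is_dynamically_linked(Authentication(12000, "MID-GROUP-HQ"),
                                 Authorisation(12000, "MID-HOTEL-LEEDS"),
                                 allowed_merchant_ids=group)
```

Under the exact-match rule both constructed journeys are declined; a 5% tolerance rescues the grocery basket and a disclosed group of Merchant IDs rescues the hotel booking.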
…but still much more to do
Ensuring a good level of readiness for SCA means that all players in the payment ecosystem must have the right technical solutions in place – tried, tested and interoperable with other players – with a high-level of awareness, and a common rulebook.
3D what?! The technical solution for SCA is, by and large, the second generation of 3D Secure (aka Verified by Visa, Mastercard SecureCode, AMEX SafeKey). But only the latest version of 3D Secure (3DS2.2) has been designed with SCA in mind. Earlier versions of 3DS (3DS1 & 3DS2.1) do not allow the merchant or customer to make use of all the exemptions that minimise friction and provide the smoothest check-out experience. Merchants need to be aware of the differences, but should opt for 3DS2.2 in order to provide the best customer journeys. Yet the card-issuing banks will not be mandated to use 3DS2.2 until September this year, when many retailers freeze their systems for the all-important run-up to Christmas. This doesn’t leave much time in 2021 to tackle any implementation issues ahead of the March enforcement deadline, whilst international payments will already be jeopardised by the earlier December 2020 enforcement deadline across the EU.
Tried & Tested: An effective testing framework will be critical for all players in the ecosystem to trial their implementation of technical solutions and ensure compatibility throughout the payment chain. As part of this process the SCA Project Management Office (PMO, hosted by UK Finance) will soon publish a “Transparency Calendar” allowing merchants, gateways and card-acquiring banks to test their SCA compliant systems in a live environment with card-acquiring banks within allocated testing windows. This should precede broader implementation of SCA by card-issuing banks and any significant expansion in step-ups ahead of the enforcement deadline.
Aware & Ready: Readiness throughout the payment ecosystem means card-issuing banks, card-acquiring banks and the numerous “gateways” that most retailers use to facilitate online card transactions. More than any other category, it is the gateways that are seen as the weak link in the chain today – the most likely bottleneck, where there is the highest risk of necessary solutions not being in place, and of communications not cascading down to smaller online retailer end-users. It is essential that – in addition to above-the-line communications to consumers – there is an effective cascade of information from the centre to merchant end-users through the flow of contractual relationships. Merchant end-users rely on gateways, which in turn rely on acquirers, which are regulated by the FCA.
Merchant Assurance: And the information cascaded to end-users needs to address their questions and concerns. The BRC have called for clear Technical Guidance to be issued to merchants for over a year. This is needed for retailers to understand how SCA will impact specific customer journeys and what they can do to minimise friction or declines based on who their customers bank with. To some extent this requires a common approach and assurances from regulators to satisfy the legal concerns of payment service providers, but competition concerns should not prevent merchant end-users from getting straight and consistent answers to their queries, nor should they be lumbered with excessive fees for meeting SCA requirements.
Operational Resilience: Important merchant questions on one business-critical issue – dynamic linking – may soon have a resolution, as already mentioned. But there is another business-critical issue that could impact all merchants in all sectors, requires clear guidance, and is far from resolved. What can merchants do to carry on accepting customer payments in the event of an outage or technical problem somewhere in the payment chain? According to research from Which?, three-quarters of UK bank customers have only one card-based payment option, leaving them particularly vulnerable to being financially cut off by an IT outage. There are several connections in the ecosystem where a payment process can fail, yet today merchants have options to maintain operational resilience by conducting their own checks and processing payments, with the liability dependent on where the breakdown has occurred. SCA rules require live payment authorisation without exception, which presents significant risks for merchants and customers. A new protocol is therefore required. Thankfully, a PMO Working Group, led by a very sharp BRC member, is on the case to deliver it.