The Programme Management Office (PMO) for Strong Customer Authentication (SCA) are posing the following question for feedback from retailers, possibly one for the tech wizards in your organisation. Please provide feedback to Andrew.Cregan@brc.org.uk by 21st February 2020.

Context

The Financial Conduct Authority (FCA) have agreed that “behavioural biometrics” should be used alongside One-Time Passcodes (OTP) as the two factors of authentication for (non-app) online transactions. This decision avoids the unwelcome prospect of online shoppers requiring a static password or their card PIN, in addition to an OTP, which past experience in the UK and abroad has shown to be highly disruptive, whilst creating new opportunities for fraud.

Question for feedback

“Behavioural biometrics solutions will require JavaScript integration between the ACS and the Behavioural Biometric solution provider for 3DS browser-based authentication challenge flows.

Are merchant web sites likely to implement restrictions that interfere with such scripts? Possible restrictions could be related to the inclusion of third-party content, CORS restrictions, or similar. 

We would like merchant views on whether this concern is well founded and if so what industry guidance to merchants would be appropriate to maximise the successful use of Behavioural Biometric solutions in 3DS browser challenge flows.”