Marius Galdikas is CEO at ConnectPay
Digital payment providers and vendors in the European Union are facing the fast-approaching deadline to implement Strong Customer Authentication (SCA). The EU legislation was slated to come into force on September 14, 2019. But instead, the new requirements were deemed too complex and pushed back to a rolling deadline. Still, for multiple businesses, the changes will come into force on December 31, 2020, and extend a bit into 2021 for exceptional circumstances. The need to adapt will be a watershed moment for businesses.
What are SCA requirements?
SCA requirements are a part of the EU-wide Payment Service Directive 2 (PSD2), which aim for a unified, smoother euro area payment system. The crux of SCA is the legal requirement and technical application of extra steps in the payment process.
Usually, authentication of this type combines a form of secret knowledge, such as a PIN or password, with a physical object – a chip, card, registered SIM card and phone, or another authentication device. Those requirements must be unrolled to all online transactions and contactless payments made within the EU, and the clock is ticking on rolling out solutions that unite vendors and payment providers in ways both compliant with the law and technically sound.
The changes affect a long list of activities and crucial points for both payment providers and various vendors. Without proper understanding and implementation of the new types of authentication, immediate problems arise. Vendors should act now on SCA, to prevent confusing shoppers, declined payments or abandoned shopping carts. Furthermore, implementing the changes on time will improve the credibility of vendors, as well as the entire payment provider industry.
At the moment, the current behaviour of market players suggests that the SCA rules are either confusing, or the business is uncertain about their implications.
However, a wait-and-see stance is not an option, as when the deadline arrives, companies will have no choice but to sort out its compliance to resume business as usual. Although posing certain challenges, the new regulation may, in fact, be key to nurturing further market development – once the initial hurdles are overcome.
Growing market calls to strengthen security measures
The EU has tracked the challenges of the PSP business over the years, suggesting key areas of improvement, especially in combating fraud and scams.
For now, a lot of responsibility falls on national legislation, but also on the PSP companies. Detecting fraud is a matter of tracking potentially unauthorised transactions. Scams, on the other hand, are defined as misleading schemes which end up redirecting funds.
The EU has set some requirements and goals to solve the payment process in a way that prevents unwanted transactions and can keep detailed records to increase the possibility for crossborder consumer protection.
The EU map of e-commerce and payment systems is highly varied, with both leaders and laggers. But this map also has room for growth due to increasing complexities of crossborder transactions. The current common euro area payment system built a network between banks, but the connections between vendors and payment providers are not any less complex, and also face challenges hindering growth.
It is crucial for vendors to seek out sound PSP partners that would help ensure their business is equipped with the right technical solutions and capable to accommodate the necessary forms of authentication
Notably, Eurostat also discovered a growing e-commerce connectivity between EU countries. In 2019, 35% of purchases were made across borders and sourced from an EU country. This compares to 29% of the total purchases back in 2014. Until April 2020, most e-commerce covered physical goods and travel, with most vendors using their proprietary apps or other points of sale.
The looming deadline of the SCA challenges both payment processors and vendors that are struggling with the pressure of the COVID-19 pandemic. The new regulations arrive at a time when the online payment business has already worked hard on security and stricter KYC requirements. Now, the challenge is both legal and technical, as it calls to test and apply even more efficient, secure tools for user authentication.
Boom of e-commerce heightens fraud risk
With the growth of e-commerce and crossborder transactions, there has been a noticeable increase in online-related revenue. But this growth correlates with increased pressure from fraud attempts. As more users moved online for any activities from basic shopping to purchasing content, this extended the trend of busy online trade.
By April 2020, e-commerce had grown globally by 209% year-on-year. This trend coincided with a 13% increase of online fraud in April, compared to the same time period for 2019.
That said, not all vendors saw only net positives from increased online spending during lockdown. For some vendors, the past few months were a struggle with day-to-day expenses, and some are still seeking to raise revenues.
Thus, the new SCA regulations may come off as a bigger challenge for some businesses due to unfortunate timing. As their transactions will now need to follow a more complex format, some analysts have described the enforcement of SCA as “kicking retailers while they’re down.”
While the EU is aiming to be hospitable to digital modes of payment, its financial rules remain strict to ensure safety and compliance. The current mode of transactions is less secure, differentiated from the usual PIN and chip of bank cards. The SCA aims to change that by bringing businesses to apply a form of multi-factor authentication, thus preventing account theft and unauthorized transactions.
Racing to meet the deadline
Not all businesses and PSPs are on the path to becoming ‘SCA-ready’ as some are still battling pandemic-related strain on their resources, making it difficult to migrate to the new framework.
In addition, a number of businesses, mostly SMBs, are still unaware of the SCA’s true impact on their activities.
Although SCA compliance should be at the top of everyone’s mind, it was overshadowed by the current global events. However, if market players want to meet the deadline, the new implementation should become a top-list priority for vendors, and they should also start looking for partners already implementing robust forms of verification in accordance with the newly proposed rules.
Also, what should not be overlooked is that SCA encompasses not just 2FA, but much more, including dynamic linking and proper messaging to the customer about operations being authorised.
An everyday challenge to e-commerce vendors will be facilitating a bulk-payment approach, where each payment order has a unique ID and requires distinct PIN codes for verification. However, generating many PINs – and fast – becomes tricky, especially for banks still running on legacy systems, which are not up to speed to SCA requirements.
That said, vendors could fill in the gaps with a reliable PSP, which has already taken care of all the intricacies concerning the new law.
In our case, we became an early adopter of SCA regulations: reacting to the growing transaction volume, we released an App, which covers multi-factor authentication and one-tap approvals for payments. It will also be the basis for numerous innovations we have planned to implement in the near future.
The time to act is now
The EU has been lenient so far, and there is still time for businesses to face the SCA requirements. Even with the challenges ahead, both PSP and retailers can benefit from a clear, unified set of rules.
Estimates place card fraud at €1.3 billion per year. It is unknown how this number will float in the coming months, and with the growth of online payments.
However, if implemented, SCA will prevent more cases of fraud while completing the growing interrelated network of vendors and payment providers within the EU.
At this point, resources and knowledge are already available, along with clear EU guidelines. To meet the nearing deadline, it is crucial for vendors to seek out sound PSP partners that would help ensure their business is equipped with the right technical solutions and capable to accommodate the necessary forms of authentication.
Overall, the SCA implementation will put up more barriers against fraud, raising the importance that PSPs and vendors prioritize the December 2020 deadline. Even though there is a set of challenges to be considered, meeting SCA requirements can be still achieved without affecting the day-to-day business – it all comes down to what steps the company is willing to take next.