Read a joint article by Martin Koderisch and Grégoire Toussaint who provide an update on Strong Customer Authentication (SCA) and the current status of the available exemptions.
SCA is coming
PSD2 came into effect on 13 January 2018 in the European Union (EU), and we are now in a transition period lasting until 14 September 2019, when the rules on Strong Customer Authentication (SCA) start to apply. Stakeholders have until then to prepare. While the SCA procedure itself is relatively clear, there is still a lack of clarity about the roles and responsibilities of the different actors in the payment value chain. This article gives a short overview of 'who does what', based on our understanding as of the end of July 2018. It sets the scene for follow-up articles on SCA covering the implications for each actor in the payment value chain and a deeper dive into emerging authentication solutions and technologies.
The SCA rule in a nutshell
From 14 September 2019, remote electronic payments in the EU will require SCA, which is essentially two-factor authentication (2FA). Cash payments are out of scope. Payments with a physical card at a POS terminal are in scope, but chip and PIN already satisfies the requirement, so nothing changes there in practice. The new SCA rules essentially aim to bring remote payments up to this level of security.
The SCA procedure requires at least two factors from two separate categories:
- Knowledge: something a user knows (e.g. secret code)
- Possession: something a user possesses (e.g. smartphone)
- Inherence: something a user is (e.g. fingerprint, voice or facial characteristics)
A compliant procedure might, for example, combine a password (knowledge) with a fingerprint (inherence), or a password (knowledge) with a one-time passcode (OTP) sent to the user's phone via SMS (possession: the OTP evidences control of the phone or SIM, not something the user knows). The rules do not stipulate what the procedure must be, so the market can decide, although the RTS do require the two factors to be independent, so that compromising one does not compromise the other. This still leaves some areas to be defined.
In-scope vs. out-of-scope
All customer-initiated transactions are in scope of the SCA rules; in other words, SCA applies to every transaction triggered by the customer. Some transaction types are out of scope, however. These include merchant-initiated transactions such as direct debits where a contract or e-mandate has been signed between payee and payer, and so-called 'one-leg-out' transactions where, for example, a US-issued card is used online at an EU merchant.
Under the SCA rules, it is the issuer that is responsible for authenticating the customer. This is a significant change from the current model. Until now, merchants have been able to decide whether they need to authenticate their customers with 2FA for a remote payment. The decision matters: merchants know that 2FA adds friction to the checkout experience and depresses conversion rates, which means lost business and disgruntled customers. They have invested heavily in streamlining the purchase and payment process to make it frictionless, for instance with 1-click payments. But removing 2FA also hurts merchants in the form of higher fraud rates, so a trade-off has to be made. Merchants have therefore developed transaction scoring capabilities to assess the risk of each payment and can decide:
- To trigger a strong customer authentication; in this case, merchants benefit from the liability shift and card issuers become liable in case of fraud
- Or to bypass authentication and merchants become liable for fraud.
Being able to accurately assess the impact of 2FA on conversion rates lets merchants find the optimal trade-off between fraud losses and lost revenue. Because exemptions have to be applied selectively, this analysis will remain critical under SCA and will underpin a sound strong authentication strategy.
Exemptions do exist
Exemptions are applied by the payment service providers, that is issuers and acquirers; merchants request them through their acquirer. The exemptions are listed below. Merchants and other payment players need to understand whether, and in which cases, each exemption can apply.
- Contactless payments at POS (Article 11 RTS) – no SCA is required for contactless payments with a card or a wallet, provided the individual amount does not exceed €50 and, since the last application of SCA, either the cumulative contactless amount stays within €150 or no more than five consecutive contactless payments have been made. This will support the continued adoption and usage of contactless payments in the EU.
- Unattended terminals for transport fares and parking fees (Article 12 RTS) – no SCA is required, reflecting the uniqueness of this transaction category. This creates the base for further developments of open payment regarding transit and electronic transactions for parking payments.
- Trusted beneficiaries / Whitelisting (Article 13 RTS) – a simple concept, made more complex by the lack of available technical solutions for whitelisting cards. Remember that whitelisting can only be done by the issuer; neither merchants nor their acquirers can manage whitelists. Whitelisting may be the most promising exemption in the long term, as it puts consumers in control of which merchants they trust and where they would like a simple or frictionless checkout.
- Recurring transactions (Article 14 RTS) – possibly the most unclear and contentious exemption. What we know for certain as of July 2018 is that a series of payments initiated by the same merchant, for the same amount, on the same regular date is exempt from SCA, although SCA is still required when the series is set up or amended. This would, for example, cover magazine subscriptions and video and music streaming services. But as it stands, the rules do not exempt payments initiated by a merchant for variable amounts, such as mobile phone and utility bills. In these cases, to complete a payment, a merchant would probably need to send the customer a 'request to pay' notification that triggers an SCA procedure. This clearly undermines the convenience of recurring card payments. Given that direct debits are out of scope of SCA, the rules as they stand will most likely push volume from cards towards direct debits. Many argue this is unfair and against the spirit of the PSD2 text, and the industry is actively lobbying for variable amounts to be included. Also affected are wallet operators such as PayPal or Lyf Pay in France that use cards for funding, as are 'Uber-like' transactions. The EBA's recent Opinion, published on 13 June, only partly clarifies the situation. EDC expects the EBA to provide further clarification during Q3 2018 via its Q&A tool.
- Credit transfers between accounts held by the same person (Article 15 RTS) – no SCA is required for credit transfers where payer and payee are the same person and both accounts are held at the same bank, for example moving funds from a current account to a savings account.
- Low-value remote transactions (Article 16 RTS) – no SCA is required for a remote transaction of up to €30, provided that, since the last application of SCA, either the cumulative amount of remote transactions does not exceed €100 or no more than five consecutive remote transactions have been made; once the limit the issuer tracks is reached, the next transaction must be stepped up to SCA. The payments industry has broadly welcomed this exemption as a way to keep low-value payments frictionless. However, only the issuer holds these counters and knows when a threshold has been reached, so merchants and other payment actors cannot rely on this exemption alone. EDC has worked closely with actors to assess the relevance of this exemption based on analysis of spending patterns and other behavioural data.
- Secure corporate payment processes and protocols (Article 17 RTS) – no SCA is required for corporate payments as long as equivalent levels of security are achieved. Unfortunately these are not defined at EU level; each member state regulator decides what counts as equivalent. It currently seems unlikely that, for example, all corporate travel cards will be exempt from SCA. Complying with SCA will not be straightforward in corporate travel, where card authorisations are often made in batch, after the booking has been made. EDC expects the EBA to play an important role in harmonising how local regulators interpret the SCA rules and in ensuring a level playing field.
- Transaction Risk Analysis (TRA) (Article 18 RTS) – both issuers and acquirers can apply this exemption based on risk scoring, but must demonstrate that their aggregate fraud rate for the transaction type, measured across their whole portfolio and not for a specific merchant or merchant category, does not exceed the reference rate for the transaction value band: 13 bps for transactions up to €100, 6 bps up to €250 and 1 bp up to €500; above €500 TRA cannot be used. Merchants cannot apply this exemption themselves; only issuers and acquirers can. This departs from the current situation, where a merchant can choose to accept liability for an 'unsecured' e-commerce transaction or to secure it with 3-D Secure and shift the liability to the issuer. As discussed above, this choice goes away: liability will always sit with either the acquirer or the issuer, although merchants can agree bilaterally with their acquirer to share it.
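As an added illustration, not part of the original article and not EDC's or any scheme's code, the following Python models the issuer-side decision for two of the exemptions above: low-value remote transactions (Article 16) and TRA (Article 18). The limits (€30 per transaction, €100 cumulative or five consecutive transactions since the last SCA; 13 bps up to €100, 6 bps up to €250, 1 bp up to €500) are the RTS values. The per-card counter store, the function names and the constructed payment sequences are assumptions made for illustration; a real issuer would also apply the other exemptions and its own risk rules before stepping up.

```python
"""Issuer-side exemption decision for a remote card payment under the PSD2 RTS.

Models the low-value (Article 16) and transaction risk analysis (Article 18)
exemptions. Thresholds are the RTS values; the per-card counter store, the
function names and the payment sequences are assumptions for illustration only.
"""
from dataclasses import dataclass
from decimal import Decimal

# Article 16: per-transaction cap and limits on the counters kept since the last SCA.
LOW_VALUE_MAX_AMOUNT = Decimal("30")
LOW_VALUE_MAX_CUMULATIVE = Decimal("100")
LOW_VALUE_MAX_COUNT = 5

# Article 18 / RTS Annex: exemption threshold value (EUR) -> reference fraud rate (bps).
TRA_TIERS = (
    (Decimal("100"), Decimal("13")),
    (Decimal("250"), Decimal("6")),
    (Decimal("500"), Decimal("1")),
)


@dataclass
class CardCounters:
    """Per-card running totals since the last successful SCA (assumed issuer-side store)."""
    cumulative_amount: Decimal = Decimal("0")
    count: int = 0

    def accrue(self, amount: Decimal) -> None:
        self.cumulative_amount += amount
        self.count += 1

    def reset(self) -> None:
        self.cumulative_amount = Decimal("0")
        self.count = 0


def low_value_exemption_applies(amount: Decimal, counters: CardCounters) -> bool:
    """Article 16: amount <= EUR 30 and the running totals stay within their limits.

    The RTS lets the issuer rely on either the cumulative-amount counter or the
    transaction-count counter; this example takes the conservative reading and
    requires both to stay within bounds after this transaction is added.
    """
    if amount > LOW_VALUE_MAX_AMOUNT:
        return False
    if counters.count + 1 > LOW_VALUE_MAX_COUNT:
        return False
    if counters.cumulative_amount + amount > LOW_VALUE_MAX_CUMULATIVE:
        return False
    return True


def tra_exemption_applies(amount: Decimal, psp_fraud_rate_bps: Decimal) -> bool:
    """Article 18: the PSP's portfolio fraud rate must not exceed the reference rate
    for the lowest band the amount falls into; above EUR 500 TRA is never available."""
    for threshold, reference_bps in TRA_TIERS:
        if amount <= threshold:
            return psp_fraud_rate_bps <= reference_bps
    return False


def decide(amount: Decimal, counters: CardCounters, psp_fraud_rate_bps: Decimal) -> str:
    """Return 'exempt' or 'sca_required' and update the card's counters.

    Any non-authenticated remote transaction accrues to the Article 16 counters,
    whichever exemption was used. A stepped-up transaction is assumed to complete
    SCA successfully, which resets the counters.
    """
    if low_value_exemption_applies(amount, counters) or tra_exemption_applies(amount, psp_fraud_rate_bps):
        counters.accrue(amount)
        return "exempt"
    counters.reset()
    return "sca_required"


def run_sequence(amounts, psp_fraud_rate_bps):
    """Replay a list of payment amounts (EUR, as strings) for one card and return the decisions."""
    counters = CardCounters()
    rate = Decimal(psp_fraud_rate_bps)
    return [decide(Decimal(a), counters, rate) for a in amounts]


if __name__ == "__main__":
    # Constructed sequence for an issuer whose 20 bps fraud rate rules out TRA:
    # four EUR 25 payments fill the EUR 100 cumulative limit, so the fifth is stepped up,
    # which resets the counters; EUR 80 and EUR 600 exceed the per-transaction cap.
    amounts = ["25", "25", "25", "25", "12", "20", "29", "80", "600"]
    for amount, outcome in zip(amounts, run_sequence(amounts, "20")):
        print(f"EUR {amount:>4}: {outcome}")
```

The point the example makes concrete is the one in the list above: the counters live with the issuer, so a merchant or acquirer seeing a €12 basket has no way of knowing that it is the transaction that breaches the cumulative limit and will be stepped up.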
Impact on the whole payment value chain
Merchants need to develop SCA strategies that make the most of the exemptions. But SCA is a reality: even if exemptions apply in the majority of cases, there will be plenty of situations where a step-up to SCA is required.
SCA may be triggered, for instance, when a customer books a high-value flight while abroad, or when the cumulative limit for low-value payments is reached. All participants in the payments value chain therefore need to determine the optimal SCA procedure for them, which will vary with product or service type, sales channel and target customer base. Not everyone has a smartphone with a fingerprint reader, so alternative authentication procedures will need to be evaluated.
Future of authentication
Authentication is a fast-evolving field in which technology plays a key part. Cards with a dynamic CVV are coming to market. Biometric modalities other than fingerprints are becoming commercially viable, including face, voice and iris recognition. Then there is the rapidly emerging field of behavioural authentication, linked to important concepts such as persistent and adaptive authentication. All of these will be examined in greater detail in forthcoming articles.
Grégoire Toussaint is a Principal based in EDC's Paris office. He has more than 10 years of consulting experience with EDC in business strategy for financial services clients in multiple Asian, European and North American countries.
Grégoire has worked in EDC London’s, Sydney’s and Paris’ offices and developed global perspectives on payments.
Martin Koderisch is a Manager based in EDC's London office. He has over 15 years of experience in international banking and payments. His focus is on evaluating the business impact of industry regulation and scheme rules, with a particular emphasis on fraud, risk, strong customer authentication (SCA), 3-D Secure 2.0, Open Banking, PSD2 and API banking. He is a frequent conference speaker, thought leadership author and market commentator/analyst.