Why is BREXIT like Strong Customer Authentication (SCA)?


Mark Beresford
April 2, 2019

Since the UK voted to leave the European Union, the relationship between the two has become increasingly strained and at times things have got hostile. Whether you are in the UK or outside the UK looking in, the past two-and-a-half years of Britain’s fraught, seemingly incessant and increasingly shambolic departure from the EU have proved an eye-opener. It is like a roller-coaster ride that will never stop. I particularly liked how Nathalie Loiseau, France's Europe minister, said that if she had a cat, she would call her cat Brexit because it wakes up meowing because it wants to go out. When she opens the door, the cat sits there, undecided. Then it looks wounded when she puts it out.

Away from Brexit, top of mind for all payment geeks is Strong Customer Authentication (SCA). SCA is the remaining, yet to be implemented, component of PSD2 (the second Payment Services Directive), which came into force on 13 January 2018. SCA aims to ensure greater customer protection and security of electronic payments, and it was described in the publication of the RTS (Regulatory Technical Standards). SCA officially comes into force on 14 September 2019.

So, what has Brexit got to do with Strong Customer Authentication? On the face of it, absolutely nothing, but when you look closer, there is a set of peculiar similarities. These include a damaged reputation or at least the potential for a damaged reputation, a calendar of milestones, and the use of lots of jargon.

Damaged Reputation

So far, Brexit has made the UK look like a weak, irrelevant, sometimes amusing sideshow on the international stage. Whichever way Brexit eventually plays out, serious and irreparable damage has been done to Britain and the reputation of its Government and its politicians. On the other hand, SCA isn’t live yet for retailers and consumers. In a European retail market that is estimated to be €2.6 trillion in 2018, we have seen payments, such as cash or paper cheques at the point of sale, being rapidly replaced by electronic payments. These same electronic payments have fuelled the rapid expansion of e-commerce and the sometimes-overused term, frictionless payments.

That is about to all change on 14 September 2019.

With the implementation of PSD2, the payments industry has the potential to do serious and irreparable damage to itself as a result of the rollout of SCA. A significant concern in the industry is that SCA could damage business by creating more friction for the consumer at the checkout. Once SCA is triggered, numerous payment service providers across the complex chain of stakeholders will be forced to look for ways to simplify the transaction process, either through exemptions (built into the SCA rules and regulations) or by pursuing a low-friction SCA route.

Being fully compliant with the SCA rules is not easy. Even the seasoned experts working in the payments industry don’t know all the answers. EDC has found there are pockets of deep knowledge in a specific subject domain from the perspective of specific stakeholders that participate in processing electronic payments. There is no end-to-end understanding of SCA or how it works in reality.

SCA is expected to have severe implications for business and technological solutions in the acceptance and processing of electronic payments. Whether you are a hotel or an airline accepting a reservation, or a coffee shop accepting a contactless payment at a POS device, or a gym setting up a monthly subscription for membership, every electronic payment transaction will be impacted. After 14 September, if any player that touches that electronic payment is not ready for SCA, it has the potential to go wrong. From the software in the electronic POS device to the account service provider, every player has a checklist of activities in the run-up to the September deadline. Everyone in the payments industry has SCA at the top of their minds because of the colossal amount of work it involves.

The payment industry’s reputation will be damaged as a result of the lack of awareness from a cardholder’s point of view and from the retailer’s perspective. The checkout process will be disrupted, and retailers and consumers will not fully understand why their transaction has been declined when it had previously been accepted prior to SCA. Some would say, if it isn’t broken don't fix it. Or, as some say, if it isn’t broken don’t Brexit. But in the case of electronic payments, it works, it has some issues, we are working on them, but let’s not try to fix it and make it more broken!

Calendar of milestones

The calendar is another similarity between Brexit and SCA. Brexit and SCA each have a calendar of key events and milestones. Neither calendar is simple. The Brexit kick start was Thursday 23 June 2016, when the UK had the EU referendum. The result was that 51.89% of the 33 million people who voted said they wanted to leave the EU. Around the same time, but over a longer period, the European Banking Authority (EBA) drafted the RTS, subject to several rounds of reviews with the European Commission. A final version of the RTS was adopted by the Commission in November 2017. This effectively kick-started SCA. On 13 January 2018 PSD2 entered into effect across all 28 European countries (although a few members were slower at transposing the Directive into local legislation).

Triggering Article 50 occurred on 29 March 2017, when the UK formally delivered by hand a letter signed by Prime Minister Theresa May to Donald Tusk, the President of the European Council in Brussels. This started a 24-month ticking clock leading up to when the UK leaves the EU. The RTS had an 18-month ticking clock leading up to when SCA will be implemented. In both Brexit and SCA – it could be a ticking bomb, not a ticking clock. Both Brexit and SCA will be officially completed in 2019 – SCA in September, Brexit just six months before the SCA implementation. However, Brexit’s end date of 29 March 2019 will be delayed until 12 April or 22 May or even 30 June. This date has yet to be set in stone because the UK Government doesn’t actually agree on what the withdrawal agreement with the EU will look like. “However, SCA has the force of law behind it in the shape of PSD2, which was adopted by all 28 EU members, and it will come into effect on 14 September 2019. But it isn’t that simple. From mid-April 2019 onwards, card schemes will introduce new rules that will shift liability to the issuer for those merchants that support the new 3DS version 2 specification.

Although EMVCo has a testing environment for version 2.1, the testing environment for 2.2 is not yet available, yet it is the version of the 3D specification that provides full support for the SCA exemptions. Furthermore, even after 14 September 2019, merchants will need to be able to fall back to 3DS version 1.0 in the event that an issuer has yet to migrate to version 2.” A date by which most within the industry do not believe all card issuers will be ready. In other words, merchants will need to run version 1 and version 2 3DS in parallel. Regulated entities must be compliant with the law; otherwise, the local Competent Authority (CA) will impose penalties. Retailers are not regulated entities in the eyes of the CA; therefore, they seem to be the one important entity in the acceptance of electronic payments that is the least prepared and where the greatest impact will be felt.

Jargon

Whether it is politics or payments, every walk of life has its own jargon, terminology and acronyms. Even the term Brexit was added to the Oxford English Dictionary (OED) in December 2016. I doubt SCA will have this privilege. Brexit, as a word, has not only spread globally, it has been reproduced and other words have appeared, such as Brexiteer, Brexiter, and Brexodus. Beyond the word Brexit, there is a long list of jargon that needs to be understood, as there is with SCA: No Deal, Transition Period, Backstop, Article 50, Customs Union, Free-trade agreement, Divorce Bill, WTO rules, and the latest term is “meaningful vote”. That last one makes me laugh; I want to know whether other votes in Parliament were not meaningful?

SCA’s jargon is plentiful and seems to be entirely made up of three-letter acronyms. Here are a few examples: Risk Based Authentication (RBA), Transaction Risk Analysis (TRA), 3D-Secure (3DS), One-Time Password (OTP), Merchant Initiated Transactions (MIT), Customer Initiated Transactions (CIT), Continuous Payment Authority (CPA), Regulatory Technical Standard (RTS), Third Party Provider (TPP), Account Information Service (AIS), Payment Initiation Service (PIS), Application Programming Interface (API), Terminal Management System (TMS), Point Of Sale (POS), and Common and Secure open standards of Communication (CSC). This long list of three-letter acronyms hasn’t been fabricated just for your entertainment. All of these and more are part of the SCA rules and regulations or will be directly impacted as a result of SCA.

How can Edgar, Dunn & Company (EDC) help?

All the parties in the ecosystem are facing an enormous challenge of creating a frictionless payment experience for consumers at the payment checkout. EDC is in a unique position because we are independent of the SCA solution technology vendors. We guide the industry on how the SCA requirements will work in practice and who will be expected to perform SCA, and we recommend the best way to minimise the burden of the authentication process for retailers and their consumers. If you want to know more about how EDC can help with your plans to prepare for SCA compliance, see www.edgardunn.com/sca or contact mark.beresford@edgardunn.com.

The content of this article does not reflect the official opinion of Edgar, Dunn & Company. The information and views expressed in this publication belong solely to the author(s).
