Organizations with an online presence must ensure that they are fully prepared for Strong Customer Authentication (SCA) compliance for e-commerce transactions.
From 14 March 2022, any online merchant or retailer (e-commerce business) that fails to meet the requirements may face Financial Conduct Authority (FCA) fines and have customer purchases declined.
Why the Delay?
The FCA has extended the deadline for implementing SCA for e-commerce transactions from 14 September 2021 to 14 March 2022. The extension was intended to give companies more time to implement SCA for card-based e-commerce transactions in response to industry concerns about readiness, while limiting the impact on consumers and e-commerce businesses.
For further information on implementing SCA and applying it to e-commerce and online banking, the Financial Conduct Authority (FCA) provides guidance on its website.
This is not the first delay; the SCA deadline has been pushed back several times. SCA is a complicated set of requirements, and both e-commerce businesses and banks have needed adequate time to prepare, bearing in mind that most merchants and retailers, as well as many banks, are developer-constrained and have many other priorities to fulfil.
This additional six-month delay minimises disruption to e-commerce businesses and consumers and has given merchants and retailers more time to get it right, in recognition of the ongoing challenges facing the industry.
A Very, Very Brief Account of SCA
Strong Customer Authentication (SCA) is part of the European Union’s Payment Services Directive (PSD2), which has been adopted by the UK, and is intended to make online payments more secure as customers increasingly shop and pay online.
The directive expands on three key areas of legislation introduced with the original Directive in 2007. These areas include increased consumer rights in payments, creating a level playing field by bringing third-party access to account information under regulation, and enhanced security.
Enhanced security specifically refers to a set of requirements known as Strong Customer Authentication (SCA). These requirements have far-reaching consequences for any company with an online presence.
When end-users make an online payment, SCA adds an extra layer of security. Until recently, customers could simply enter their payment details and complete their purchase. Over the last few months, however, consumers will have noticed additional authentication steps as banks and merchants have started to roll out SCA.
Identity to Identify & Prove to Process
E-commerce shoppers should be prepared to have their identities checked and, at times, to see more payment card transactions declined as payment authentication becomes more stringent.
SCA recognises three categories of authentication element. Within each category there are a number of methods that can satisfy it:
- Knowledge (something only the payer knows) - e.g. a password, PIN, passcode, or a secret fact/answer.
- Possession (something only the payer has) - e.g. their mobile phone, smart watch, smart card, or a hardware token.
- Inherence (something the payer is) - e.g. fingerprints, facial recognition, voice patterns, DNA signatures, or iris patterns.
Before processing a remote payment transaction, the payment service provider (PSP), which for card payments is in practice the card issuer, acting through 3-D Secure, must verify that the customer is who they claim to be. The payer must present at least two elements from different categories, and those elements must be independent, so that the compromise of one does not compromise the reliability of the other. Only then can the payment be completed. The PSD2 regulatory technical standards also define exemptions (for example, certain low-value or low-risk transactions) under which the issuer may choose not to challenge the payer, but a merchant cannot rely on being exempted.
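As an added example (written for this post, not code from the blog author, the FCA or any card scheme), the following Python sketch turns the two rules into an issuer-side checker: at least two verified elements from different categories, and the elements must be independent. Independence is modelled here by a `binding` string naming the secret or device whose compromise would reveal the element; two elements with the same binding are not counted as independent. That model, the `Element` type, the sample elements and the key are illustrative assumptions. The block also shows dynamic linking, which the post does not cover but which the PSD2 regulatory technical standards require for remote payments: the authentication code must be specific to the amount and payee, so a code issued for one transaction cannot be reused for another.

```python
"""Simplified SCA policy check for a remote card payment (illustration only)."""
from dataclasses import dataclass
from enum import Enum
import hashlib
import hmac
import secrets


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the payer knows
    POSSESSION = "possession"  # something only the payer has
    INHERENCE = "inherence"    # something the payer is


@dataclass(frozen=True)
class Element:
    name: str
    category: Category
    binding: str    # secret/device the element depends on (modelling assumption)
    verified: bool  # True only if the issuer successfully validated it


def sca_satisfied(elements):
    """True if some pair of verified elements comes from two different
    categories and relies on two different bindings (independence)."""
    ok = [e for e in elements if e.verified]
    for i, a in enumerate(ok):
        for b in ok[i + 1:]:
            if a.category != b.category and a.binding != b.binding:
                return True
    return False


def authentication_code(key: bytes, amount_minor: int, currency: str,
                        payee: str, nonce: str) -> str:
    """Dynamic linking: the one-time code is an HMAC over the amount and payee
    shown to the payer, so it is only valid for that exact transaction.
    (Illustrative construction; real schemes use their own cryptograms.)"""
    msg = f"{amount_minor}|{currency}|{payee}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_dynamic_link(key: bytes, code: str, amount_minor: int,
                        currency: str, payee: str, nonce: str) -> bool:
    expected = authentication_code(key, amount_minor, currency, payee, nonce)
    return hmac.compare_digest(expected, code)


# Constructed sample elements (not real customer data).
PASSWORD = Element("password", Category.KNOWLEDGE, "password-store", True)
SECRET_ANSWER = Element("memorable word", Category.KNOWLEDGE, "password-store", True)
SMS_OTP = Element("SMS one-time code", Category.POSSESSION, "sim-card", True)
UNVERIFIED_OTP = Element("SMS one-time code", Category.POSSESSION, "sim-card", False)
FINGERPRINT = Element("fingerprint", Category.INHERENCE, "phone-secure-enclave", True)


def demo():
    """Run the checker over the constructed elements and a dynamic-link case."""
    results = {
        "password+otp": sca_satisfied([PASSWORD, SMS_OTP]),
        "password+memorable word": sca_satisfied([PASSWORD, SECRET_ANSWER]),  # same category
        "password+unverified otp": sca_satisfied([PASSWORD, UNVERIFIED_OTP]),  # only one verified
        "fingerprint+otp": sca_satisfied([FINGERPRINT, SMS_OTP]),
    }
    key = b"issuer-shared-secret-for-this-card"  # constructed, not a real key
    nonce = secrets.token_hex(8)
    code = authentication_code(key, 4500, "GBP", "MERCHANT-A", nonce)  # GBP 45.00
    results["link ok"] = verify_dynamic_link(key, code, 4500, "GBP", "MERCHANT-A", nonce)
    # Same code presented for GBP 450.00 must fail: the code is bound to the amount.
    results["link tampered amount"] = verify_dynamic_link(key, code, 45000, "GBP", "MERCHANT-A", nonce)
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'pass' if passed else 'fail'}")
```

The `binding` test is deliberately simple: a password and a memorable word stored by the same issuer share one binding and one category, so they never count as two elements, while a PIN typed into a banking app and a key held in that phone's secure hardware have different bindings and can both be used on the same device, which matches the EBA's position on multi-purpose devices.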
SCA is being implemented to help reduce fraud even further. With an increasing number of online purchases, these new rules will provide the additional safeguards required to ensure that customers are safe when shopping online.
What are the risks for online merchants and retailers?
The FCA has been encouraging e-commerce businesses to collaborate with card issuers to implement SCA since the deadline was extended. If an e-commerce transaction does not meet the SCA requirements, it may be declined by the card issuer or bank. A high number of declined transactions raises costs and complaints, erodes customer confidence and can cause reputational damage, in addition to any FCA fines.
From 18 January 2022, card issuers will start declining some non-compliant transactions, with all non-compliant transactions being declined after the 14 March deadline. The FCA has stated that there will be no further extensions to this deadline.
The Root of Trust for Payment Card and Payment Transactions
Keeping up with technology developments while meeting regulations and compliance standards presents continuous challenges. To keep pace with the payments industry, payment systems have had to evolve, adopt the latest technology and meet the latest regulations and compliance standards.
The Atalla AT1000 provides a solution to these challenges. It is a highly secure and flexible payment HSM designed for transaction processing, PIN translation and verification, and card production and personalisation. The Atalla AT1000 supports all major card schemes, including Visa, Mastercard, Amex, UnionPay, Diners and Discover, and integrates with all major banking applications. Learn more about the fastest and most compliant payment HSM on the market.
Blog post by Dawn Illing
About the author
Dawn Illing is a product development manager with over 25 years of product management experience in the banking, insurance and cyber security industries. Working internationally across EMEA has inspired her interest in cross-border digital identity and cyber security, including the interoperability requirements that successful delivery of digital products and market solutions depends on.