Strong Customer Authentication Needs Alternative Solutions to be Developed: Otherwise Merchants will Foot the Bill, Again
To many international onlookers, Strong Customer Authentication (SCA) – originally scheduled for September 14th 2019 – may have looked like the Y2K of this decade. Comparisons can be drawn between the two events: a memorable acronym, technological concerns, a scramble to get ready, and ultimately as the clock struck midnight… nothing much happening.
The key difference, however, is that the non-event of SCA is due to the deadline effectively being delayed across Europe until December 31st, 2020. The European Banking Authority (EBA), overseeing the technical implementation of SCA, announced in October that the card industry has an additional 15-month grace period during which no regulatory action will be taken against merchants that do not comply with SCA rules – although the regulators are generally quick to point out that the original deadline of September 14th still technically stands. Despite this breathing room, merchants are not quite out of the woods yet.
At its core, SCA is a multi-factor authentication mandate requiring at least two of three factor categories: inherence, knowledge and possession. In practice, this has the greatest effect on ‘remote’ transactions such as Card Not Present and contactless. The primary concern among merchants was that the payments supply chain was not ready with solutions in time for the original deadline despite having 20 months for development after SCA’s parent legislation Payment Services Directive 2 (PSD2) entered into force. The supply chain is still not ready, and there is a significant chance of it not even being ready by the new December 2020 deadline.
One of the reasons for this lack of readiness in the supply chain, which has a knock-on effect on the readiness of merchants, is the over-reliance on the EMVCo solution: 3-D Secure. The protocol has become almost synonymous with SCA over the past months, despite it being just one product in the market. Indeed, much of the lobbying around securing a delay to SCA was based on development timelines for 3-D Secure versions 2.1 and 2.2.
For merchants facing a complex and ever-evolving SCA landscape, having one market-wide SCA solution may, admittedly, sound attractive. However, as with many solutions promoted by the global card networks, simplicity comes at a cost. Visa and Mastercard have introduced a new eurocent per transaction scheme fee for any transaction sent via 3-D Secure version 1 or version 2, costing merchants an additional €61 million annually. The fee structure seems suboptimal, too. The networks may have seen significant costs for developing the product, but negligible ongoing costs, so a fixed fee per transaction will result in near pure profit for Visa and Mastercard once the initial development costs are recouped.
Perhaps even more damaging are the potential non-compliance fees that both global card networks have suggested they will levy on merchants that have not implemented 3-D Secure, expected to be introduced towards the end of 2020. Essentially, merchants have to pay either way, unless they can send transactions with exemption requests: a part of the SCA rules that allows low-risk transactions to avoid Strong Customer Authentication and not necessarily need 3-D Secure as part of the transaction. However, due to the networks commercializing the alternative, CMSPI have seen merchant processors charging merchants new fees for the routing logic required to apply for SCA exemptions: meaning that merchants really are facing higher fees regardless of what they do.
Not only will merchants face increased and unavoidable costs, but the 3-D Secure solution itself is not particularly innovative. In June of this year, the EBA published an opinion stating that information transmitted using EMV 3-D Secure was not sufficient to constitute an inherence factor, meaning that the potentially less consumer-friendly factors of possession and knowledge are more likely to be used to authenticate customers. Many local debit cards and other payment methods across Europe, such as Bancontact in Belgium, already use solutions that are SCA-compliant and incorporate friction-minimizing inherence factors like fingerprint scanning.
In summary, the SCA delay cannot be treated by any industry participants as a period to relax. The EBA justified the reprieve of 15 months – against strong lobbying for a longer grace period – with a comment that the proposed 18-month timelines were heavily dependent on the development of 3-D Secure v2.1 and v2.2. While the regulator seems to have realized that 3-D Secure is not the be-all and end-all of SCA solutions, the industry has not quite got the memo. It is up to merchants now to engage in their respective country’s SCA rollout plans and ensure that roadmaps are technology-neutral, fostering true innovation and customer-focused solutions – and it seems like we may have a fight on our hands.