The strong customer authentication (SCA) requirements under PSD2 are set to go live this September. Unfortunately, there’s a general opinion that many will not be ready, which has been echoed by the European Banking Authority (EBA). In their recent opinion on SCA, the EBA has conceded that there is a lack of preparedness, especially for downstream actors such as e-commerce merchants.
Join us as we walk through what the recent opinion means, including:
The role of 3-D Secure in meeting SCA requirements
What flexibility there may be in implementing SCA
Compliance with different authentication methods for SCA
Factors to consider when implementing an SCA solution
How to minimize the impact of SCA on your customer journey
Slide: Meet SCA Requirements of PSD2 (four strategies for e-commerce transactions)
Alternative e-payment methods: offer non-regulated payment methods
Transaction risk analysis: apply transaction risk analysis to filter out low-risk transactions
SCA exemptions: filter transactions that are exempted from SCA
Optimize user experience: optimize the user experience for transactions that require SCA
Source: Aite Group Report “PSD2: Advent of the New Payments Market in Europe”
For high-risk transactions like account origination and loan application, iovation can go further than device intelligence to establish identity by verifying the email and phone number provided by the consumer.
Article 4 of the PSD2 (Directive (EU) 2015/2366) defines “Strong Customer Authentication” as authentication based on the use of two or more elements categorised as:
Knowledge – something only the user knows
Possession – something only the user possesses
Inherence – something the user is
Independence means that the two authentication factors have to be out-of-band from each other, so that a breach of one does not compromise the other. That is why at least two of the three independent factors are required.
SCA also requires dynamic linking – being able to tie a transaction to a specific amount and payee with a unique authentication code.
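Dynamic linking as an added, simplified illustration (not code from the deck or from iovation): the authentication code is a keyed MAC over the amount, the payee and a nonce, so changing any of them invalidates the code. PAYER_KEY, the nonce handling and the message encoding are assumptions; a real scheme would also show the amount and payee to the payer on the authenticating device and would normally let the issuer supply the nonce as a challenge.

```python
import hashlib
import hmac
import secrets

# Hypothetical per-payer key shared between the authentication device and the issuer
# (provisioned at enrolment in practice; constructed here for the demonstration).
PAYER_KEY = secrets.token_bytes(32)

def linking_message(amount_cents: int, payee: str, nonce: bytes) -> bytes:
    # Canonical encoding: fixed-width amount, length-prefixed payee, then the nonce,
    # so two different (amount, payee) pairs can never produce the same byte string.
    payee_bytes = payee.encode("utf-8")
    return (amount_cents.to_bytes(8, "big")
            + len(payee_bytes).to_bytes(2, "big") + payee_bytes + nonce)

def issue_auth_code(key: bytes, amount_cents: int, payee: str) -> tuple:
    """Device side: return (code, nonce); the fresh nonce makes every code unique."""
    nonce = secrets.token_bytes(16)
    code = hmac.new(key, linking_message(amount_cents, payee, nonce), hashlib.sha256).digest()
    return code, nonce

def verify_auth_code(key: bytes, amount_cents: int, payee: str,
                     nonce: bytes, code: bytes) -> bool:
    """Issuer side: the code is valid only for exactly this amount and this payee."""
    expected = hmac.new(key, linking_message(amount_cents, payee, nonce), hashlib.sha256).digest()
    return hmac.compare_digest(expected, code)
```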
*Compliance with SCA requirements is dependent on the specific approach used in the implementation of the elements.
Possession of a device evidenced by an OTP generated by, or received on, a device (hardware or software token generator, SMS OTP)
Possession of a device evidenced by a signature generated by a device (hardware or software token)
Card or device evidenced through a QR code (or photo TAN) scanned from an external device
App or browser with possession evidenced by device binding — such as through a security chip embedded into a device or private key linking an app to a device, or the registration of the web browser linking a browser to a device
In an effort to avoid the disruption of online transactions that do not meet SCA requirements, the EBA has agreed that the competent authorities (CAs) may “decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time to allow issuers to migrate to authentication approaches that are compliant with SCA.” They went on to say, however, that “this supervisory flexibility is available under the condition that PSPs have set up a migration plan, have agreed to the plan with their CA, and execute the plan in an expedited manner.”
The EBA stressed that such delays will only be available where payment service providers have agreed a migration plan with the competent authority. It is hoped that this additional supervisory flexibility will help merchants handle the transition.
The British Retail Consortium estimates that 25 percent to 30 percent of online purchases may fail when the SCA measures are rolled out.
“Communication protocols such as EMV® 3-D Secure provide a means for merchants to support the use of SCA. The EBA notes that versions 2.0 and newer support a variety of SCA methods, while trying to ensure customer convenience, limiting fraud through data sharing and transaction risk analysis, and enable the use of exemptions set out in the RTS. For those reasons, the EBA encourages the use of such communication protocols and expedient onboarding. Older protocols such as EMV® 3-D Secure version 1.0, although supporting the use of SCA, are not fully adapted to PSD2.”
Transactions that are considered “low risk” can be exempted from the SCA requirement:
Lower fraud rates will become a competitive advantage, since they qualify for exemptions at higher transaction amounts and therefore less friction.
To be allowed the exemption based on transaction risk analysis, the solution must be operating in real-time and must verify a transaction against anomalies in user behavior. Check points shall include the following:
Previous spending patterns of the payer
Payment transaction history of the payer
Location of the payer and the payee at the time of the payment
Previous use of the access device or the software provided to the payment service user for SCA
To retain control over the buyer’s journey merchants will need to work cooperatively with payment processors in order to reach the highest exemption thresholds, but this could provide a major competitive advantage on a number of fronts:
One click shopping: Being able to expedite payment processing for a higher volume of transactions, i.e. all transactions below €500 vs. only transactions below €30
Cost savings: Reduce the overall number of transactions subject to higher cost SCA checks
Reduced friction: Only step-up transactions above the exemption threshold or with risk signals to SCA
Reference fraud rate (%) = total value of successful fraudulent transactions ÷ total value of all successful transactions (including both SCA-authenticated and exempted transactions)
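The transaction risk analysis checks listed above, the reference fraud rate formula and the amount-based exemption tiers, worked as an added Python example (not code from the deck or from iovation). The tier values in TRA_TIERS are the RTS Annex figures for remote card payments as I recall them and should be confirmed against the RTS; the anomaly rules and the payer history are constructed, illustrative policy.

```python
from collections import namedtuple

# TRA tiers for remote card payments as I recall the RTS Annex (assumption; confirm against
# the RTS): a fraud rate at or below max_rate allows the exemption up to max_amount EUR.
TRA_TIERS = ((0.01, 500.0), (0.06, 250.0), (0.13, 100.0))  # (max_rate %, max_amount)

def reference_fraud_rate(fraud_value: float, total_value: float) -> float:
    """Percent, per the text: value of fraudulent / value of all successful transactions."""
    if total_value <= 0:
        raise ValueError("no transaction volume to compute a rate over")
    return 100.0 * fraud_value / total_value

def exemption_threshold(fraud_rate_pct: float) -> float:
    # Highest amount the TRA exemption may cover at this fraud rate (0.0 = no exemption)
    for max_rate, max_amount in TRA_TIERS:
        if fraud_rate_pct <= max_rate:
            return max_amount
    return 0.0

Txn = namedtuple("Txn", "amount payee payer_country device_id")  # amount in EUR
# Constructed summary of the payer's past activity: a list of amounts and sets of the rest
PayerHistory = namedtuple("PayerHistory", "amounts payees countries devices")

def risk_signals(txn: Txn, hist: PayerHistory) -> list:
    # The four checkpoints in the text, each turned into an anomaly flag (illustrative rules)
    signals = []
    if hist.amounts and txn.amount > 3 * max(hist.amounts):
        signals.append("amount far above previous spending pattern")
    if txn.payee not in hist.payees:
        signals.append("payee absent from payment transaction history")
    if txn.payer_country not in hist.countries:
        signals.append("payer location not seen before")
    if txn.device_id not in hist.devices:
        signals.append("access device not previously used for SCA")
    return signals

def decide(txn: Txn, hist: PayerHistory, fraud_rate_pct: float) -> tuple:
    # ("exempt", []) when TRA allows skipping SCA, otherwise ("sca", reasons) to step up
    signals = risk_signals(txn, hist)
    limit = exemption_threshold(fraud_rate_pct)
    if txn.amount > limit:
        signals.append(f"amount {txn.amount:.2f} exceeds TRA threshold {limit:.0f}")
    return ("exempt", []) if not signals else ("sca", signals)
```

The reasons list is what a merchant or processor would log for each step-up, which is the evidence a competent authority can ask for when the exemption is audited.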
In a well-designed system you can incorporate risk signals to tailor the level of authentication to the riskiness of the transaction. For instance, if a customer is logging in from a known device and just wants to view their balance, that is a low-risk transaction. But if the same customer logs in from a new, unknown device and wants to transfer $10,000 out of their account, that is a much riskier transaction. This is why risk insight is so important: not only will it allow you to apply the right level of authentication based on risk, it will also help you create a better user experience.
Device-based authentication isn’t reliant on personal data that has likely been breached, and is very low friction for customers.
Omnichannel flexibility: Today, authentication varies by the channel. On the web, customers enter their username and password. They enter the same credentials on your mobile app, but with a tiny, typo-prone keyboard. Imagine a time when every channel will use the same simple authentication method: the user’s device. Across the web, mobile app, streaming service, call center, and even in store.
A recent study found that businesses with the strongest omnichannel customer engagement strategies have an average customer retention rate of 89%, as compared to 33% for companies with weak omnichannel strategies. (source: v12 Data, https://www.v12data.com/blog/25-amazing-omnichannel-statistics-every-marketer-should-know/)