Getting on the path towards Strong Customer Authentication (SCA) compliance should be the “north star of every vendor’s roadmap”, said ConnectPay CTO Marius Galdikas, as we move towards the revised final deadline for the new payment security standards set by the European Banking Authority (EBA).
The SCA law mandates two-factor authentication for online transactions and contactless payments made within the EU.
The law officially came into effect on 14 September 2019. However, with the market unprepared to roll out the necessary changes by the set date, the EBA pushed the final deadline to 31 December 2020, with a few exceptions which will come into force in 2021.
Given that e-commerce scams have been rising – something the pandemic has played its part in – the new reform is expected to provide an extra layer of security for customers.
In April of this year, the fraud attempt rate based on transaction value increased by 13% compared to the corresponding month in 2019, according to analysis by ACI Worldwide published on Retail TouchPoints. This emphasises the timeliness of the SCA regulation.
But with the new cut-off time quickly approaching, Galdikas is concerned that many are still overlooking the “true impact” of the new laws.
He said: “Businesses and PSPs were not ready to handle the high volume traffic alongside setting up the new safeguards, hence the EBA’s permitted delay. Yet a number of them, mostly SMBs, are still unaware of the SCA’s true impact on their activities.
“What should not be overlooked is that SCA encompasses not just 2FA, but much more, including dynamic linking and proper messaging to the customer about operations being authorised.”
Although he stressed that SCA compliance should be at the top of everyone’s mind, he admitted that many vendors are still wrestling with the consequences of the COVID-19 pandemic, and trying to raise profits after months of imposed lockdown.
The European Commission’s refusal to further delay the SCA rules for online transactions could cost merchants up to €90 billion in lost sales for 2021 alone, said payments consultancy CMSPI, fuelling the feeling of “kicking retailers while they’re down”.
That being said, global e-commerce retail sales are on the up. The aforementioned ACI Worldwide analysis found that sales saw 209% year-on-year revenue growth.
According to Galdikas, implementing SCA-related changes is imperative to keep fraud from rising precipitously alongside increasing profits.
Yet he believes that the SCA requirements failed to consider one major subject: multiple transactions. This may impede the transition of payment service providers (PSPs) to SCA compliance, impacting both retailers and consumers.
When making multiple transactions from a single debit account, each payment will now need to be approved separately. However, issuing multiple PIN codes – and doing it fast – for payment verification is not that simple, and requires advanced technological solutions.
“Each payment order has a unique ID and requires distinct PIN codes to verify them,” he said. “However, generating many PINs – and fast – becomes tricky, especially for banks still running on legacy systems, which are not up to speed to SCA requirements.”
He urged merchants and PSPs to move SCA up the list of priorities to prevent transactional errors, adding that ConnectPay had already done so in early May by releasing an app which covers multi-factor authentication and one-tap approvals for payments, and is also the basis for numerous innovations to come.
The new SCA requirements may still be a head-scratcher for businesses, banks and consumers alike, hence the importance of giving them the necessary attention to avoid vital steps being lost in translation.