Published Friday 17th May 2019
Secure Customer Authentication (SCA) is coming fast, and with many businesses naturally focused on managing the uncertainty of Brexit, some may struggle to plan thoroughly enough to avoid losing web sales when the September deadline arrives.
SCA requires the cardholder to provide two out of the three things, shown in the graphic below, to authenticate their identity for each transaction. Biometrics are convenient for mobile transactions; however, the fall-back method will be 3D Secure (3DS, branded as Verified by Visa, MasterCard SecureCode and American Express Safekey). As the launch of the new 3DS version in April approaches, we are seeing different approaches and preparedness across the gateway market.
By September, 3DS will be the mandatory fall-back for online payments; however, this does not mean that every transaction will require cardholders to input three digits from a password that they have probably forgotten. With the current version of 3DS, only 5% of 3D Secure transactions require password input. The new version (3DSv2.0) aims to match that level, but it depends on both the merchant and the payment gateway providing sufficient information for effective risk assessment by the card issuer.
Inside sources believe that businesses which continue to use the old version after September 14th may see passwords required in around 50% of transactions, which could lead to a significant loss of profitable sales. The ideal, of course, is to require cardholders to authenticate themselves only when a transaction is highly risky. The regulation allows for some exemptions which may enable this to happen.
How does the consumer feel about it?
FICO, the data analytics company, has researched consumer attitudes and responses to various types of authentication. Their findings suggest that UK consumers perceive payments to be secure and do not want the friction and delay of authentication. Therefore, gateways need to manage transactions and optimise the use of exemptions actively. Where security steps cannot be avoided, they should offer the consumer attractive and easy ways to confirm their identity. Some gateways have already developed engines to do just this. Others tell us that they are ‘looking at their strategy’.
How important are gateways?
The quality of the gateway solution will be vital to achieving online transactions from September. But that is just the start. The go-live version of 3DS will quickly be updated to offer smoother transactions. Telephone transactions will be brought into the authentication net under a version already undergoing industry review. We will aim to publish further information and updates on SCA in the coming weeks and months, so we would recommend keeping up-to-date with our company blog; though naturally, the action needed will differ from business to business. It is, therefore, important that every organisation consults with a professional to understand how their company will be affected by these changes.
About the Author: Paul Davidsonis a leading member of ERA’s European Banking and Payments Team having joined ERA in 2005, after a 25-year banking career. Paul has delivered consistently for ERA’s clients and was named ERA UK’s Consultant of The Year in 2013.
(+44) 07939 127303
(+44) 020 8309 7075