Strong Customer Authentication (SCA) – the latest security standard in the EU’s payments regulation – has been keeping market players on their toes. Business readiness to support it is becoming an increasingly pressing matter due to the rapidly approaching enforcement deadline, as well as rising levels of e-commerce fraud.
Strong Customer Authentication, or SCA, officially went into effect on the 14th of September, 2019. However, with the market unprepared to roll out the necessary changes by the originally set date, the European Banking Authority has pushed the final deadline to the 31st of December, 2020, with a few exceptions for an even later time in 2021. As the cut-off time approaches, so does the moment of truth: has the extended period enabled market players to adapt to the new regulation?
For those out of the loop, the SCA law mandates two-factor authentication for all online transactions and contactless payments made within the EU. Given that e-commerce scams have been rising globally – the pandemic has played its part in the matter – the new reform is expected to provide an extra layer of security for customers.
In April 2020, the fraud attempt rate based on transaction value rose by 13% compared to the same timeframe in 2019, underscoring how timely the regulation is. However, without proper preparation on both ends of the transaction, the enforced requirements are likely to result in increased friction, rather than weeding out scammers.
Marius Galdikas, CTO at ConnectPay, notes that many are still questioning why and how exactly this will affect them. “Businesses and PSPs were not ready to handle the high volume traffic alongside setting up the new safeguards, hence the EBA’s permitted delay. A number of them, mostly SMBs, are still unaware of the SCA’s true impact on their activities,” he stated.
To reduce the number of confused shoppers, declined payments, and abandoned shopping carts, Mr. Galdikas advised that getting on the path of SCA compliance should be the north star of every vendor’s current roadmap to prevent losing a great deal of sales. “What should not be overlooked is that SCA encompasses not just 2FA, but much more, including dynamic linking and proper messaging to the customer about operations being authorized.”
Although SCA compliance should be at the top of everyone’s mind, it is overshadowed by the current global landscape. Vendors are still wrestling with the consequences of the pandemic, trying to raise profits after months of imposed lockdown, and, with the deadline closing in, some have described this European Commission law as “kicking retailers while they’re down”.
That said, in April, global e-commerce retail sales reached 209 percent year-over-year revenue growth. According to Mr. Galdikas, despite the adverse circumstances, implementing SCA-related changes is imperative for avoiding the precipitous levels of fraud that rise alongside increasing profits.
And yet, there are a few points the policy failed to address, for example, bulk payments – transactions to multiple beneficiaries from a single bank account – and the intricacies concerning their approval. “Each payment order has a unique ID and requires distinct PIN codes to verify them. However, generating many PINs – and fast – becomes tricky, especially for banks still running on legacy systems, which are not up to speed to SCA requirements.”
Mr. Galdikas noted the urgency of moving SCA up the list of priorities for merchants and PSPs to prevent transactional errors, mentioning that ConnectPay had already done so in early May. It released an app, which covers multi-factor authentication and one-tap approvals for payments, and is also the basis for numerous innovations to come.
The new SCA requirements may still be a head-scratcher for businesses, banks and consumers alike, hence the importance of giving them the necessary attention – to avoid vital steps being lost in translation.