The European Payment Institutions Federation (EPIF) has called for a delay to the implementation of Strong Customer Authentication (SCA) of at least six months in a letter dated 24 April 2020, to the European Banking Authority.
While EMV 3DS implementation is progressing across Europe, it is now clear that the COVID-19 crisis has significantly reduced the capacity available to progress Strong Customer Authentication development and implementation.
EPIF’s letter noted that: “The signatories have invested considerable resources to meet the deadline for completing the implementation of the Strong Customer Authentication (SCA) requirements under PSD2.” It went on to say: “Our members are working hard to be ready to comply with their legal requirements pertaining to SCA by December 2020.”
The letter said, “The exceptional circumstances of this disease is putting an additional strain on the limited resources for all parties involved in the payment chain. During the pandemic, companies have had to focus their efforts on business continuity, prioritising business critical activities targeted at maintaining stability and supporting consumers though the crisis.
Many have had to change their operations to service new and pressing customer needs which, in many cases, includes relaxing their normal business terms. This all requires redeployment of resource to manage this activity and the governance and controls surrounding it. For many merchants, this also has to be delivered by a reduced workforce through layoffs arising from falling revenues and necessary social distancing measures.
“Consumers are relying on e-commerce more than ever, and therefore maintaining product availability and ensuring a smooth and friction free customer journey, with these increased volumes will be the priority of technical teams.
Given these pressures, merchants cannot accommodate any additional risk of payment disruption. Making technology changes when in crisis mode, with technical teams working remotely, adds significant risk to any deployment which could lead to further disruption, confusion and a worse customer experience. This is an unnecessary additional challenge when consumer confidence is at an all-time low, and non-food online sales are already depressed, and may lead to operational overload for already strained call centres.”
The payments ecosystem involves a high number of dependencies and, EPIF said, parties must work together to implement Strong Customer Authentication. “The constraints the current crisis places on the roll out of SCA technology severely limits the time available for participants to test together, which is essential to a safe and controlled implementation. Critically, the time lost during lockdown will not be able to be recovered later in the year due to system freezes pre-peak trading. Avoiding disruption is even more critical this year as this will coincide with the early stages of economic recovery.”
However justified this request might be given the current circumstances caused by COVID-19, it may be shortsighted and will ensure that payments companies pay more down the line. First of all, e-commerce has been booming due to an enormous number of transactions moving online given the ongoing global self-isolation requirements. This increase in volume of online purchases, coupled with an influx of many new, inexperienced e-commerce users, is a perfect reason for fraudsters to ramp up their activity.
Consumers who are new to buying most of their necessities online are also more likely to be trusting of various sources than those used to e-commerce. A particular example would be the elderly, who now have to order their groceries online. These consumers will be easy targets for fraudsters.
Saving money now on implementing a new security technology will pale in comparison to the higher price needed to be paid in the future by payment companies to reimburse fraud victims who could have been protected had SCA been in place. Not only will companies lose money directly, but potentially also the trust and loyalty of consumers following fraud attacks.