PSD2 introduced the need for SCA, but implementation has been a long journey and several deadline extensions reflect the low levels of market readiness and the disruptions caused by COVID-19.
Strong Customer Authentication (SCA) has the potential to reduce e-commerce payment fraud in the same way that Chip & PIN secured face-to-face card payments.
New research findings, highlights of which are below, will help organisations use the remaining time wisely and ensure cardholders are not negatively impacted.
The FCA has recently completed a consultation on SCA and the underlying Regulatory Technical Standards and updated its Approach Document on this topic.
To recap, Strong Customer Authentication (SCA) ensures the authenticity of a customer by using multi-factor authentication (MFA) to confirm that a customer is genuine.
Two separate elements are required to check a user’s identity, and these must come from the possession, knowledge and inherence categories.
The PSD2 regulations set out the need for payment system users to be authenticated in accordance with Regulatory Technical Standards (RTS).
SCA is being introduced to tackle e-commerce remote purchase card fraud, which, according to UK Finance data, has grown by 170% since 2011 to £376 million in 2020.
SCA has had a long and chequered implementation period. The European Banking Authority (EBA) originally planned for SCA to be enforced throughout the European Economic Area (EEA) by 14th September 2019, but due to a general lack of market readiness, a lack of clarity on the underlying standards and the impact of COVID-19, the Financial Conduct Authority (FCA) agreed that this could be extended until 14th March 2021, then to 14th September 2021 and finally until 14th March 2022.
Continental Europe was also given additional time but only up to the 31st December 2020, unless a national ramp-up plan was agreed.
The final deadlines for enforcement in major European countries after the completion of ramp-up plans were:
- 1st March in Spain
- 15th March in Germany
- 1st April in Italy
- 15th May in France
- 1st July in Ireland
This research identifies the lessons that can be learnt from continental Europe, the best practices that can be followed in order to minimise customer friction and the early impact SCA is having on fraud levels.
It also set out to discover the latest UK market readiness status, the remaining challenges and barriers that must be overcome, the technologies and exemptions that offer the greatest potential and the expectations and priorities for the next two years.
The introduction of SCA has required all entities within the payments value chain to change how they process a card payment transaction, with authentication now needing to be completed prior to funds authorisation.
Therefore, merchants have had to develop appropriate authentication strategies including supporting 3DS; gateways were required to upgrade their service to the new EMV 3DS2 standards; acquirers needed to manage exemptions and fraud rates; networks have had to update rules, directory servers and provide communications to all parties; and issuers needed to authenticate cardholders, apply exemptions and enhance their risk controls.
The SCA-regulated entities are the issuer and acquirer, and they are required to demonstrate their compliance to their National Competent Authority (NCA), which in the UK is the FCA.