The EU strong customer authentication requirements have evolved over time with the publication of various drafts and clarifications by the European Banking Authority. They are essentially written by lawyers for lawyers and devised at a European level but implemented locally. Unsurprisingly, various myths have developed around strong customer authentication (SCA). We dispel them in this blog.

 

It doesn’t apply to me

If you’re selling to customers in Europe and the UK, the strong customer authentication requirements under the revised Payment Services Directive (PSD2) more than likely apply.

From 31 December 2020 in Europe (and 14 March 2021 in the UK), every electronic transaction will require strong customer authentication, except in a very few cases. The main one is if your payment provider or that of the cardholder is based outside the European Economic Area (EEA). These are so-called ‘one leg out’ transactions.

However, European Economic Area (EEA) customers trading with EEA retailers are invariably backed by EEA payment providers, so fall within the scope of the requirements.

 

There is no specific fraud issue in my market

The nature of shopping habits, lifestyles and technology is changing. And unfortunately, so is fraud.

Customers are shopping more and more online.

Since the adoption of EMV chip technology in physical stores, fraud has migrated to remote channels. Criminals target the weakest link.

At the same time, consumers are increasingly shopping online. 71% of internet users in the EU shopped online in 2019. And 35% of e-buyers made purchases from sellers in other EU countries, compared with 2% in 2014, according to Eurostat.[1]

So, if you’re not ready for strong customer authentication by the implementation deadline, you could quickly find yourself the weakest link — irrespective of whether or not you have a current fraud issue in your market.

 

It is not that much more secure

Two or more factors are better than one. That’s the idea behind strong customer authentication, also known as multi-factor authentication.

This comprises two or more of: something a customer knows (e.g. a PIN or password), something they have (e.g. a device or token) and something they are (e.g. fingerprint).

The new strong customer authentication requirements move away from static passwords, which are both easier for fraudsters to compromise and easier for customers to forget.

The roll-out is Europe-wide and does not depend on individual customers or retailers enrolling, which helps protect online payments across the region as a whole.

 

Not everyone is migrating

In the UK and every European country, providers are getting ready for the new strong customer authentication requirements.

The implementation deadlines of 31 December 2020 in Europe (and 14 March 2021 in the UK) are fast approaching. All merchants, acquirers, gateways, issuers and payment service providers must be ready to support strong customer authentication.

E-commerce transactions that cannot be authenticated, or those without exemptions, will be declined after the implementation deadlines.

 

There are no strong customer authentication solutions

All types of strong customer authentication already exist in the market or are in development.

PXP Financial’s ANYpay gateway already supports both 3DS 1.0 and 3DS 2.0 and is certified with the main international card schemes to that end. This means we can automatically use the 3DS version supported by the cardholder’s issuer.

We have also devised strong customer authentication policies for processing online payments to suit all merchants, sectors and geographies. Our ANYpay online developer hub also contains various integration guides, API references, examples and test scripts and is publicly available at https://developer.pxp-solutions.com.

If you cannot find a solution for a particular merchant sector, contact us. We may be able to help by reviewing our policies and proposition, and by working with business partners to deliver solutions.

 

I’m willing to take the risk of sales on my website

That may have been the case in the past. However, the new strong customer authentication requirements change the e-commerce model for card payments.

Previously, the decision to adopt 3D Secure and submit payments for authentication by the card issuer was largely optional and managed contractually between merchants and their acquirers. From 2021, strong customer authentication will be compulsory for every e-commerce transaction, unless an exemption applies.

The responsibility for authenticating customers will sit with service providers (issuers and acquirers in the case of card payments), not merchants. Online commerce will no longer be about merchant acceptance of risk.

For more information or a consultation, e-mail sales@pxpfinancial.com or complete your details on the contact form below.

[1] E-commerce statistics for individuals, Eurostat, January 2020, https://ec.europa.eu/eurostat/statistics-explained/index.php/E-commerce_statistics_for_individuals#E-shopping:_biggest_increase_among_young_internet_users

 
