Does SCA Settle Consumer Angst?
European regulations may sometimes be slow, but once in force they change the world and change the behavior of the rest of us. One of the most visible effects of PSD2 (the Second Payment Services Directive), adopted in 2015, is the shift in digital commerce authentication from 3D Secure to SCA (Strong Customer Authentication).
PSD2 pursues several goals, from bringing more competition to the banking and financial industry through Open Banking to improving security and consumer protection in payment transactions. On the latter, PSD2 requires that multi-factor authentication be completed for every financial transaction, regardless of payment method. For instance, by default, a Chip-and-PIN payment with a contact card is acceptable, while a contactless payment without PIN entry is not. Online transactions raise more complex issues: 3D Secure, the system that relies on sending a code by SMS to cardholders when they complete a transaction, has existed for years but has now reached its limits: a significant level of fraud, and a high risk of shopping cart abandonment because of the complexity of the process, at least as the consumer experiences it.
The European Banking Authority decided that SCA should be enforced on January 1st, 2021, but national authorities decided on more relaxed deadlines: March 2021 in Germany, April 2021 in Belgium, May 2021 in France and September 2021 in the UK and Switzerland (which are part of the European Economic Area).
While the principles are straightforward, exceptions abound! Deadlines differ from country to country, thresholds determine whether strong authentication is needed or not, some merchants or payment situations require more or less authentication, and so on. Payments below EUR 30 are considered "low value" and may be exempted from SCA. Recurring payments, such as subscriptions, can be exempted too. Customers may also have the option to define a list of trusted beneficiaries to whom they can make payments without going through SCA. Phone sales, known as MOTO (Mail Order Telephone Order), are exempted from SCA as well, since there is no means of performing multi-factor authentication over the phone.
Because issuers now receive far more information than they did with 3D Secure, they can decide in real time, for each transaction, whether to grant an SCA exemption or not, based on all the data they hold on file and gather during the online transaction process. The combined effect of these exemptions and of the real-time decisions made by issuers or other stakeholders along the payment chain makes payments extremely opaque to cardholders.
It took years to get consumers to accept Chip and PIN, and the payment community had to run multiple campaigns to ingrain in their minds that their security relied on entering the PIN. Then, when contactless cards arrived, we had to spend a great deal of effort getting consumers to change their mindset: they could make contactless transactions without a PIN and still be secure. Things became more complicated for consumers when they realized that they could make some payments quickly and easily with contactless, but were sometimes required to insert their card and type their PIN because of floor limits, cumulative transaction value limits, random checks and so on, all parameters far too complex to explain to the average consumer.
For online payments, the industry took years to familiarize users with 3D Secure and to get them into the habit of keeping their phone nearby when making a payment, then reading and typing an authentication code. Now, with SCA and its exemptions, consumers will have no way of understanding when they are required to go through multi-factor authentication and when they are not. We all know confidence is the foundation for trust in payment systems. By setting up a payment environment beyond the comprehension of end-users, we are eroding their level of confidence.