Strong Customer Authentication
How is COVID impacting SCA preparations in 2020?
Online merchants have seen their businesses turned upside down as, like all of us, they battle through a global pandemic. Nevertheless, the European payments industry is still required to bring Strong Customer Authentication (SCA) onboard in the coming year. It’s essential to ensure your business is ahead of the changes.
By Colm O’Monachain, Vice President, J.P. Morgan Wholesale Payments
The COVID-19 pandemic is shaking up business operations across the globe, on a scale we have never before witnessed. The e-commerce sector has been impacted more than most. With 48 countries implementing some form of lockdown and restricting the ability of its citizens to shop in physical locations, online merchants have seen extraordinary increases in volume. Take Europe alone: across the continent, e-commerce volumes in May 2020 are up 89%, compared with same period in 2019.1 This means that even more consumers are becoming accustomed to multi-factor authentication as they check out online. And not only that, of merchants should prepare for some online shopping habits to stick: research shows that 24% of respondents in the UK, Europe’s largest ecommerce market, suggest they will continue shopping as they do now once life returns to normal.2
As merchants grapple with the day-to-day major operational challenges they are facing, it can be easy to forget that major legislation is coming into force this year. At time of writing, the deadline for the implementation of Strong Customer Authentication (SCA) remains the 31 December 2020. Although the UK’s Financial Conduct Authority (FCA) has extended this date to September 2021, the European Banking Authority (EBA) has yet to announce a postponement. We look at how merchants should respond – and how they can make sure they are ready and prepared for the changes.
SCA – The basics
The introduction of the EU Payments Services Directive (PSD2) in January 2018, of which SCA is a core feature, is designed to try and tamp down rising levels of e-commerce fraud across the member states.
SCA is expected to boost online security by demanding two-step authentication of any purchase over €30 in the EU. Under SCA, a person making a purchase greater than this amount must provide two methods of identification, using:
· Possession (something the customer owns, such as a smartphone)
· Knowledge (something the customer knows, such as a PIN)
· Inherence (something unique to the customer, such as a fingerprint)
A theoretical customer payment journey under SCA would look like this: the customer enters their card details on their smartphone, and to complete the payment, must tap in a PIN and must also use their fingerprint to confirm their identity.
There are some exceptions and opt-out mechanisms – shoppers will be able to ‘whitelist’ favourite merchants to skip this process after the first transaction authentication is completed – but the standard SCA requirements will be in place for the vast majority of payments. Although viewed by some as a troublesome hoop to jump through, the introduction of two-factor security measures will ultimately benefit merchants as they should see higher approval rates and lower fraud.
Progress has been derailed
Prior to the COVID-19 crisis, the payments industry was making good progress towards implementing SCA within the timeframe. That situation has now changed dramatically. Some of the larger issuers and acquirers are in a relatively strong position because they had completed much of their development work prior to the pandemic. But merchants that still have to code the SCA specifications of their acquiring banks, are under pressure, for a number of reasons.
To start with, many merchants are dealing with peak volumes, and are understandably wary of making major changes to their platforms in a time of high activity. Also, a number are pivoting their businesses in order to cope with the challenges of the current environment, which is sucking up a lot of development resources. Tech staff that would have been working on SCA are now being deployed in other areas.
In a best-case scenario, it will be many months before many online merchants are able to get back to their full operational capabilities. Making major changes in the middle of a crisis is inherently risky. Doing so in a remote-working environment, while many key staff members are furloughed, is even more challenging.
Challenges with the testing period
With an implementation date of December 2020, the payments industry was working towards being SCA-compliant by September 2020, so as to be ready well ahead of the peak holiday season. As a result, regulators and other incumbents scheduled their testing windows for Q2 2020. This timetable has now been severely disrupted. Testing involves collaboration between multiple stakeholders, which is difficult to organize in the current circumstances. Unless these issues can be overcome, it is unlikely the industry can be ready in time for Autumn 2020.
Merchants should continue development work for the time being
Although the EBA is reportedly in favour of an extension, until there is an official decision, merchants are advised to keep working towards a December 2020 migration date. J.P. Morgan is doing everything it can to support our merchants in this period. For example, we are in constant contact with Visa and Mastercard to better understand their mandate around 3DSecure 2.1 and 2.2, so we can give merchants the information they need. We are also making our development resources available to support them on the tech side, as well as our regulatory intelligence. This latter part is particularly crucial. If there is an extension to the deadline it would likely be for six months, with any new migration plan likely to ramp up in March 2021, in preparation for a summer launch. With previous extensions, the regulatory bodies in individual countries were left to organize and implement their own migration plans. J.P. Morgan is helping our merchants understand the regulatory landscape in all 27 EU countries in case there is significant variance between markets. While working towards the December deadline, we are also continuing to advocate for our merchants and lobby for an EBA extension.
SCA will continue to be a positive in the long-term
We remain of the belief that SCA will be a major positive for the payments industry in the long run. Whilst there have been fears that the extra security requirements will turn customers off a potential purchase, and lead to higher rates of cart abandonment, we don’t foresee a drop-off in transactions through the 2.0 solutions. Early feedback suggests the benefits of SCA are far outweighing the initial growing pains of transitioning to the new rules. For example, we know that the Nordics were ready for SCA. The merchants we support there have told us that when they turn SCA-compliant payment processes on, they experience higher approval rates and more secure transactions.
As a regulated acquirer J.P. Morgan will continue to advise our merchants on the best ways to prepare for SCA migration so they can meet the current deadlines.
J.P. Morgan is SCA-ready
There are multiple software and security options available to bring your payments system in line with SCA demands. We can advise our merchant clients across a whole range of PSD2 and SCA-related issues. Contact your J.P. Morgan representative or call our merchant support team on:
Europe: +353 1 726 2909
UK: +44 845 399 1130