Fraud Or Sales Prevention? Experts Discuss UK’s SCA Implementation

May 23, 2022
After a delayed introduction, the UK has implemented the strong customer authentication (SCA) rules, but experts continue to express concerns about the impact they will have on fraud alongside lost sales from card abandonment.

As of March 14 this year, retailers with an online presence were required to adhere to SCA rules, following a ramp-up period from January 18 when card issuers began to decline some non-compliant transactions.

Although it is still early days, people familiar with the SCA process in the UK are beginning to consider what has gone well and what is not going to plan.

“The SCA Sprint was set up so that all issuers could be ready to have all transactions comply with PSD2 rules by the deadline and we believe most of the issuers were ready, with a few exceptions such as smaller issuers,” said a spokesperson for Okay, the payments fintech.

However, in the first month of SCA, there were concerns noted by institutions such as Barclays Payments, which warned that merchants lost as much as £130m through card abandonment and transaction failures, due to merchants not being fully compliant.

This is significant and shows that the transition has not been entirely smooth, commented the spokesperson.

“Prior to the start date, there was a long period of time for users and providers to acclimatise to the new requirements of SCA,” agreed Rob Griffin, chief executive of authentication service MIRACL.

“But despite this, it is clear that when we did pass the formal SCA launch date, there was a meaningful drop in transactions, first from non-compliant transactions being rejected and second from increased friction causing aborted purchases,” he said.

Griffin added that there only needs to be a relatively small percentage of providers who are tardy in implementing the requirement for it to be a tangible shock to consumers when it arrives. “The data that has emerged so far shows there has been an increase in transactions that have been aborted due to greater friction.”

The delays were set up so that the entire payment ecosystem could get ready, the Okay spokesperson told VIXIO. “However, even though issuers were mostly prepared, a significant proportion of merchants had not made any changes to their 3DS access control servers so that they could perform SCA compatible operations and benefit from exemptions.”

David Jeffrey, product director at Barclays Payments, told VIXIO that the lack of compliance may be down to the shifting of the regulatory deadlines.

“The delay in businesses complying with the regulation, I believe, has been caused by the changing SCA deadlines over the last two years, mostly driven by the pandemic,” he said, adding that some businesses were waiting for SCA to become mandatory before they actioned any plans, while others such as those with operations in Europe are likely to be furthest ahead, considering the December 2020 deadline on the continent.

In tandem, Jeffrey said that his team are hearing from businesses that they are monitoring their sector to identify the impact SCA will have and then deciding on their approach. “However, it is imperative that all businesses which take payments online act now to avoid losing customers to their compliant competitors.”

“Preparing for SCA has proved complex and challenging, especially as businesses try to comply with the new regulation without adding additional layers of friction to the check-out,” he said, stressing the need to partner with the right payments acquirer.

Griffin, however, urged caution when looking at the results seen so far. “It is a little bit early to say, and the data is still embryonic.”

Looks phishy?

The SCA rules were not set up to simply make buying online harder. Rather, they were intended to instil a safer payments environment for European consumers.

This has meant that both the market and the authorities are keen to see how effective SCA has been in bringing down fraud levels. On the continent, the European Banking Authority and Banque de France have both said that they are satisfied it is having a positive impact there.

There have also been some positive early results in the UK. For example, Nationwide, the country’s largest building society, published data earlier this month showing that it was now seeing 2,000 fewer cases of fraud per month as a result of SCA.

“One of the things we have to look at is payments being stopped. But the question is, are they being unnecessarily stopped or are we preventing more fraud?” commented one senior fraud and compliance source familiar with the SCA implementation.

SCA could be preventing fraud, she continued, but retailers do not know whether it is fraud or not, so the message is not getting through.

"The issue is, how do you find out? It is very unlikely that people are going forward and investigating. Nobody will investigate these things, and you will see consumers wanting to buy, then frustration being amplified."

One of the largest root causes of payments fraud over the years has been online card-not-present fraud. SCA was partly introduced to tackle this type of fraud.

But inevitably, the risk of fraud never goes away as fraudsters shift targets and adapt.

For example, the UK's attention is currently elsewhere trying to deal with the unrelenting rise of authorised push payment (APP) fraud, a type of phishing.

This is a fraud issue that cannot be solved by SCA on its own.

“SCA is looking to tackle fraud where someone who is using an account isn't who they're supposed to be. In comparison, the problem with APP fraud is legitimate account holders have been tricked into sending a payment,” said the source.

Legitimate account holders will always pass the checks, the source pointed out, noting that SCA has not been designed to tackle this issue and that fraudsters, being fraudsters, are likely to switch their targets.

“I think you will find that the methodologies for exploiting and providing opportunities for fraud will be experimented with over the next six months, and it is clear that social phishing techniques make One Time Passwords highly vulnerable,” said Griffin. “I do think that it is really troubling for users that, despite having been through extra friction to complete their transaction, in the end, they are still subject to fraud.”

The elephant in the room remains that of phishing, he commented, agreeing with the source that the SCA rules provide no assurances for consumers.

For Okay, this is an area where action needs to be taken.

“Digital ID combined with SCA will be an extremely powerful solution to counter this type of fraud,” the spokesperson said. “But the UK is not there yet.”

The solution could be in place soon, however.

The UK government has now committed to creating a form of verifiable digital identity, as well as better consumer protections for those who fall victim to APP fraud.
