.svg)
The implementation of strong customer authentication (SCA) has been a bumpy road but experts are still divided in their views on whether it has been worth it.
Speaking at the MPE 2022 Berlin conference, Catherine Malec, general manager EMEA of Accertify, blasted SCA for solving only one type of fraud and failing to look at the problem holistically.
“If we look at online payments specifically for SCA, you could argue it worked. But it is a little bit like washing an elephant through a microscope,” she said.
“The bit that you see and could see, you cleaned. But when you take a step back, the fraud hasn’t reduced overall.”
In the UK, although unauthorised online payment fraud has noticeably reduced already in the first months of full SCA implementation, other types of fraud has surged. For example, authorised push payment (APP) fraud continues to grow. According data published last week by UK Finance, there were 195,996 incidents of APP scams in 2021 with gross losses of £583.2m, up from £420.7m in 2020.
At the same time, account takeover fraud and refund abuses also increased.
“SCA had a lot of benefits but we have to qualify those benefits,” Mark Barlow, chief product officer at fraud prevention company Ravelin, agreed, pointing out that some of the fraud did move somewhere else.
One of the opportunities in the upcoming review of PSD2 is to look at fraud as a “holistic problem”, Malec added.
Although SCA has been painful at times, David Jeffrey, product director at Barclaycard Payments, believes it has been worth it.
“It does come at a heavy cost and a heavy burden, but I genuinely do think it’s a great catalyst for things to come,” he stressed.
It has changed how merchants think about security and consumer experience, and could serve as a basis for further innovation, Jeffrey argued.
“It can be turned into an advantage.”
A bumpy road
While debates may rage over whether the benefits of SCA outweigh the costs and burdens, merchants and the wider payment ecosystem have nevertheless had to go through a bumpy road since the implementation of SCA was mandated.
Foreseeable, and other times unintended, consequences of SCA have had a financial impact on businesses, affected customer experience and spiralled to the wider payments ecosystem.
In addition to bearing the costs related to both the development and the maintenance of SCA-compliant processes, the new friction led to an uptake in cart abandonment.
From the customer's perspective, the payment process has become longer, sometimes taking 40 seconds, according to Barclaycard.
There has been significant friction caused by technical failures and overall payment cancellations, while customers became more exposed to phishing campaigns.
In general, it caused revenue losses for businesses, an increase in the number of complaints related to payments and issues around alignment across markets, such as different approaches to implementation in the EU and the UK.
“So are we there yet? Obviously not,” Jeffrey said. Nonetheless, businesses are now over the first sprint to achieve compliance and they have reached the phase when they can start to optimise SCA processes.
An opportunity to fix PSD2
These issues have not remained unnoticed by regulators. The European Commission launched a consultation to understand what impact PSD2 had on the market, providing an opportunity for regulators to fix any unintended negative consequences of the directive.
For instance, in its 126-page long response to the consultation, the European Banking Authority advocated in favour of merging PSD2 and the Electronic Money Directive (EMD2).
Although some experts would like to see the lessons learned to be incorporated into the form of more prescriptive regulation, instead of a directive, others would favour an outcome-based approach.
“If you think about PSD2 generally, they are very restrictive rules,” Paul Adams, general manager at Barclaycard, stressed.
“I’m not sure PSD2 has really talked about a specific outcome. It might have reduced fraud but what, and to what end and with what loss, and what are the false positive indications?”
“I’d love to see outcome-based rules, such as ‘what are we shooting for’, and allow the industry to find different ways to get to the endpoint,” he added.
The European Commission's consultation closed on Tuesday (July 5).
