Retail isn’t ready for Strong Customer Authentication, says research

Strong Customer Authentication will soon be needed for card payments thanks to new European regulations. The changes, which come into force in six weeks' time, are as significant as the introduction of Chip and PIN and will have a negative impact on retailers and customers, particularly for eCommerce purchases. The reason for the regulatory changes is that eCommerce card fraud now accounts for £310 million annually and action has to be taken to prevent the continual escalation of losses. Retailers need to accelerate their plans to be SCA compliant or face the real risk of loss of revenue and customers.

A detailed report is now available from the Emerging Payments Association (EPA) with clear recommendations for retailers to follow.

Key research findings

The EPA asked UK card issuers about their state of readiness and how they expect to treat card transactions after the 14 September 2019 compliance deadline. We found that issuers would not be operationally ready for SCA by September and that they would be unable to support the full range of exemptions. Over 70% of issuers said that SCA will initially lead to a decline in user experience and 58% felt that too much friction is being applied.

Issuers confirmed that, as regulated entities, they will be forced to decline transactions if they have not been authenticated or supplied with an exemption indicator. Currently they request a step-up authentication for only 2% of online transactions, but this will jump to between 30% and 50% of transactions. The current 3% transaction decline rate is forecast to increase to 25-30% unless a managed rollout can be agreed. Issuers reported that, thanks to the new SCA regulations, they expect to decline 70% of direct-to-authorisation transactions submitted without an authentication.

One of the key ways to securely authenticate customers is through the implementation of 3DS technology. The other main authentication approaches issuers are planning to use are One Time Passwords (OTP), which will be sent primarily by SMS; authentication within a mobile banking app; and the use of biometrics, particularly finger and facial recognition. Each issuer will make their own choices and so a variation in user experience must be expected.

3DS adoption

Many retailers have long and unhappy memories of 3DS and remember the high basket abandonment rates, poor user experience and slow transaction speeds. Thankfully, a completely new version of 3DS is now available (3DS v2) which addresses all of the previous concerns, and this is what all retailers who sell online need to be implementing. Currently only 5% of UK merchants have 3DS v2. The 50% of retailers using 3DS v1 need to plan upgrades to 3DS v2 during 2019. The optimum version of 3DS for merchants to use is v2.2, as this supports all of the allowed exemptions; however, it is unlikely to be widely commercially available until late 2019. In addition to delivering SCA regulatory compliance, 3DS helpfully provides retailers with fraud liability protection.

Roadmap to compliance

Our research findings highlight that additional time is needed before active enforcement begins and issuers start declining transactions for lack of SCA. We found that no part of the payments ecosystem is well prepared for the 14 September 2019 deadline and that unexpected negative consequences will result if more time is not made available. Merchant awareness levels remain very low, particularly amongst SMEs. Issuers also need to improve their records of customer mobile phone numbers and email addresses so they can send them authentication requests.

The Financial Conduct Authority (FCA), whose role it is to enforce SCA in the UK, acknowledge that the UK is not ready for SCA and have tasked UK Finance, the trade association representing issuers, acquirers and schemes, with preparing a managed roadmap. This industry plan proposes at least 18 months of additional time to allow stakeholders to be fully ready. The roadmap migration plan has multiple milestones to check appropriate progress is being made. The current expectation is that the FCA will agree to the roadmap on 14 August 2019 and so alleviate the ‘cliff edge’ scenario in which issuers felt compelled to start declining large volumes of transactions. Further time, beyond the 18 months, may be needed for long-term strategic solutions that make greater use of biometric data and for specific sectors with complex use cases such as hospitality and travel.

Other European national competent authorities are currently considering similar plans in order to ensure a consistent enforcement approach is applied across the region. Retailers are pushing for the alignment of dates; otherwise they will see lots of confusion and declines from multiple variations and strategies.

Next steps

We await the decision from the FCA and other European competent authorities and hope that they will agree to an SCA migration plan. Each retailer should ensure they have a detailed 3DS implementation plan in place and offer this service to their customers as soon as possible. Doing nothing is not a sensible option.

A UK programme management office is being formed to help co-ordinate activities. This will establish a communication programme to ensure consumers and merchants receive consistent messages.

In addition to implementing 3DS v2, retailers also need to support updated authorisation message formats that carry the required SCA flags and indicators. Payment terminal software also needs to be updated to correctly handle step-up authentication requests for contactless transactions.

Retailers can download this white paper from the EPA website. The report includes 10 helpful recommendations.

Mark McMurtrie is an award-winning independent payments consultant who provides advisory services to retailers on payments strategy, regulatory compliance and supplier selection. He is an ambassador of the EPA, member of Vendorcom, awards judge, conference speaker and chairman of the RetailEXPO Payments Stage.