Despite progress, various parts of the payments ecosystem in continental Europe have yet to implement strong customer authentication (SCA) fully — and this is also true in the UK.
SCA was the last development of the revised Payment Services Directive (PSD2) to have to come into force in the EU. It was also one of the most difficult steps for countries to take, with various national regulators ultimately opting to dodge the European Banking Authority’s blanket compliance deadline of December 31, 2020 and instead pursuing a “ramp-up” strategy of implementation in stages.
“SCA compliance success depends on where you look. For merchants in the EU, it is not business as usual. As with issuers, they are in the settling-in stage still,” said Lee Goddard, head of authentication at Worldpay.
Goddard thought that even sophisticated merchants could have problems with SCA and expected her company to be organising presentations and communications on the subject next year and even beyond.
Dean Jordaan, payments director at Microsoft, pointed out that “we are living the reality of this new technology and rules”.
Jordaan noted that there had been some improvements in “authentication performance” and that different merchants were now trying to minimise SCA’s negative effects.
“People are not complaining as much as they were, as it was originally about sounding the alarm. Now, attention has shifted to monitoring and minimising the impact.”
Others, however, are striking a more positive tone when it comes to the implementation of SCA.
“Progress with SCA has been quite good and usage has increased significantly. We’re talking about going from single digits to high teens in terms of SCA transactions and that increase is really good,” said one source based in the EU.
“There have been bumps, of course, but that has depended on what people’s expectations were. In Spain, for example, people expected the end of the world and a disaster for e-commerce, but this hasn’t materialised and fraud has gone down. This has been quite a positive development.”
The source continued that the market was now returning to the state that it was in during the days before SCA, claiming that improvements had occurred.
“And the ramp-ups that were implemented in different member states allowed time for issuers to have something in place, but it can’t yet be distinguished whether bumps in the value chain were triggered by COVID-19 or SCA. That already gives a hit in conversion rates, as some of the larger e-commerce platforms in Europe are not the most digital-savvy, so consumers can struggle with them.”
Jordaan, meanwhile, said that conversion numbers were consistent but not necessarily good.
“Now, Microsoft is looking at how it can use payment methods such as PayPal to cushion the blow of SCA on conversion rates,” he said.
Others, who work with merchants in the EU, have already hinted at this, pointing to the rise of payment options such as buy now pay later (BNPL).
As BNPL transactions do not necessarily come into the ambit of PSD2, merchants can circumvent the directive’s security-related rules.
One source told VIXIO in April that the 3D Secure (3DS) process that card schemes are pushing as the route to SCA compliance could put off people who are not familiar with it.
Despite the woes that the ecosystem has experienced with implementation this year, the European Banking Authority has been “talking up” the things that SCA has done to reduce fraud in the EU. In a report that it released in June, the authority noted that during the period between June 2020 and April 2021 the average value of fraudulent transactions across the EU decreased by approximately 50 percent, from 0.12 percent to 0.06 percent, for issuing payment service providers (PSPs) and by approximately 40 percent, from 0.17 percent to 0.10 percent, for acquiring PSPs.
Despite this, some wonder whether the results have been a success for consumers, who may now find themselves struggling with compliant but confusing processes.
“Before SCA, the question to be asked is what impact fraud has had on businesses. For example, losses from fraud at Microsoft were not significant. However, SCA has cost a lot in sales, and that has meant the medicine has been worse than the cure,” said Jordaan.
Another source, based in the EU, said: “When it comes to fraud, an analogy is that it is like squeezing a balloon. In that sense, payment fraud will still happen in spite of SCA. We can expect fraudsters to turn their attention to different geographies, as well as different parts of the value chain.”
What about the UK?
The UK still had to obey the EU’s rules when PSD2 was introduced and it has embraced the EU’s reforms in many ways, as shown with the success of open banking and the growth of fintech.
However, it has since diverged from mainland Europe in respect of SCA.
As of March 14, 2020, firms do need to comply with the SCA rules with respect to online and mobile banking. However, card-based transactions are yet to be included. Although they were supposed to be included by September 14 this year, the UK’s Financial Conduct Authority has since pushed the implementation deadline back to March 14, 2022.
The extension has left market participants pondering whether the delays will allow the UK to be better prepared than its continental neighbours.
“The UK already performs SCA on a lot of transactions. It is a more mature market in that sense,” said the EU-based source, who predicted that the implementation of SCA would eventually resemble the millennium bug and turn out to be quite anti-climactic.
“Issuers and merchants alike already have quite a good idea of what they are going to do,” he noted.
Jordaan agreed that the UK was still performing considerably better than the rest of Europe, although he wondered whether this would continue to be the case.
“One thing that UK banks have done better than the rest of Europe is take risk-based decisions. This means they’ve kept their challenge rates low and are granting frictionless authentication approval.”
Goddard, however, noted that the achievement of all the demands of PSD2 was “a big ask” for any market. She thought that the UK would have to work hard to complete the task, adding that all stakeholders in the ecosystem “have the responsibility to come to the table on this”.
She said: “Merchants who have worked cross-border are likely to have handled timelines already and are familiar with the duration needed for things to stabilise. They know that 3DS is not a once-and-done and that the process of bedding in is more likely.”