Ready Or Not, Strong Customer Authentication Is Coming

SCA, strong customer authentication on smartphone

As September approaches, the deadline for EU merchants to implement Strong Customer Authentication (SCA) is looming. But according to the PSD2 Tracker, as many as 60 percent of these merchants aren’t ready.

A significant share of European merchants remain unaware of SCA, and those that are aware still need guidance regarding what they are required to do — if anything — to remain compliant when authenticating customers.

The second Payment Services Directive (PSD2) requires financial institutions (FIs) to provide third parties access to their payment data, but some countries and banks are implementing this faster than others.

Last week, U.K.-based Emerging Payments Association (EPA) published a report on the impact of SCA on the payments experience, and found that 75 percent of issuers said they would be ready by the Sept. 14 deadline. Yet this was compliance-ready, not operationally ready.

Nearly three-fourths (74 percent) of issuers expect SCA to lead initially to a decline in user experience. Additionally, they see potentially 25 to 30 percent of transactions being declined in the short term unless a compliance timeline is agreed upon. 

What Are the Issues?

Merchants must not only work with their financial institutions (FIs) to enable two-factor authentication (2FA), but also ensure that their relationships with customers remain unscathed, according to Peter Robinson, payments advisor for European retail association EuroCommerce.

The looming SCA deadline is putting pressure on card acquirers rather than merchants since the onus has been on them to make sure merchants are ready and informed. “Merchants are largely dependent on their card acquirers to inform them, liaise with them and help them achieve compliance to whatever the requirements are,” Robinson said.

Much of the confusion stems from the fact that merchants weren’t included in much of the initial discussions. “Retailers were excluded from PSD2 completely,” Robinson said. “Their views weren’t taken into account. Merchants were still waiting for answers from card acquirers as to what they needed to do.”

But it’s the retailers that are going to be affected if they don’t comply with new regulations. Transactions will be declined and conversion rates will drop if nothing changes when SCA is put into full effect.

Good News and Bad News

A potential silver lining is that the European Banking Authority (EBA) has agreed to provide a limited amount of time to let issuers become compliant with SCA.

Such a stay may grant merchants more time to catch up on compliance, but it also opens up some new challenges. “Each European state is now responsible for creating its own SCA compliance road map. What you don’t want is a fragmented approach to compliance with some member states declaring readiness and enforcing compliance when other member states aren’t,” Robinson said.

In an interview with PYMNTS, Ekata CEO Rob Eleveld explained how all the talk about exemptions and extensions just illustrates the complex ecosystem in which payments operates.

As complicated as compliance may be, any exemptions to the regulations will only prolong the inevitable. But SCA success will guide FIs in the rest of the world. “If Europe figures out a way, which I think they will, to ultimately get this implemented, it is going to influence behavior elsewhere,” said Eleveld.

The Competition

PSD2 is creating greater interoperability between banks, but that leads to competition with third parties as they offer customers more variety.  

Under PSD2, all banks are required to open their APIs. However, many banks could be in noncompliance, according to a study from Swedish API open banking platform Tink.

The FI tested 84 APIs across 12 markets, representing 2,500 banks and found that none of them complied with PSD2, and that only 69 percent of production APIs from major banks are currently available for third-party integration.

As alluded to above, open APIs mean potential increased competition from third parties. This means there is an opportunity for FinTechs like PayPal and Apple Pay, along with merchants like Amazon to become trusted payment providers.

Amazon has already earned a high degree of trust from consumers and could take share from other companies by offering Amazon Pay on other sites.