Strong Customer Authentication: what happens next?
Since the implementation of PSD2, this week's Strong Customer Authentication deadline has been penned into the diary of the payments industry. But now an 18 month delay has been announced in the UK.
Simon Chandramani, VP of Sales, Card Processing, Paysafe, Europe, explains why a delay to the SCA implementation deadline was nececessary, and how merchants should be thinking about implementation of 3DS2 between now and March 2021.
With half of EU member states implementing a transition period for SCA, do you expect others to now follow suit?
Yes, we would expect other EU member states to follow suit. It's clear that across Europe the ecosystem is not ready for SCA whether that be customers, merchants, issuers or even acquirers. The world of eCommerce is not limited to national borders so to ensure a fully functioning payments world we need regulators to act in lock step.
Is it a good or a bad thing that these periods have had to be put into place by NCAs?
While any delay is never ideal, the reality is that no extension could have been very problematic for the online retail industry. The value of card transactions that would have been blanket declined for not being SCA compliant on September 15 could have potentially run into billions of pounds, so it is a relief that the FCA and other national authorities have taken a pragmatic approach to implementing SCA and are listening to the needs of the market.
Have you seen a real need for this transition period from the industry?
Absolutely. Customers are rightly very sensitive to the possibility of fraud and could be alarmed at the presentation of the new journeys required as part of PSD2, leading to cart abandonment. Couple that with the fact that so few customers have valid mobile numbers registered at their bank - a key component of SCA - it’s clear that a huge education piece is required to prepare customers and the market for the incoming changes.
Equally there is work to do from a merchant perspective. A large number of our merchants are already using 3DS v1 which means that they are compliant with the new rules, however there is a huge opportunity to move to an improved mobile optimised experience that leverages exemptions when using 3DS v2. This may seem like a small thing, but we’re likely to see a dramatic increase in the number of transactions which require a step up in authentication post 14th September. How this is managed then becomes key to ensuring now degradation of services while leveraging the positive fraud management aspects with the new 3DS service.
Does having half the continent delaying and the other half not (so far) make anything difficult when having to deal with client requests?
Currently there’s a lack of clarity as to which banks will take advantage of the delay in SCA enforcement, but also at a market level as to which regulators will offer the delay. As such, to avoid declines we are advocating to our merchants that they maintain the 14th September deadline so as to accommodate issuers and regulators who choose not to extend the deadline and ensure authentication rates are not affected.
How will this impact the end customers, especially when trying to transaction cross-border?
If you have customer whose card is issued in a country that has chosen not to extend the deadline and the customer tries to transact with a merchant who does not have 3DS there is a greater chance that their transaction will be declined by their bank. This in itself is a poor experience but from a customer perspective they're unlikely to know why their transaction has failed and why with one merchant it is OK and others it isn't.
If you could hazard a guess as to how readiness for SCA might progress under the transitions, when do you think everything will be compliant without the need for exemption?
In the UK the FCA has been very clear that there will not be another extension to the deadline. Issuers, acquirers and merchants will have to be ready by the end of the 18 month extension or face blanket card declines. With the phased implementation approach that is being adopted, the industry will need to show that it is progressing throughout the extension period. It will not be acceptable to fall behind adoption checkpoints, either intentionally for strategic advantage or unintentionally. Our opinion and the opinion of issuers we speak to is that, regardless of the extension, it is still preferable to implement 3DS2 and become SCA compliant as soon as possible, so we would expect to see strong levels of compliance ahead of the deadline.
Last month Paysafe recorded a panel discussion with Mastercard and New Day discussing the implementation of 3DS2 and the impact of a delay to Strong Customer Authentication. Click here to watch the video.