This month, the UK’s Financial Conduct Authority (FCA) confirmed an 18-month delay to the introduction of Strong Customer Authentication (SCA) rules in order to give financial and retail firms a little breathing room to prepare.
“The FCA has been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster,” said the FCA’s Jonathan Davidson. “While these measures will reduce fraud, we want to make sure that they won’t cause material disruption to consumers themselves; so we have agreed a phased plan for their timely introduction.”
Effectively, the FCA is saying that it is building in a delay because European businesses were simply not ready, or were unsure of what they needed to do, to comply with the new directive. While there may be a collective sigh of relief in the business community, these organizations are not off the hook. Firms will not face enforcement action after September as long as there is evidence that “they have taken the necessary steps to comply with the plan.”
So, let’s start with a little education.
Background to Strong Customer Authentication
Strong Customer Authentication was due to be enacted Sept. 14, 2019 as part of the Second European Payment Services Directive (PSD2) and is a new European regulatory requirement to reduce fraud and make online payments more secure.
To accept payments once SCA goes into effect, UK businesses will need to build additional authentication into the checkout flow. In the past, customers could simply enter their card number and a CVC verification code, but with PSD2 regulations, more information will be required at the time of payment.
Which Merchants are Impacted?
While merchants are not directly responsible for meeting SCA requirements, this responsibility falls on acquirers and issuers based in the European Economic Area, which includes all 28 member countries of the European Union plus Norway, Iceland and Liechtenstein. This means merchants could see an impact on their authorization rates for some transactions should they opt not to adhere to the regulation once it applies.
Going Beyond the Password
SCA is more than just entering a password. The SCA requirement stipulates stronger payment security standards for higher value transactions based on multi-factor authentication, increasing the security of electronic payments.
Authentication is based on something you know, something you own or something you are. SCA requires authentication to use at least two of these three elements.
When is Strong Customer Authentication Required?
Strong Customer Authentication will apply to “customer-initiated” online payments within Europe. As a result, most card payments and all bank transfers will require SCA. Recurring direct debits, on the other hand, are considered “merchant-initiated” and will not require strong authentication.
The intent of PSD2 is to make SCA a requirement for all online transactions. There are, however, some exemptions to this mandate, and for any given transaction your acquirer can and will request the exemption that is most appropriate. These exemptions will ensure that consumers still enjoy easy shopping experiences, with additional security on their larger and less frequent payments. Other exceptions include contactless payments and in-person card payments, which are also not impacted by the new regulation.
Low-Value and Low-Risk Transactions are Exempt
Transactions under 30 euros will be exempt from SCA. However, the issuing bank will keep track of the amount of payments made. If the total amount attempted on the card without strong authentication is higher than 100 euros, or every five transactions, SCA will be required. Low-risk transactions are also exempt from SCA. The ability for a payment to be considered low risk is based on the average fraud levels of the card issuer and acquirer processing the transaction.
Trusted Beneficiaries are Exempt
Under the SCA rules, consumers will have the right to “whitelist” trusted beneficiaries (i.e., the businesses they trust), allowing issuers to exempt the transaction from SCA requirements. SCA is required to add a merchant to a cardholder’s list, so that payments to the merchant will not require SCA until the cardholder removes that merchant from his or her trusted beneficiary list.
It is still unclear how banks will manage their cardholders’ beneficiary lists or even how many banks will choose to offer this, particularly in the months following the updated SCA enforcement deadline.
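To make the exemption rules above concrete, here is an added illustration (not from the article or any issuer's code) of an issuer-side decision: it applies the merchant-initiated, trusted-beneficiary and low-value exemptions in that order, keeps the running counters the article says the issuer tracks, and checks the two-of-three-categories rule from the earlier section. It assumes that “every five transactions” means the sixth unauthenticated low-value payment is challenged, that the 100-euro total is checked with the current payment included, and that the factor names are illustrative rather than any standard vocabulary.

```python
from dataclasses import dataclass, field

# Thresholds quoted in the article; the page gives no other figures.
LOW_VALUE_LIMIT_EUR = 30.0     # per-transaction low-value threshold
CUMULATIVE_LIMIT_EUR = 100.0   # running total allowed without SCA
MAX_UNAUTHENTICATED = 5        # exempt payments before SCA is forced (assumed reading)

# Factor names mapped to the three categories the article names.
# The names themselves are illustrative (constructed for this example).
FACTOR_CATEGORY = {"password": "knowledge", "pin": "knowledge",
                   "device": "possession", "face_map": "inherence"}


@dataclass
class CardState:
    """Issuer-side counters kept per card since its last strong authentication."""
    unauthenticated_total: float = 0.0
    unauthenticated_count: int = 0
    trusted_merchants: set = field(default_factory=set)

    def record_sca(self) -> None:
        """A successful challenge resets the low-value counters."""
        self.unauthenticated_total = 0.0
        self.unauthenticated_count = 0


def meets_sca_factors(factors) -> bool:
    """Two factors from *different* categories are needed; password + PIN is not SCA."""
    return len({FACTOR_CATEGORY[f] for f in factors}) >= 2


def sca_required(card: CardState, merchant: str, amount_eur: float,
                 merchant_initiated: bool = False) -> bool:
    """Return True when the issuer must challenge; advances counters on exempt payments."""
    if merchant_initiated:
        return False                    # recurring direct debits: out of scope
    if merchant in card.trusted_merchants:
        return False                    # whitelisted beneficiary (adding it needed SCA)
    if amount_eur >= LOW_VALUE_LIMIT_EUR:
        return True                     # not low-value; no other exemption modelled here
    # Low-value path: exempt only while both running limits still hold,
    # checked with this payment included (assumption).
    if card.unauthenticated_total + amount_eur > CUMULATIVE_LIMIT_EUR:
        return True
    if card.unauthenticated_count >= MAX_UNAUTHENTICATED:
        return True
    card.unauthenticated_total += amount_eur
    card.unauthenticated_count += 1
    return False
```

The low-risk exemption based on issuer and acquirer fraud rates is not modelled, because the article gives no thresholds for it.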
A Biometric-Based Path to Compliance
According to data published by the FCA, reports of cyber incidents at financial services firms increased 1,000 percent in 2018, and this figure is only expected to rise with the growth in mobile payments. Given the explosion in cybercrime, identity theft, account takeover and fraud, online payments must rise to a higher standard in terms of protecting their data and transactions.
Start with Identity Proofing
In order to accurately authenticate online transactions, organizations need to start when the new account is created and the user is onboarded. It’s at this moment that retailers and financial institutions need to ensure that the consumer is who they claim to be online. Thanks to large-scale data breaches and the dark web, modern organizations need to move beyond credit bureau lookups, because the person purporting to be Susan Brown, for example, isn’t necessarily Susan Brown. Increasingly, companies are turning to online identity verification methodologies that tether an online user’s digital identity to a government-issued ID (e.g., a driver’s license or passport) and a corroborating selfie.
Over the last few years, cybercriminals have started using spoofing attacks to acquire someone else’s privileges or access rights. They do this by using a photo, video or another substitute for an authorized person’s face. In response, online identification solution providers have introduced certified liveness detection, providing an additional layer of assurance and fraud prevention for digital businesses during the account creation process. This liveness step is also crucial for ongoing authentication.
While the consumer is taking a selfie during the onboarding process, she is asked to position her face within an oval on the screen, about 12 inches away. Then she’s asked to position her face 7-8 inches away. During this sequence, which takes just a few seconds, the camera’s view of the 3D face changes and perspective distortion is observed, exposing most spoofs instantly. In under two seconds, these advanced solutions process more than 30 video frames and reverse-engineer a 3D face map from a standard 2D camera.
This 3D face map not only prevents spoofing attacks, it also serves as a powerful disincentive for cybercriminals. It also becomes the basis for Strong Customer Authentication when users make subsequent online purchases. When future user authentication is needed for qualifying transactions (e.g., transactions greater than 30 euros), merchants simply need to ask consumers to capture a fresh 3D face map (via the selfie-taking process), which is then compared to the original face map to unlock the user’s digital identity in seconds. Because this methodology relies on two factors — something the customer knows (password) and something the customer is (3D face map) — it meets the SCA standards.
Increasing Customer Convenience
But, perhaps more importantly, biometric-based authentication delivers a simple, intuitive user experience for legitimate customers and simultaneously thwarts and deters the bad guys because of the high assurance of the biometric captured upfront and on an ongoing basis. While many merchants may balk at passwordless authentication, biometrics is quickly gaining traction among consumers.
In the same way that biometrics has transformed the mobile space, it’s rapidly taking hold of the payments world. In an age of increasing connectedness, security and the consumer experience sit at the heart of everything.
In fact, consumers have expressed interest in using biometrics for authentication purposes. Gigya found 80 percent of consumers believe biometric verification is more secure than methods involving usernames and passwords.
Almost 50 percent of millennials already use some kind of biometric information to authenticate themselves. In addition, Aite Group found 73 percent of millennials and 68 percent of Gen Xers believe facial recognition is an easy way to identify themselves. Even most baby boomers feel that facial recognition is a simple authentication option.
Clearly, face-based authentication owes a large debt of thanks to the big mobile phone manufacturers (e.g., Apple’s Face ID) who have rolled out face-based biometrics to enable users to securely unlock their mobile phones.
And it’s this mass adoption and familiarity that should help European merchants confidently deploy face-based biometrics to meet their SCA compliance obligations — offering the perfect balance of trust with convenience.