The Financial Conduct Authority has announced it is allowing extra time for the rollout of Strong Customer Authentication (SCA) for e-commerce transactions in the UK, and the move is likely to be followed by others across Europe.
In a statement published on 30 April, the FCA confirmed: “In the exceptional circumstances of the Covid crisis, we are giving the industry an additional 6 months to implement Strong Customer Authentication (SCA) for e-commerce.”
The definition of Strong Customer Authentication was set out in PSD2, and its original implementation deadline for all e-commerce transactions had been set for 14 September 2019, but following an announcement by the European Banking Authority (EBA) on 21 June 2019, the FCA agreed a phased roll-out plan with full compliance to be achieved by 14 March 2021.
This new extended deadline of 14 September 2021 provides an additional opportunity for online merchants to deploy and test new processes in line with SCA requirements, and ensure the e-commerce industry, card issuers, payments firms and online retailers are able to align their systems and processes.
PSD2 brought fundamental changes to the European payments market, but concerns were raised over the time it would take to successfully deploy SCA in complex payment environments such as e-commerce.
According to the EBA, “It is imperative that all actors, including card schemes and merchants, take the steps necessary to apply or request SCA and thus avoid situations in which payment transactions are rejected, blocked or interrupted.”
PSD2 defines SCA as an “authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent.”
At least two of the three categories must be present to provide strong authentication, and the elements must be independent of each other, so that a breach of one does not compromise the reliability of the others. Two elements from the same category (for example, a password and a PIN) do not count as two factors.
A detailed analysis of the various authentication elements that meet SCA compliance requirements was shared in the Opinion of the European Banking Authority on the elements of strong customer authentication under PSD2.
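As an added illustration of the definition above (example code, not from the article, the FCA or the EBA), the following Python evaluator checks a set of presented authentication elements against the two rules PSD2 states: at least two distinct categories, and independence between them. The `compromise_scope` field is a modelling assumption introduced here to approximate independence (two elements whose secrets are exposed by the same compromise are treated as not independent); it is not a term from PSD2 or the EBA opinion, and the sample elements are constructed for the example.

```python
from dataclasses import dataclass
from itertools import combinations

# The three categories named in the PSD2 definition of SCA.
CATEGORIES = {"knowledge", "possession", "inherence"}


@dataclass(frozen=True)
class Element:
    name: str
    category: str
    # Hypothetical modelling field (not in PSD2): what a single compromise
    # would expose, e.g. a memorised secret, a SIM, or a particular device.
    compromise_scope: str


def sca_check(elements):
    """Return (ok, reasons).

    ok is True only when the elements cover at least two distinct SCA
    categories and no two elements of different categories share a
    compromise scope (the simplified independence rule used here).
    """
    reasons = []
    for e in elements:
        if e.category not in CATEGORIES:
            reasons.append(f"{e.name}: unknown category {e.category!r}")

    categories = {e.category for e in elements if e.category in CATEGORIES}
    if len(categories) < 2:
        reasons.append(
            f"only {len(categories)} distinct categor"
            f"{'y' if len(categories) == 1 else 'ies'} present: {sorted(categories)}"
        )

    # Independence: a breach of one element must not compromise another.
    # Same-category pairs are skipped because they never count as two factors.
    for a, b in combinations(elements, 2):
        if a.category != b.category and a.compromise_scope == b.compromise_scope:
            reasons.append(
                f"{a.name} and {b.name} are not independent "
                f"(both exposed by compromise of {a.compromise_scope!r})"
            )
    return (not reasons, reasons)


# Constructed sample elements for the scenarios below.
PASSWORD = Element("memorised password", "knowledge", "user memory")
PIN = Element("memorised PIN", "knowledge", "user memory")
SMS_OTP = Element("SMS one-time code", "possession", "SIM / phone number")
AUTOFILL_PASSWORD = Element("password autofilled by browser", "knowledge", "laptop")
LAPTOP_OTP = Element("software OTP app on the same laptop", "possession", "laptop")
FACE = Element("face biometric", "inherence", "enrolled template")

if __name__ == "__main__":
    for label, elems in [
        ("password + SMS OTP", [PASSWORD, SMS_OTP]),
        ("password + PIN", [PASSWORD, PIN]),
        ("autofilled password + OTP on same laptop", [AUTOFILL_PASSWORD, LAPTOP_OTP]),
        ("face + SMS OTP", [FACE, SMS_OTP]),
    ]:
        ok, reasons = sca_check(elems)
        print(f"{label}: {'SCA' if ok else 'NOT SCA'} {reasons}")
```

The third scenario is the one worth noting: a password and a one-time code are nominally two categories, but when both are held on the same unlocked laptop a single compromise exposes both, so the evaluator rejects the pair on independence grounds.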
Identity verification is at the heart of PSD2, and must be supported by a Strong Customer Identity Verification (SCeID) process using two-factor authentication.
Existing technology, built to support the KYC requirements associated with anti-money laundering regulations, can be used to support a strong remote identity verification process that protects online payments, reduces compliance costs, retains customers and supports increasing market share.
To truly protect online payment transactions, organisations should apply an authentication method that reliably establishes — as per the EBA recommendations — that “the person claiming a particular identity is in fact the person to whom the identity was assigned.”
Two of the three SCA factors that can be considered, something you know and something you have, which in practice often consist of a password and a one-time code sent by SMS to the user's phone, are regularly compromised by large-scale data breaches, social engineering attacks, phishing scams, SIM swap fraud and man-in-the-middle attacks. This leaves inherence (something you are, i.e. biometrics) as the factor that can most reliably be used for strong authentication.
One of the strongest biometric elements available is a user’s 3D face map. Thanks to the widespread use of biometrics on smartphones, consumers are already used to this technology for authentication.
In a survey by Visa, two-thirds of respondents confirmed using biometrics and found them easier and faster to use than traditional passwords.
The top three benefits users particularly like about biometric authentication are:
- No longer needing to remember passwords (42%)
- Improved security over passwords (34%)
- Not forgetting or losing an authentication method (33%)
By using the same biometric, a 3D face map, for initial identity proofing and ongoing user authentication, organisations can more effectively establish an identity corroboration hub and reliably assess the digital identities of remote users.
Biometric authentication is not only fast and easy to deploy, but it also benefits all stakeholders in an online payment transaction: consumers making the purchase, retailers selling the products and financial institutions enabling the transactions.