The revised Payment Services Directive (PSD2) brought about a number of fundamental changes to the payments market in the EU, including imposing a requirement for certain payment services providers (PSPs) to apply strong customer authentication (SCA) where a payment service user:
- accesses their payment account online, whether directly or through an account information service provider (AISP); or
- initiates an electronic payment transaction; or
- carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
On the eve of what would have been the deadline day for compliance with the proposed SCA rules, we look at the journey so far and at how SCA will affect the way in which payment services providers and other entities in the payment chain verify a payment service user's identity or validate a specific payment instruction, with the aim of reducing the risk of fraud and financial loss.
What is Strong Customer Authentication?
SCA is defined as: “authentication based on the use of two or more elements categorised as knowledge (something only the user would know), possession (something only the user possesses) and inherence (something the user is)…[where] the breach of one does not compromise the reliability of the others, and is designed…to protect the confidentiality of the authentication data”. SCA will be applicable to all electronic payments, as prescribed in PSD2.
Mandated to support PSD2, the European Banking Authority (EBA) developed regulatory technical standards on SCA and common and secure communication, as well as regulating the access to customer payment account data held in account servicing PSPs. On 21 June, the EBA published an opinion on questions posed by PSPs as to what authentication factors comply with the requirements for SCA (the Opinion), as well as addressing concerns around the preparedness and compliance of actors in the payments chain with SCA due to come into force on the September deadline. This week, the FCA has agreed a plan giving the payments and e-commerce industry extra time to implement SCA.
What does the Opinion say?
The Opinion outlined the SCA requirements themselves, detailing which elements would be regarded as compliant, based on what the EBA had seen from PSPs to date:
Regarded as the most innovative and fast moving, with new approaches continuously entering the market, inherence is ‘something the user is’, and includes retina and iris scanning, voice recognition and fingerprint scanning. On the other hand, a swiping path memorised by the payment service user would not be regarded as an inherence element, although it could amount to an acceptable method of satisfying the knowledge element, as it would be viewed as something only the individual would know. Communication practices appear to be a contentious subject, with protocols such as EMV® 3-D Secure version 2.0 not currently satisfying the inherence element, although the EBA argues that if the data points exchanged via such protocols in future enabled PSPs to determine ‘something the payment services user is’, this may change.
Nevertheless, the EBA accepts that the use of protocols such as EMV® 3-D Secure provides a means for merchants to support the use of SCA, with versions 2.0 and beyond supporting SCA methods and limiting fraud through data sharing and transaction risk analysis.
Defined as ‘something only the user possesses’, possession refers to both physical and non-physical items, such as an app on the user’s mobile phone or tablet. PSPs that rely on a mobile app, a web browser or the exchange of (public and private) keys may therefore satisfy the possession element, provided a unique connection is established between the payment service user’s app, browser or key and the device. However, if a unique connection with a device is not established, it could not be a compliant possession element. The EBA went on to state that card details and the card security code printed on the card, as well as printed matrix cards or one-time password (OTP) lists designed to authenticate the payment service user, would also sit outside possession compliance. This differs slightly from the FCA’s PSD2 Approach Document (originally published in September 2017): while it agrees that static information printed on a card would not be regarded as a satisfactory knowledge element, it could be used as evidence of possession of the card itself, if used alongside a knowledge or inherence element.
Described as ‘something only the user knows’ within PSD2, knowledge was viewed by the EBA as satisfied by a number of elements, such as a password, PIN or knowledge-based challenge questions. Conversely, card details and the security code printed on the card would not satisfy the knowledge element. However, if the card security code was not printed on the card but sent to the payment services user separately, it could constitute a knowledge element. Similarly, while an OTP may provide evidence of possession, the EBA did not view this as satisfying the knowledge element, and contrasted it with possession on the basis that knowledge must exist before the initiation of the payment or the online access.
While the EBA found that a number of PSPs’ existing approaches within e-commerce are in line with SCA requirements, as they combined two compliant elements, a number did not. This included approaches in which card details printed in full on the card are used as stand-alone elements, or are used in combination with a communication protocol or with only one compliant SCA element (such as SMS OTP). The EBA also emphasised that the two compliant elements must come from two different categories in order to be compliant; two compliant elements from the same category (such as SMS OTP and dynamic card security codes) would not be compliant.
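The combination rule above (two or more compliant elements, drawn from at least two different categories) is easy to get wrong when an existing checkout flow is audited element by element. The following validator is an added example written for this article; it is not code from the EBA, the FCA or any PSP. The element catalogue is a constructed illustration that follows the EBA view as summarised above (for instance, card details printed on the card are treated as compliant in no category, which is where the FCA's Approach Document differs), and every element name is an assumed label rather than a regulatory identifier.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something the user is


@dataclass(frozen=True)
class Element:
    """An authentication element and the category the EBA would credit it to.

    category is None when the element is not a compliant SCA element at all.
    """
    name: str
    category: Optional[Category]
    note: str = ""


# Constructed catalogue mirroring the EBA Opinion as summarised in the article.
# Names are assumed labels for illustration only.
CATALOGUE: Dict[str, Element] = {
    "password": Element("password", Category.KNOWLEDGE),
    "pin": Element("pin", Category.KNOWLEDGE),
    "challenge_questions": Element("challenge_questions", Category.KNOWLEDGE),
    "memorised_swipe_path": Element("memorised_swipe_path", Category.KNOWLEDGE,
                                    "knowledge, not inherence"),
    "cvv_sent_separately": Element("cvv_sent_separately", Category.KNOWLEDGE,
                                   "only because it is not printed on the card"),
    "sms_otp": Element("sms_otp", Category.POSSESSION, "evidence of possession, not knowledge"),
    "dynamic_card_security_code": Element("dynamic_card_security_code", Category.POSSESSION),
    "app_bound_to_device": Element("app_bound_to_device", Category.POSSESSION,
                                   "requires a unique app-to-device binding"),
    "fingerprint": Element("fingerprint", Category.INHERENCE),
    "iris_scan": Element("iris_scan", Category.INHERENCE),
    "voice_recognition": Element("voice_recognition", Category.INHERENCE),
    # Elements the EBA does not credit to any category:
    "card_details_printed_on_card": Element("card_details_printed_on_card", None,
                                            "static data printed on the card"),
    "printed_otp_list": Element("printed_otp_list", None, "printed matrix/OTP list"),
    "app_not_bound_to_device": Element("app_not_bound_to_device", None,
                                       "no unique connection to a device"),
    "3ds_v2_protocol_data": Element("3ds_v2_protocol_data", None,
                                    "communication protocol, not an inherence element"),
}


def evaluate_sca(element_names: List[str]) -> Tuple[bool, str, List[str]]:
    """Apply the EBA combination rule to a list of element names.

    Returns (compliant, reason, rejected) where rejected lists the elements
    that were not credited to any category, so an auditor can see why a
    flow fails rather than only that it fails.
    """
    unknown = [n for n in element_names if n not in CATALOGUE]
    if unknown:
        raise ValueError(f"unknown elements: {unknown}")

    elements = [CATALOGUE[n] for n in element_names]
    credited = [e for e in elements if e.category is not None]
    rejected = [e.name for e in elements if e.category is None]

    # Rule 1: at least two compliant elements.
    if len(credited) < 2:
        return False, "fewer than two compliant elements", rejected

    # Rule 2: the compliant elements must span at least two categories.
    categories = {e.category for e in credited}
    if len(categories) < 2:
        only = next(iter(categories)).value
        return False, f"all compliant elements are in the same category ({only})", rejected

    spanned = ", ".join(sorted(c.value for c in categories))
    return True, f"compliant: covers {spanned}", rejected


if __name__ == "__main__":
    for combo in (["password", "sms_otp"],
                  ["sms_otp", "dynamic_card_security_code"],
                  ["card_details_printed_on_card", "3ds_v2_protocol_data"]):
        ok, why, dropped = evaluate_sca(combo)
        print(f"{combo}: {'PASS' if ok else 'FAIL'} ({why}); not credited: {dropped}")
```

The `rejected` list is the part worth keeping in a real audit trail: the EBA's failing examples on this page fail not because a factor is missing outright but because a printed card detail or a protocol exchange was being counted as one, and a yes/no answer alone hides that.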
The analysis described above led the EBA to stress that sufficient time had been available for the industry to prepare for the application date of SCA (14 September 2019), although it conceded that, given the complexity of payments markets across the EU and the resulting challenges, a number of actors within the payments chain would struggle to comply by the original deadline. In response, the FCA have agreed an 18-month plan to implement SCA with the e-commerce industry of card issuers, payments firms and online retailers. This extension appears to accept the EBA’s conclusion that more time is needed to implement SCA given the complexity of the requirements, a general lack of preparedness in the market, and the potentially significant impact on consumers/users.
As with the Opinion, the FCA’s plan echoes the intention of the EBA to exercise ‘regulatory flexibility’ to provide limited additional time to enable issuers to implement SCA-compliant processes and acquirers to move their merchants to solutions supporting SCA. During this period, the FCA have confirmed that they will not take enforcement action against those that do not meet the requirements prescribed for SCA, although this will only be the case where PSPs are able to show that they have taken the necessary steps to comply with the migration plan. At the end of the 18-month period, the FCA expects all firms to have made the necessary changes and carried out the required testing to apply SCA, and will start enforcing where necessary.
Based on the publications by both the EBA and the FCA, the message to PSPs and retailers is clear: continue to implement your proposed plans to improve the security of customer authentication and mitigate fraud as soon as possible, and no enforcement action will be taken on the expectation that you will meet the revised deadline, an approach the regulator regards as proportionate. PSPs may therefore need to pose questions internally to ensure that:
- All relevant stakeholders agree with the approach taken with SCA – what elements would be utilised and when, how this would be provided by the payment services user and at what stage;
- The relevant infrastructure is in place to allow this to work operationally from the relevant date;
- The data you hold for a customer is correct, and confidentiality of this information is maintained;
- Payment service users are aware of their continued responsibility to remain alert to the possibility of banking and online account scams; and
- A clear, coherent communication and marketing strategy is devised, ensuring that key information is sent out at the correct time, informing payment services users of changes, reminding them of the circumstances in which you would contact them and advising them of what information should (and should not) be shared.
Retailers may also need to ask their merchant acquirers and online checkout providers what their intended approach to compliance is. Non-compliance and failure to meet the revised deadline could result in transactions failing to be authenticated and being refused, resulting in lost sales and revenue.
Without taking the necessary steps to comply with the migration plan, PSPs may be subject to enforcement action by the FCA.