Market participants are still struggling with aspects of strong customer authentication (SCA) ahead of the December 31 deadline, according to payment service providers (PSPs).
“At the beginning it was very misunderstood from the perspective that it [was thought to be] the same as two-factor authentication, or something just about securing how customers authorise their transactions. It’s more than that. It’s also about making [the transaction] more transparent, which is about how the information is presented to the customer … And that second piece is actually a struggle for everybody,” says Marius Galdikas, chief technology officer, ConnectPay.
Incumbent banks struggle with legacy systems that are unable to support multi-factor authentication, whereas fintechs are often unable to confirm multiple payments at once, he says.
“How do you present that information when there’s a single confirmation for 100 payments? That’s creativity. It’s sort of up in the air and out there. Nobody’s really doing it yet and everybody will have to be in line with this regulation, but everyone is afraid because there’s no one to look at – nobody’s done it yet,” he says.
Despite market participants still working on their SCA processes, Galdikas does not believe the deadline should have been pushed. In April, the UK’s Financial Conduct Authority (FCA) delayed the SCA date until September 2021 due to the pandemic. The European Banking Authority (EBA) has not issued a delay.
Ralf Gladis, chief executive at Computop, a PSP, disagrees with the EBA’s decision to stand by the December deadline.
“In the UK, where the deadline has been extended to September 2021, merchants will have a lot more time to get their SCA implementation processes in order. However if they sell to customers in Europe, then like all EU retailers they will need to work towards an end-of-year deadline, and we believe that this is not enough time,” he said in an email.
“Online retailers have already committed huge trading expenditure so they could survive lockdown and it would be better for them if they could at least get back on their feet before having to invest considerable time in meeting SCA requirements.”
According to Gladis, instances of non-compliance will emerge in the EU come January, causing a negative long term impact on the industry.
“It’s not just merchants in the spotlight either because it’s obvious that banks and acquirers are also a long way from fulfilling their obligations to SCA. We would like to see an extension that acknowledges the difficulties in the market, but still gives all parties a target to work towards,” he said.
Galdikas says the pandemic has accelerated PSPs’ security solutions. In May, ConnectPay launched a mobile authenticator app which covers multi-factor authentication and one tap approvals for payments. He believes companies have had to increase their creativity to find new solutions fast.
“It’s an issue of priorities. Maybe before [coronavirus] SCA was not a priority as much – now it is a priority. Online presence is a must,” he says.
“[SCA] not a specific technical solution; there are many ways to do it. None of them are 100 percent as per regulation, but this is definitely a top priority.”