Strong customer authentication (SCA) is “GDPR on steroids”, and regulators aren’t making compliance easier by being divorced from the payments process on the ground. That’s according to Paul Rodgers, chairman of Vendorcom, speaking on a panel at an industry event in London this week.
Quoting a regulatory source, Rodgers claimed that as many as 30% of transactions could be declined come the September 2019 deadline for SCA compliance. Rodgers called on organisations such as the BBC to produce more understandable messaging for both customers and small businesses: “If we can’t sometimes understand [what’s required], how will it affect people outside these four walls?”.
Francois Steque, director for external industry engagement at American Express, argued that while “not everything” would be in place from day one, it “won’t be as bad as 30%”. “When chip and PIN was introduced, we all thought that everyone would forget their numbers, and that transactions would be declined at point of sale. We expected a huge disruption.”
The need for two of three authentication factors in SCA – possession, knowledge and inherence – naturally lends itself well to channels which can quickly utilise all three, argued Steque. He predicted that we may see a major shift towards mobile payments as a result, as the channel features readily-implemented biometrics.
“We’re obsessed with mobile,” said Rodgers. “We’re obsessed with interaction. We need to think beyond that.” The payments industry, he argued, is “out of the loop” when it comes to determining what authentication methods are best for people on the ground. “It’s the phone for most of us today, but it’s also the TV, the train station kiosk and the car,” he said. “It’s about time that the guys who manfacture [the latter] got a little bit cleverer.”
“We’re hanging everything on mobile and giving it a huge market,” said Steque. “If the browser manufacturers or PC manufacturers don’t do a better job in rolling out authentication then we’ll all be dependent on the mobile channel.”
According to a 2017 survey produced by Deloitte, a quarter of firms in the payments industry are concerned about unclear regulatory guidance around SCA. 83% from the same study indicated that they were planning to make, or were evaluating, changes to their payment techniques in response to SCA.
Brian Daly, lead product manager at Post-Quantum, said that security around the payment ecosystem is not the be-all and end all. He said his firm works with major call centres, which operate in tandem with banks and merchants. “We’re concerned with authorisation of people coming into the network,” he said. “When you get in and are talking to someone they need to know it’s you via voice biometrics.”
The most common method of authentication for card payments, 3D Secure (3DS), has seen the release of a new version, 3DS2, by creator EMVCo. Where 3DS required a user to be redirected to a separate webpage to input their details, 3DS2 uses up to 100 data points to authenticate a user making a transaction.
Still, 3DS2 is not a “panacea” when it comes to solving SCA, said Steque. “It offers an opportunity to add a channel and step up authentication, but at the end of the day, everyone is different and will have separate pressure points.”