Merchants unprepared for SCA

By Michael McCaw | 14 March 2019

As many as 25% of Europe’s online merchants are unaware of strong customer authentication (SCA) requirements, due to come into force in September under the continent’s revised Payment Services Directive (PSD2). Of those who are aware of the rules, only 40% feel they will be compliant by the deadline. Both statistics point to serious change in the payments industry, say market participants.

Payment providers can lose their licence if they don’t conform to SCA. That could be a really big deal for banks or credit issuers,” says Angie White, product marketing manager, at Iovation, the firm responsible for the research.

For White, payment service providers (PSPs) should assist merchants in preparing for the new set of rules.

“The PSPs are really going to have to do some due diligence in educating merchants and educating the market about the changes that are going to take place,” she says, suggesting that fines could be handed out by regulators should firms fail to comply in order to make sure the market is “paying attention.”

The deadline to comply with PSD2’s regulatory technical standards – including SCA – is September 14. The deadline for banks to have established open API environments ready for testing by account information service providers (AISP) and payment initiation service providers (PISP) was today. That obligation will see many more fintech firms approaching banks to secure services via their APIs, but concerns linger that should banks fail to meet this deadline it could have a knock-on effect to implementation.

“If financial institutions fall behind in laying the technical groundwork required by PSD2, they will not be ready to provide the connectivity expected by consumers later this year,” says Anton Zdziebczok, head of product strategy at Crealogix.

The UK’s Open Banking initiative and Europe’s PSD2 were established to drive innovation in the retail banking sector, but Iovation’s report – based on interviews with payments executives at European banks, other PSPs, merchants, card schemes and consultancy firms – suggests traditional card-based payments may not be under threat within the next five years.

“It is not clear how a consistent, user-friendly offering can be developed for the European market that is attractive enough for consumers to change their payment preferences,” reads the report.

However, White suggests banks’ security concerns should be considered a far more pressing matter.  

“I’m really concerned about the opening of APIs. Banks hold really sensitive information, and the bar that’s going to be set for third party providers to then secure that data needs to be considered. That’s a possible new threat. Could fraudsters exploit that?”

“Also the SCA requirements are only for online remote transactions initiated by the payer so it doesn’t include things like direct debits or automated clearing house payments,” she says. “If merchants move to those channels it’ll be interesting to see how security measures change.”

That said, given the number and extent of breaches seen within banks’ payments networks in recent years, White welcomes the new standards set out by the regulations.

“Up to this point a lot of businesses perhaps haven’t done the due diligence in securing transactions for customers looking at all the massive breaches that have happened over the past ten years. A lot of this is in response to businesses not hitting the bar they need to,” she says.

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development