Strong customer authentication: challenges for e-commerce and online payments
José Ramón Morales, partner of Garrigues, Co-head of the Garrigues FinTech Hub.
The implementation of strong customer authentication (SCA) in payments is currently at a critical stage for e-commerce. The period for completing the migration to solutions adapted to the new regulation ends on December 31, 2020 in general for the European Economic Area, an even more complex environment in the context of the pandemic and due to the added uncertainty for cross-border online card payments with the United Kingdom whose authorities have established a longer implementation period.
The payment services market in Europe is undergoing a very important transformation: to the emergence of new operators and new business models based on technology innovation (fintech) and the consolidation of new customer habits, has been added the regulatory change caused by Directive (EU) 2015/2366 (DSP2) to try to respond to such factors. This regulatory change has yet to complete at present the deployment of one of its important elements: the effective and widespread implementation of strong customer authentication or SCA procedures for certain electronic transactions and transactions carried out remotely.
SCA is an additional security layer which seeks to improve protection of users (preventing unauthorized access to their funds and to their account information, including personal data) and also prevention of fraud in payments, which may in turn lead to an improvement for merchants that sell online and payment service providers (PSP) which provide services for them; although, as we will see, it also poses significant challenges for e-commerce businesses.
1. The SCA regulatory framework
The SCA is defined in the DSP2 (and, in practically identical terms, in Royal Decree-Law 19/2018 which incorporates DSP2 into Spanish law), as “an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”.
As pointed out by Commission Delegated Regulation (EU) 2018/389, payment services which are offered electronically should be carried out in a secure manner, adopting technologies able to guarantee the safe authentication of the user and to reduce, to the maximum extent possible, the risk of fraud. For this purpose, when performing electronic payment transactions or other transactions through a remote channel which are open to abuse, it is necessary to require the generation of an authentication code which should be resistant against the risk of being forged in its entirety or by disclosure of any of the elements upon which the code was generated. Thus, an authentication code generated exclusively from the factor based on knowledge, as a key word, would be compromised if a data breach occurs; by adding the requirement of a second factor (for example, a biometric identification of the user, which constitutes an inherence factor) so that the code may be generated which authenticates the user when performing the transaction, the risk of unauthorized use of the payment instrument or access to remote electronic operations is very significantly mitigated.
The following are the mechanisms which the regulation has provided to ensure the effective implementation of SCA in transactions online or through a remote channel:
- The obligation to apply SCA procedures which is imposed on PSPs (see next section), with incidence also on certain new fintech operators which play a role in the payments value chain (payment initiation services providers) or in the access to payment accounts information (account information service providers).
- The establishment of rules of allocation of risk in unauthorized payment transactions to the participants in the payment transaction depending on whether or not they demand and accept SCA. In particular:
- If the payer’s PSP (for example, the bank issuer of a payment card) does not require SCA, the payer (the cardholder in that example) will only bear the possible financial consequences of the unauthorized use if it has acted fraudulently. Therefore, in this case, the payer will not be obliged to assume either the loss arising from unauthorized payment transactions within the general limit which may be established by contract with his PSP (which for Spain may be set at most at 50 euros), nor the losses which beyond this amount may arise from having acted in breach with gross negligence of the obligations imposed on it by law in relation to the use of payment instruments and personalized security credentials.
- If the payee (for example, the selling merchant) or the payee’s PSP (for example, the entity that manages the selling merchant’s virtual point of sale terminal) do not accept SCA, they must reimburse the amount of the financial loss caused to the payer’s PSP.
- If the payer’s PSP (for example, the bank issuer of a payment card) does not require SCA, the payer (the cardholder in that example) will only bear the possible financial consequences of the unauthorized use if it has acted fraudulently. Therefore, in this case, the payer will not be obliged to assume either the loss arising from unauthorized payment transactions within the general limit which may be established by contract with his PSP (which for Spain may be set at most at 50 euros), nor the losses which beyond this amount may arise from having acted in breach with gross negligence of the obligations imposed on it by law in relation to the use of payment instruments and personalized security credentials.
2. The duty of PSPs to apply SCA procedures
The DSP2 (Art. 97) requires Member States to ensure that PSPs apply SCA where the payer: (i) accesses its payment account online; (ii) initiates an electronic payment transaction (in the case of remote payment transactions, SCA must also include elements which dynamically link the transaction to a specific amount and a specific payee); or (iii) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
The PSPs’ duty to apply SCA in the above-mentioned transactions has been included, in the case of Spain, in Art. 68 of Royal Decree-Ley 19/2018.
The Delegated Regulation -based on the draft regulatory technical standards addressed to PSPs which the European Banking Authority (EBA) submitted to the European Commission in compliance with the mandate which the DSP2 itself had given to it- had taken charge of specifying:
- The requirements which must be observed by PSPs to apply the SCA procedure, regulating in detail the requirements of security measures which may be demanded both for the generation and acceptance of the authentication code (Art. 4); dynamic linking in electronic payments (Art. 5); and the requirements of the elements categorized as knowledge (Art. 6), as possession (Art. 7), as inherence (Art. 8), in addition to the conditions to ensure independence of authentication elements (Art. 10) so as to ensure that the breach of one of the elements does not compromise the reliability of the others.
Furthermore, the EBA published an opinion in June 2019 on the SCA elements under the DSP2, which sought to clarify the different elements which constitute compliance factors for SCA. - The conditions according to which PSPs could avail of exemptions from SCA, implementing the criteria provided in Art. 98.3 of the DSP2. These exemptions apply in Spain due to the reference in Art. 68.6 of Royal Decree-Law 19/2018 to the provisions of Art. 98.1(b) of the DSP2 (exemption criteria based on the level of risk involved in the service provided, amount and/or recurrence of the transaction, payment channel used).
In particular, the Delegated Regulation established the conditions applicable to the SCA exemptions in the case of access by the user to certain limited information of payment accounts (Art. 10); contactless electronic payment transactions at point of sale (Art. 11); unattended terminals for transport fares and parking fees (Art. 12); payment transactions to payees included on the list of trusted beneficiaries created by the payer (Art. 13); recurring payment transactions with the same amount to the same payee (Art. 14); credit transfers between accounts held by the same person at the same account servicing PSP (Art. 15); in low-value remote electronic payment transactions (Art. 16): when they occur applying secure corporate payment processes and protocols (Art. 17); as well as remote electronic payment transactions identified by the PSP as posing a low level of risk applying the transaction monitoring mechanisms specified by the Delegated Regulation (Art. 18).
3. Legal deadlines and challenges posed for the effective implementation of SCA
The commencement of the application of the Delegated Regulation was established, in relation to SCA, from September 14, 2019 onwards. However, given the complexity of the payments market and the challenges which the necessary changes could involve -in particular for actors other than PSPs (such as businesses engaged in sales by e-commerce)-, the EBA subsequently opened the way for making that deadline more flexible in relation to card payments in e-commerce.
SCA will involve a change in the way consumers and businesses that buy online confirm their identity when purchasing online: the use as an authentication element of the card number together with the CVV number and the expiration date of the card does not comply with SCA requirements (they are not considered, in accordance with the Delegated Regulation, reliable elements of knowledge or possession). In order to comply with the SCA requirement in e-commerce purchases it will be necessary to add an additional authentication factor in card payments. In practice, this involves a greater degree of friction in online purchases (the payment process becomes more cumbersome for the customer) and, therefore, merchants greatly involved in online selling are quite concerned about the increase of rates of abandonment of online purchasing processes which it may cause, which may lead to a drop in their sales.
Furthermore, the effective implementation of the SCA requirements not only requires that they are adopted by PSPs, but also in general by all merchants that admit online payments. In practice, this widespread adoption is faced with significant barriers, not only technological but also as regards knowledge and awareness, and capacity to assume costs, which particularly affect the retail trade.
In this context, as we pointed out earlier, the EBA has considered the extension of the period for completing the migration to SCA in card payments by publishing successive opinions:
- The EBA Opinion of June 2019 envisaged the provision of limited additional time for card-based e-commerce payments, so as to permit PSP card issuers to migrate to authentication approaches that are compliant with SCA, and acquiring PSP to migrate their merchants to solutions that are compatible with SCA. However, this flexibility was subject to the PSPs establishing migration plans, agreeing them with the competent national authorities and executing the plans in an expedited manner.
- The EBA Opinion of October 2019 advised the competent national authorities to adopt a consistent approach as regards migration plans and set December 31, 2020 as the deadline for completing the migration plans of PSPs (including implementation and tests with stores). This does not mean that the application of SCA is deferred, but rather that the national supervisory authorities will focus up to that date on monitoring the migration plans.
Banco de España (Spanish Central Bank) published in October 2019 an informative memorandum echoing the EBA Opinion, the migration period up to December 31, 2020 envisaged in it, and announcing that the relevant actions would be carried out in accordance with the EBA Opinion.
Diverging from the EBA Opinion, in the United Kingdom this extension of the deadline was initially set by the Financial Conduct Authority until March 14, 2021.
For Spain, the main business associations of the credit institutions sector presented an action plan in October 2019 defining in detail and with a time schedule the actions to be carried out for the adaptation of e-commerce sector (which included tasks related to retailing, PSPs, card brands, and payment processors) with the objective of completing migration in December 2020. They also pointed out that from December 31, 2020 onwards e-commerce transactions which fail to apply SCA or may avail of an SCA exemption would begin to be refused.
However, the economic and operational impact of the exceptional situation caused by the COVID-19 pandemic has triggered a debate (with requests from various sectors and from certain national authorities) regarding the advisability of establishing an extension of the time limit for completing the migration to SCA in e-commerce beyond December 31, 2020. In the United Kingdom, the Financial Conduct Authority has enlarged the extension of its time limit until September 14, 2021. On the other hand, the EBA has not decided to date, nor does it seem to intend to establish, any extension of the time limit beyond December 2020; which leaves a large degree of uncertainty regarding the actual capacity to complete migration on that date for e-commerce operators as a whole.
It must also be borne in mind that among the solutions to implement on a large scale the SCA requirements, those offered by the card schemes (for example, Visa Secure, Mastercard ID Check, or AmEx SafeKey) are most noteworthy. New versions of these solutions, adapted to the EMV 3-D Secure V2.2 specification, are currently in the process of being deployed among merchants and customers, which would also allow compliance with SCA requirements, the application of SCA exemptions and the maintenance of an appropriate user experience to minimize the risk of an increase of rates of abandonment in online purchases.
4. Conclusion
The situation regarding SCA implementation in the ecommerce sector is currently at a critical stage which faces (1) the difficulties of the large-scale deployment of the solutions adapted to SCA and the imminent end of the period granted to complete migration (December 31, 2020 in general in the European Economic Area), (2) the additional difficulties of the exceptional economic, operational and social situation arising from the pandemic, and (3) the risk that the deadlines for implementation which are not the same in the United Kingdom and in the countries which follow the EBA deadlines may further complicate the handling of fraud in cross-border e-commerce payments which involve parties operating in the different territories, in an environment of added uncertainty regarding the legal framework which will apply to the relations between the European Union and the United Kingdom from January 1, 2021 onwards.