Why the payments industry needs to act quickly on the EBA’s latest PSD2 SCA Opinion

On Friday 21st June the EBA published a new Opinion Paper on the elements of strong customer authentication (SCA) under PSD2 which has been subsequently been backed up a by confirmatory statement from the European Commission. This opinion has significant practical implications for issuers, acquirers, card schemes and local regulators currently working to prepare for the   imminent deadline for compliance with the PSD2 SCA Regulatory and Technical Standards (RTS) on 14th September 2019. In this post I summarise the main points made by the EBA, look at their potential impact and suggest the actions stakeholders need to take.

Merchants, consumers and regulators are not ready to implement SCA

Our recent work supporting preparations for PSD2 has brought home the need to strike a pragmatic balance between the objectives and spirit of the regulation and the practical challenges of implementing SCA solutions that will work for consumers and merchants and are practically deliverable by PSPs and vendors.

Technical solutions based mainly around 3DS 2.0 will be partially available in time for 14th September, however it is also clear and widely recognised that many merchants will not be ready to implement them and with less than three months to go, consumers are unaware of the imminent changes to their online and mobile shopping experiences.

Furthermore, there is still uncertainty over the allowable interpretation of certain key aspects of the Regulatory and Technical Standards (RTS) and a tension between the wording of the regulation and the need to implement practical and inclusive SCA solutions that minimise disruption to the user experience, shopping cart abandonment and unnecessary transaction declines. The use of card credentials as an SCA factor alongside SMS delivered one time passwords (OTPs) is one of the most contentious outstanding issues.  

The EBA’s key rulings

The EBA opinion provides clarification on these issues.

In doing so it is requiring local regulators, or Competent Authorities (CAs), to take a more interventionist approach to ensuring issuers and acquirers implement compliant solutions and take responsibility for their adoption by merchants within short agreed timescales.

It also effectively outlaws the use of card details as an SCA factor and restricts OTPs to proving possession. In doing so, the EBA deems most current SMS OTP based approaches, the SCA solution most widely deployed and planned by European issuers, to be non-complaint.

The key points and provisions of the opinion in more detail are as follows:

1)    The opinion acknowledges the complexity of payments markets across the EU, that some actors, notably merchants, may not be ready by 14th September and that key component for the successful application of SCA is to explain the changes to customers. It also acknowledges that it is paramount for customers to be able to continue making online payments.

2)    The opinion accepts that CAs may work with PSPs and other stakeholders to provide limited additional time to allows issuers to migrate to complaint authentication approaches and acquirers to migrate their merchants.

3)    This extra time is on condition that issuers and acquirers have set up and agreed a migration plan with their local CAs and that CAs monitor these plans to ensure swift compliance and consistency of authentication approaches across the EU.

4)    The opinion requires that CAs engage with:

Issuers to identify the two-factor authentication approaches they are using, or their migration plans to meet SCA requirements Acquirers to understand the implementation approaches they are taking with merchants and the migration plans they have in place comply All PSPs to ensure they have customer and merchant communications plans in place

5)    Both the EBA will monitor for consistency and take actions to remedy where necessary and the Commission will also be “particularly vigilant in monitoring the transition ensuring that all players…play their full role and assume their responsibilities”

6)    Biometrics, including behavioural biometrics are an acceptable as inherence elements and there is some detailed clarification on what is acceptable, however data points provided by merchants for Risk Based Authentication (RBA) through the 3DS 2.0 protocol are not currently considered to constitute inherence elements and memorised swipe paths may constitute knowledge but not inherence elements

7)    Static card details and security codes printed on card cannot be used as either a possession or knowledge element and the opinion advises CAs to closely monitor their application

8)    Dynamic card security codes may be used to provide evidence of possession and card security codes that are not printed on the card but sent separately to a customer could constitute a knowledge element

9)    An OTP cannot be used as a knowledge element

10)  Some leeway is given on dynamic linking, with the EBA recognising that not all compliant elements may yet be able to enable dynamic linking but encouraging CAs to ensure that new SCA approaches can.

Note that the opinion does not change the current view on the application of exemptions or transactions that are out of scope of SCA, so those aspects of an issuer, acquirer or merchant strategy are not changed. It does however put more focus on acquirers to accelerate their efforts to bring merchants on board and impacts the way in which an SCA challenge is applied when it is required, and the way issuers communicate this to their customers.

A late and heavy-handed intervention?

While the opinion paper acknowledges the reality of the complex task faced by the payments industry and the impacts on consumers and merchants of getting it wrong, this comes very late – less than three months before the implementation date, and has significant implications for issuers, acquirers and indeed for CAs. It is positive that the need for properly structured managed rollouts of SCA is now accepted. This is something that the UK payments and retail industry has been quietly working on with the UK CA, the Financial Conduct Authority (FCA) for a while – for more on this see below. However, it represents a change from the previous approach of the Commission and EBA that was built on technical neutrality. In addition, the practicality of aligning approaches across all countries and CAs within the EU at such short notice will be extremely challenging. 

Furthermore, the opinion on card details as a factor will be viewed by many as a backwards step that is unlikely to decrease fraud, will inconvenience consumers and potentially puts them directly at risk from fraudsters seeking to steal security credentials.

While the EBA Opinion is not in itself legally binding, the nature of the requirement it puts on CAs means that the industry has little choice but to accept it and adjust its course to comply.

The need for a layered response

The payments and retail industries need to respond at both a national and individual company level.

Nationally, industry representatives and trade associations need to work closely with their competent authorities to craft managed rollout plans that will lead to full compliance, merchant adoption and consumer awareness in short, but achievable timescales.

The UK approach led by industry body UK Finance in conjunction with the British Retail Consortium (BRC) and other retail trade bodies alongside the card schemes and leading issuers and acquirers provides a potential model. The FCA has supported and fully engaged with the initiative.  

In it's response to the EBA’s opinion published today (28th June) the FCA has confirmed that it aims “to quickly agree a plan with stakeholders across the industry that encompasses a blueprint for compliance and readiness, a timetable for achieving this, and key milestones and targets to deliver improved security of customer authentication and fraud reduction along the way.” The FCA also states that once the group has finalised the plan and the FCA has agreed it, it expects all participants to meet the agreed milestones, targets and final delivery date but that it will not take enforcement action against firms if the do not meet relevant requirements for SCA from 14th September. But this delay to enforcement is not an opportunity for the industry to sit back and relax. The FCA makes it clear that it only applies to areas covered by the migration plan and where there is evidence that the firms have taken the necessary steps to comply with the plan.

It is clear that while there is some leeway on the date for enforcement, individual issuers and acquirers will to have review their current implementation and customer engagement programmes and be prepared to submit their plans to a higher level of regulatory scrutiny and oversight. So, what do they need to do?

Considerations for Issuers

The impact for issuers is twofold, particularly for those whose current or planned SCA strategy relies on card credentials as one of the factors, or on a one-time password as a knowledge factor. There will be a need to review and potentially change SCA challenge method strategy and develop a structured and long-term customer communications plan. The two are aspects are clearly interlinked.

Developing a revised SCA strategy will be challenging while there is uncertainty over which CAs will opt for a managed implementation and what the timescales and milestones will be where they do. The one thing that may help is that the options for issuers are now severely limited and by default all issuers and CAs are going to have to converge on similar approaches. This will likely comprise:

1)    Defining an endpoint by which time all SCA step up options offered to customers are fully compliant and ensuring that this endpoint can be reached in the shortest practicable timescale.

2)    Accelerating the adoption of biometric and app based authenticators as the favoured solution with a compliant alternative choice for those customers unable or unwilling to use a smartphone or app.

3)    Continuing with committed to plans to deploy non-compliant SCA step up solutions for the short term. This will support the adoption of 3DS by merchants and will bring experience of working with exemptions. There will however be a need to set a clear transition strategy and ensure that customers are fully prepared for an early second transition to a compliant solution.

4)    Carefully consider and understand the impact on customer experience and ensure that the latest version of 3DS 2.0 and other card scheme authentication and authorisation solutions are supported as early as possible throughout the roadmap.  This will optimise the application of exemptions, minimise unnecessary step ups and declines and give the best experience for customers.

Customer communication strategies will need to explain and prepare customers for the full transition period explaining the background and rationale to SCA, the long-term aim and the interim steps. They will also be a need to proactively encourage customers to adopt biometric and app based solutions to a greater extent than may have been previously envisaged.

Considerations for Acquirers

The opinion and statement from the Commission make it clear that responsibility for ensuring merchants are able to support SCA lies with acquirers. This means ensuring all merchants support the appropriate version of 3DS 2.0 within the timescales that are agreed for managed rollouts. Some key points to take into account are:

1)    You will need to develop a plan that can be shared and agreed with CAs (in the member states in which you operate) and that you can demonstrate that you can deliver on

2)    Many merchants, particularly smaller ones, will have little or no awareness of PSD2 SCA or 3-D Secure, and proactive and effective communications campaigns will be needed to raise awareness

3)    Merchants and their ecommerce solution providers will need clear and unambiguous instructions on what they must do, by when - and will need reminders.

4)    High level awareness campaigns will need to be backed up with effective guidance and support resources targeting merchants, gateways, e-commerce web developers etc.

5)    Adoption of SCA will not be a business priority for many merchants and yet acquirers will be held responsible for ensuring they adopt or upgrade. This will require sustained and effective communication and potentially the need to offer creative incentives.

Where Next?

The EBA opinion and the Commission statement have only just been published, and there will be a need for CAs, industry associations and others to digest and agree their approach. While this means continued uncertainty over the detail, the overall message for issuers and acquirers is clear and if current plans don’t take account of these clarified requirements there is a need to start working on the response.