On Friday 21st June the EBA published a new Opinion Paper on the elements of strong customer authentication (SCA) under PSD2, which has subsequently been backed up by a confirmatory statement from the European Commission. This opinion has significant practical implications for issuers, acquirers, card schemes and local regulators currently working to prepare for the imminent deadline for compliance with the PSD2 SCA Regulatory and Technical Standards (RTS) on 14th September 2019. In this post I summarise the main points made by the EBA, look at their potential impact and suggest the actions stakeholders need to take.
Merchants, consumers and regulators are not ready to implement SCA
Our recent work supporting preparations for PSD2 has brought home the need to strike a pragmatic balance between the objectives and spirit of the regulation and the practical challenges of implementing SCA solutions that will work for consumers and merchants and are practically deliverable by PSPs and vendors.
Technical solutions based mainly around 3DS 2.0 will be partially available in time for 14th September, however it is also clear and widely recognised that many merchants will not be ready to implement them and with less than three months to go, consumers are unaware of the imminent changes to their online and mobile shopping experiences.
Furthermore, there is still uncertainty over the allowable interpretation of certain key aspects of the Regulatory and Technical Standards (RTS) and a tension between the wording of the regulation and the need to implement practical and inclusive SCA solutions that minimise disruption to the user experience, shopping cart abandonment and unnecessary transaction declines. The use of card credentials as an SCA factor alongside SMS delivered one time passwords (OTPs) is one of the most contentious outstanding issues.
The EBA’s key rulings
The EBA opinion provides clarification on these issues.
In doing so it is requiring local regulators, or Competent Authorities (CAs), to take a more interventionist approach to ensuring issuers and acquirers implement compliant solutions and take responsibility for their adoption by merchants within short agreed timescales.
It also effectively outlaws the use of card details as an SCA factor and restricts OTPs to proving possession. In doing so, the EBA deems most current SMS OTP based approaches, the SCA solution most widely deployed and planned by European issuers, to be non-compliant.
The key points and provisions of the opinion in more detail are as follows:
1) The opinion acknowledges the complexity of payments markets across the EU, that some actors, notably merchants, may not be ready by 14th September, and that a key component for the successful application of SCA is to explain the changes to customers. It also acknowledges that it is paramount for customers to be able to continue making online payments.
2) The opinion accepts that CAs may work with PSPs and other stakeholders to provide limited additional time to allow issuers to migrate to compliant authentication approaches and acquirers to migrate their merchants.
3) This extra time is on condition that issuers and acquirers have set up and agreed a migration plan with their local CAs and that CAs monitor these plans to ensure swift compliance and consistency of authentication approaches across the EU.
4) The opinion requires that CAs engage with:
- Issuers, to identify the two-factor authentication approaches they are using, or their migration plans to meet SCA requirements
- Acquirers, to understand the implementation approaches they are taking with merchants and the migration plans they have in place to comply
- All PSPs, to ensure they have customer and merchant communications plans in place
5) The EBA will monitor for consistency and take action to remedy where necessary, and the Commission will also be “particularly vigilant in monitoring the transition ensuring that all players…play their full role and assume their responsibilities”.
6) Biometrics, including behavioural biometrics, are acceptable as inherence elements and there is some detailed clarification on what is acceptable. However, data points provided by merchants for Risk Based Authentication (RBA) through the 3DS 2.0 protocol are not currently considered to constitute inherence elements, and memorised swipe paths may constitute knowledge but not inherence elements.
7) Static card details and security codes printed on the card cannot be used as either a possession or knowledge element, and the opinion advises CAs to closely monitor their application.
8) Dynamic card security codes may be used to provide evidence of possession, and card security codes that are not printed on the card but sent separately to a customer could constitute a knowledge element.
9) An OTP cannot be used as a knowledge element.
10) Some leeway is given on dynamic linking, with the EBA recognising that not all compliant elements may yet be able to enable dynamic linking but encouraging CAs to ensure that new SCA approaches can.
Note that the opinion does not change the current view on the application of exemptions or transactions that are out of scope of SCA, so those aspects of an issuer, acquirer or merchant strategy are not changed. It does however put more focus on acquirers to accelerate their efforts to bring merchants on board and impacts the way in which an SCA challenge is applied when it is required, and the way issuers communicate this to their customers.
A late and heavy-handed intervention?
While the opinion paper acknowledges the reality of the complex task faced by the payments industry and the impacts on consumers and merchants of getting it wrong, this comes very late – less than three months before the implementation date, and has significant implications for issuers, acquirers and indeed for CAs. It is positive that the need for properly structured managed rollouts of SCA is now accepted. This is something that the UK payments and retail industry has been quietly working on with the UK CA, the Financial Conduct Authority (FCA) for a while – for more on this see below. However, it represents a change from the previous approach of the Commission and EBA that was built on technical neutrality. In addition, the practicality of aligning approaches across all countries and CAs within the EU at such short notice will be extremely challenging.
Furthermore, the opinion on card details as a factor will be viewed by many as a backwards step that is unlikely to decrease fraud, will inconvenience consumers and potentially puts them directly at risk from fraudsters seeking to steal security credentials.
While the EBA Opinion is not in itself legally binding, the nature of the requirement it puts on CAs means that the industry has little choice but to accept it and adjust its course to comply.
The need for a layered response
The payments and retail industries need to respond at both a national and individual company level.
Nationally, industry representatives and trade associations need to work closely with their competent authorities to craft managed rollout plans that will lead to full compliance, merchant adoption and consumer awareness in short, but achievable timescales.
The UK approach led by industry body UK Finance in conjunction with the British Retail Consortium (BRC) and other retail trade bodies alongside the card schemes and leading issuers and acquirers provides a potential model. The FCA has supported and fully engaged with the initiative.
In its response to the EBA’s opinion published today (28th June) the FCA has confirmed that it aims “to quickly agree a plan with stakeholders across the industry that encompasses a blueprint for compliance and readiness, a timetable for achieving this, and key milestones and targets to deliver improved security of customer authentication and fraud reduction along the way.” The FCA also states that once the group has finalised the plan and the FCA has agreed it, it expects all participants to meet the agreed milestones, targets and final delivery date, but that it will not take enforcement action against firms if they do not meet relevant requirements for SCA from 14th September. But this delay to enforcement is not an opportunity for the industry to sit back and relax. The FCA makes it clear that it only applies to areas covered by the migration plan and where there is evidence that the firms have taken the necessary steps to comply with the plan.
It is clear that while there is some leeway on the date for enforcement, individual issuers and acquirers will have to review their current implementation and customer engagement programmes and be prepared to submit their plans to a higher level of regulatory scrutiny and oversight. So, what do they need to do?
Considerations for Issuers
The impact for issuers is twofold, particularly for those whose current or planned SCA strategy relies on card credentials as one of the factors, or on a one-time password as a knowledge factor. There will be a need to review and potentially change the SCA challenge method strategy and to develop a structured and long-term customer communications plan. The two aspects are clearly interlinked.
Developing a revised SCA strategy will be challenging while there is uncertainty over which CAs will opt for a managed implementation and what the timescales and milestones will be where they do. The one thing that may help is that the options for issuers are now severely limited and by default all issuers and CAs are going to have to converge on similar approaches. This will likely comprise:
1) Defining an endpoint by which time all SCA step up options offered to customers are fully compliant and ensuring that this endpoint can be reached in the shortest practicable timescale.
2) Accelerating the adoption of biometric and app based authenticators as the favoured solution with a compliant alternative choice for those customers unable or unwilling to use a smartphone or app.
3) Continuing with committed plans to deploy non-compliant SCA step up solutions for the short term. This will support the adoption of 3DS by merchants and will bring experience of working with exemptions. There will however be a need to set a clear transition strategy and ensure that customers are fully prepared for an early second transition to a compliant solution.
4) Carefully considering and understanding the impact on customer experience and ensuring that the latest version of 3DS 2.0 and other card scheme authentication and authorisation solutions are supported as early as possible throughout the roadmap. This will optimise the application of exemptions, minimise unnecessary step ups and declines and give the best experience for customers.
Customer communication strategies will need to explain and prepare customers for the full transition period, explaining the background and rationale of SCA, the long-term aim and the interim steps. There will also be a need to proactively encourage customers to adopt biometric and app based solutions to a greater extent than may have been previously envisaged.
Considerations for Acquirers
The opinion and statement from the Commission make it clear that responsibility for ensuring merchants are able to support SCA lies with acquirers. This means ensuring all merchants support the appropriate version of 3DS 2.0 within the timescales that are agreed for managed rollouts. Some key points to take into account are:
1) You will need to develop a plan that can be shared and agreed with CAs (in the member states in which you operate) and that you can demonstrate you can deliver on.
2) Many merchants, particularly smaller ones, will have little or no awareness of PSD2 SCA or 3-D Secure, and proactive and effective communications campaigns will be needed to raise awareness.
3) Merchants and their ecommerce solution providers will need clear and unambiguous instructions on what they must do, by when - and will need reminders.
4) High level awareness campaigns will need to be backed up with effective guidance and support resources targeting merchants, gateways, e-commerce web developers etc.
5) Adoption of SCA will not be a business priority for many merchants and yet acquirers will be held responsible for ensuring they adopt or upgrade. This will require sustained and effective communication and potentially the need to offer creative incentives.
Where Next?
The EBA opinion and the Commission statement have only just been published, and there will be a need for CAs, industry associations and others to digest and agree their approach. While this means continued uncertainty over the detail, the overall message for issuers and acquirers is clear and if current plans don’t take account of these clarified requirements there is a need to start working on the response.
Visa is buying Verifi, a payment dispute resolution technology specialist that promises to help firms reduce chargebacks. Financial terms of the deal were not disclosed.
Verifi’s technology connects all parties in the dispute management process in near real-time with the aim of resolving issues before they become a chargeback. The firm serves more than 25000 accounts.
Visa says that by integrating Verifi chargeback tools into its risk management services, it can provide buyers and sellers more automation, near real-time communication and data-driven insights.
Mary Kay Bowman, global head, seller solutions, Visa, says: "Facilitating trust and transparency across the buying experience is core to Visa’s brand promise and Verifi’s technology and expertise will extend these capabilities to more partners across the payments ecosystem."
The acquisition is subject to regulatory approval.
Taking its lead from the European Banking Authority, the UK's Financial Conduct Authority has confirmed a delay to the enforcement of stronger payment security standards to give firms more time to prepare.
The rules, which are being pushed through under the PSD2 Directive, have faced strong opposition from a market which is widely seen to not be ready for the switch.
In a statement, the FCA says that it recognises the challenges in meeting the September deadline and has been working with the industry to implement SCA for card payments in e-commerce as soon as possible after this.
"We aim to quickly agree a plan with stakeholders across the industry that encompasses a blueprint for compliance and readiness, a timetable for achieving this, and key milestones and targets to deliver improved security of customer authentication and fraud reduction along the way," states the regulator. "We will work in close cooperation with all the industry stakeholders and other authorities, including the Payment Systems Regulator, to ensure delivery of the blueprint at pace."
Angus McFadyen, partner, Pinsent Masons says the FCA's reversal continues the regulatory recognition of the adverse impact these rules could have.
"Consumers will see a real impact on their day to day spending experience and no one is communicating with them to explain this," he says. "Equally, the regulators haven’t been able to address some of the other unintended consequences such as the possible adverse impact on the innovative overlay services, like money management apps, that law makers have been supporting.”
Goldman Sachs could follow JPMorgan Chase in creating a digital coin, CEO David Solomon has revealed in an interview in which he also dismissed the threat of tech giants such as Facebook moving beyond payments into deposits.
Speaking to French financial newspaper Les Echos, Solomon says Goldman Sachs could "absolutely" create its own digital token, like the JPM Coin, to settle transactions, and that people should "assume that all major financial institutions around the world are looking at the potential of 'tokenisation', 'stable wedge' and frictionless payments".
On the Facebook-led Libra project, Solomon says that he finds the principle "interesting" but refuses to reveal whether Goldman has had talks with the social media giant about it.
More broadly, the bank chief says that tokenisation and the use of blockchain for a stable digital currency based on a basket of real currencies that can move money across borders is "the direction in which the payments system will go".
Whether the Libra effort or one of the "other fifty that people are watching" ends up ruling "I can not tell you," says Solomon, adding that this new era will also bring regulatory changes.
Solomon is not worried that the tech giants will put banks out of business, arguing that although payment flows will become less profitable, other areas such as deposits are safe because Facebook and others do not want to submit to the same regulatory regime as Goldman.
Instead, he sees the potential for partnerships, citing Goldman's recent deal with Apple on the iPhone maker's move into credit cards.