COMPLIANCE & REGULATION: SCA
We caught up with three experts at the coalface of change to explore the impact that PSD2 and a post-3DS world will have on the European payments industry.

One of the most significant elements of the revised Payment Services Directive (PSD2) is Strong Customer Authentication (SCA), already delayed once and now fully enforced in the EU, with just the UK left to implement it by September 14 this year. In order for payment services providers to meet the SCA regulation, card schemes have recommended they use an updated 3D Secure (3DS) protocol. The protocol, managed by EMVCo and known as EMV 3DS (also referred to as 3DS2), is optimised for mobile use. It is designed as an additional security layer for online card transactions, but with less interruption to the customer journey, particularly on mobile, than previous iterations.

The "3D" in 3DS refers to the three domains that interact when the protocol is used: the merchant/acquirer domain, the issuer domain and the interoperability domain. 3DS allows customers to self-authenticate payments, so that transactions can be processed securely without an increased risk of fraud liability resting on the card issuer. EMV 3DS allows businesses and their payment providers to send more data on each transaction to the cardholder's bank, in order to carry out a risk-based authentication (RBA). Those payments considered higher risk will automatically generate a request for the customer to provide two out of three pieces of information to complete their transaction: something the user is (e.g. a biometrically collected fingerprint), something the user has (e.g. a mobile phone), and something the user knows (e.g. a password). Which pieces of information are requested, and how they are conveyed, depends on which version of the protocol is employed. 3DS2.2, for example, is a significant improvement on the user experience delivered by 3DS2.1, where merchants found that shortcomings in user experience design resulted in consumer confusion and high levels of checkout abandonment.

Given all this, there is some understandable nervousness about how best to comply when SCA becomes mandatory. For instance, should all payments be submitted under the EMV 3DS protocol by default, even if some fall within the exemption rules for SCA laid down by PSD2, such as those of low value (under €30) or those deemed low-risk? It's a complicated area, so we invited Caroline Birchinall, head of authentication at Visa in Europe; Noam Grinberg, VP of risk management at payment processor Nuvei; and Galit Michel, VP of payments with Forter, a specialist in e-commerce fraud protection, to gauge the industry's direction of travel.

THE FINTECH MAGAZINE: The payments industry has gone through a host of changes in fairly short order, especially around authentication and the requirement to apply 3DS, and now EMV 3DS, to an increasing number of transactions. What impact is it having?

CAROLINE BIRCHINALL: There are many different parties that need to come together. Trying to make change happen, relatively quickly, is challenging. Everybody wants to make sure things
Getting there: Despite short-term challenges, EMV 3DS points a way forward
TheFintechMagazine | Issue 20
www.fintechf.com