Nearly there now

Jukka Yliuntinen, Global Head of Digital Solutions at Giesecke+Devrient, considers the long and winding road to SCA and the further challenges waiting at ‘journey’s end’

The twisting, turning journey towards Strong Customer Authentication (SCA) has been both challenging and changing, with frequent deadline extensions due to a blend of poor industry readiness and the impact of the COVID-19 pandemic.

SCA is an integral part of the revised Payment Services Directive (PSD2), and adds an extra layer of security to electronic payments across the European Economic Area (EEA) and the United Kingdom. Because of the relentless growth of e-commerce and digital payments, as well as the growing sophistication of fraudsters, also fuelled by the pandemic, stronger security is a greater priority than ever.

As global head of digital solutions at Giesecke+Devrient (G+D), Jukka Yliuntinen is part of a company that is no stranger to payment innovations. Yliuntinen describes the business as a ‘very old fintech’ because it has been a payment innovator for almost 170 years, shaping developments from paper notes and cards through to today’s most advanced digital solutions.

When PSD2 was first introduced, in January 2018, the biggest fear, particularly for issuing banks, was how to comply, says Yliuntinen.

“User authentication has a profound impact on e-commerce and contactless transactions,” he says. “So, what would PSD2 mean for banks when payments were made in different environments? Whether a customer does online payments, mobile payments or payments at point-of-sale, and pays by card, a wearable or a mobile, the outcome should be the same. It should be a unified and seamless experience for consumers and banks alike.”

But, since 2018, there have been unforeseen roadblocks to SCA, not least because of the massive upheaval caused by the coronavirus and the consequent growth in digital payments. Over the past 18 months, cash usage has become almost non-existent, at least temporarily.

Under SCA, if payment verification is required, banks must perform additional identity screening using two out of three possible checks. These checks are defined as something the customer knows (knowledge), something the customer has (possession), and something they are (inherence).

Although many European countries are now compliant, the UK’s Financial Conduct Authority has further delayed full enforcement of SCA there until 14 March 2022 – the latest of several extensions. Those that are compliant have seen an early and unwelcome side effect of stronger security checks: conversion rates dropping off a cliff as customers experience unacceptable delays. So, even at journey’s end, issues remain, as does the core challenge of ensuring the right balance between friction and security.

Yliuntinen adds that, while most countries to which PSD2 is applicable are already fully compliant, the consistency of how they achieve compliance is another story. For the most part, though, e-commerce merchants will typically implement SCA using 3D Secure (3DS) 2.0 technology, he says. 3DS stands for three-domain secure: namely merchant acquirer domain, issuer domain and network domain. Version two of the protocol was introduced to cater for e-commerce transactions and applies a wide range of data points to verify transactions as part of two-factor authentication (2FA), where a user selects two out of the three possible security checks (knowledge, possession, inherence) to comply with SCA.

Looking at the current state of implementation across Europe, Yliuntinen says there may, at least, be one consistent factor – issuer implementation.

“It’s usually been issuer-dependent,” says Yliuntinen. “Issuer A versus issuer B might have a different implementation, even in one country. But if they are harmonised, that’s good, because many of us still use services from more than one issuing bank. It all depends on how the bank that issued your card implemented it, and there are differences.

“It can be really very easy, so that banks won’t need to communicate much to their consumers. Just a question of saying there’s now a secondary way to authenticate when, for example, you make an e-commerce or contactless payment. Or it could be very complex, which means it’s also very difficult to communicate to customers. And, amongst other things, there are demographic differences.”

Yliuntinen says one example of this is if a customer uses their mobile for authentication. Younger generations may be very comfortable with mobile apps, but older people and those who are not digital natives can find it confusing, and they may not even have a smartphone.

“Many user experiences have to be accommodated,” says Yliuntinen. “If you review app ratings in Google Play, or Apple’s App Store, you see plenty of comments about the authentication experience, often with just one or two stars for the app. People notice when things are becoming complex and will comment on their bad experience, even if the app itself is great.”

For merchants, a bad experience is when conversion rates decline. This is already a well-documented consequence of an SCA challenge being triggered. The ideal is to optimise SCA so that payment checks are reduced to a minimum without compromising security.

“While SCA applies a second layer of security – which, of course, is good for a merchant as it means customers are authenticated because the issuer has said the payer is legitimate – the extra work can mean a lost transaction,” says Yliuntinen. “Worse still, if it’s a clumsy experience for the customer, they may decide not to buy from that e-commerce site again, and might choose a different merchant in future.”

Consumers today have high expectations, says Yliuntinen. They are used to superior service from big tech companies such as Apple and Google, which prioritise customer journeys and customer experience. And because there is so much choice today, it’s easy to go elsewhere if you are dissatisfied with a service.

AN EASIER WAY?

However, Yliuntinen says there could be a simple and cost-effective answer for all concerned: the card. Because banks issue different types of payment cards, and they are now mainly contactless, they themselves can be used for SCA.

“Cards have the ‘possession’ factor,” says Yliuntinen. “Contactless cards have a smartcard component that is tamperproof, and that can’t be said for mobile and one-time passwords. So banks already have an asset for SCA, which is where our Convego Tap function comes in and makes it even easier.”

Convego Tap is a G+D solution that supports SCA by allowing consumers to use their existing and trusted banking cards as a secure and convenient means of authentication for online banking. There is no need to handle extra hardware, inconvenient transaction authentication numbers or one-time passwords.

“We provide a software development kit, a small piece of software that can be embedded, for example, in a banking app or banking wallet, so that customers can use their payment cards as a second authentication factor. It works with any device that is near-field communication (NFC)-enabled, and we have recently enabled it for iOS devices, to ensure complete mobile support.

“Any card can be used, as long as it’s contactless. Today, that means Mastercard, Visa, Amex or any other payment network card. Another benefit is that, because providers still need to authenticate somewhere in the back end, they can implement this themselves. Also, if they want to use it for FIDO (fast identity online) authentication, the new standard for online authentication, the payment card now works as a FIDO authenticator, too.”

Although PSD2 and SCA are European initiatives, the security implications are global because e-commerce and payments are increasingly borderless; nor is the threat from fraud limited by geography. That’s an argument, says Yliuntinen, for global adoption and uniformity.

“If e-commerce merchants in, say, Australia or Singapore, want to offer services worldwide, they don’t have to be PSD2-regulated,” says Yliuntinen. “However, that doesn’t mean a payment won’t be rejected. If a bank thinks there is a high risk from a purchase, it can reject the payment and the merchant will lose the sale. In the e-commerce space, this places pressure on merchants to comply with SCA. One of the things we are seeing across almost every country is a strong desire for 3DS.”

Yliuntinen adds that, whether a company is an early or late adopter, the technology investment in using Convego Tap is small because much of the infrastructure is already provided by issuers. It is easy for firms to deploy and welcomed by their customers, who have become comfortable with the concept of tap-to-pay.

“If a user has to open their mobile banking app and use it for secondary authentication, or get a code and enter that somewhere, that’s not a great way of authenticating,” says Yliuntinen.

“However, if all they need to do is tap their card, that’s a very positive customer experience. Moreover, if a bank can support that facility, this places it in a very good market position.”