Since the European Union passed its revised Payment Services Directive (PSD2), there has been much talk about strong customer authentication, or SCA. But what is SCA? How is it reflected in our web-based transactions? How does it create challenges for businesses operating online and what are its benefits?
In October 2015, the European Union approved a new bill on payment services, designed to better protect consumers when making online transactions or cross-border payments. While its initial implementation deadline was extended, SCA has quickly become part of our daily web interactions with banks, online retailers and service providers.
But what has motivated this transition to reinforced security measures? To answer this, we must examine the factors that led to PSD2, among which is a resurgence in cyberthreats affecting consumers and businesses alike.
Ultimately, we must consider both the advantages and challenges SCA creates for vendors and service providers operating online. And what can card issuers, banks and financial institutions do to comply with SCA requirements while maintaining a positive user experience and sustained engagement?
What is strong customer authentication anyway?
Strong customer authentication comes in direct response to the marked change in online consumption patterns and banking habits among European citizens since the second decade of the 21st century. While it offers a heightened level of security, it comes with an added layer of complexity. But how exactly does it work?
SCA is one of the cornerstones of PSD2. It requires that payment service providers (PSPs) within the EEA (European Economic Area) implement multifactor authentication (MFA) procedures. This ensures that customers who access payment services and share sensitive data through online banking apps and similar interfaces are indeed who they claim to be.
As a minimum requirement, two-factor authentication (2FA) obliges users to provide two of the following when making a transaction or accessing confidential material:
| Knowledge | Possession | Inherence |
|---|---|---|
| Password | Phone | Fingerprint |
| PIN | Token | Facial recognition |
| Secret fact | Smart card | Voice recognition |
These three categories may be summed up in the following concepts:
- Knowledge – this relates to passwords, PIN numbers or pieces of information that the user or customer alone can provide.
- Possession – this refers to something the user has on their person, including mobile phones, tokens or smart cards, which may be used to provide requested information.
- Inherence – this pertains to the user’s physical constitution, as expressed through face, voice or fingerprint recognition.
While the latter may have seemed worthy of science fiction until just a few years ago, it is fast becoming a ubiquitous contemporary reality. Popular manifestations include Apple’s Face ID and the fingerprint sensors used by smartphone manufacturers to unlock their devices in place of a traditional PIN code.
Beyond the rapid increase in online consumption patterns however, the question remains, what else has been driving these augmented authentication methods? And what are the potential consequences for both consumers and businesses operating online?
Did you know? According to figures from the European Central Bank, over 50% of EU consumers were using electronic banking by the year 2017, compared to just 25% in 2007.
Why was SCA introduced?
If consumer protections related to online banking and online retail were thought to be lacking before PSD2, the reasons are simple. Chief among them is the noticeable increase in the quantity and sophistication of cyberattacks over the last ten years, a trend that more recent developments have exacerbated yet further. While SCA seeks to mitigate cyberthreats, it can also adversely affect the user journey on a given platform, app or website. But how?
As the Covid-19 pandemic continued to cause major disturbance over the course of 2020, phishing scams, malware, ransomware and various other kinds of fraudulent attacks increased exponentially, with many service industry professionals making the overnight transition from day-to-day commuting to working from home. Even before the pandemic, cybercrime had risen steadily year on year over the past decade. In its “Ninth Annual Cost of Cybercrime Study”, which surveyed several thousand senior executives at 355 companies across 11 countries, Accenture indicated a 67% increase in security breaches per company between 2013 and 2018. However, employee and company data are not the only targets falling prey to cybercriminals, with similar increases in cyberattacks directed towards individuals too. PSD2 seeks to address this.
The inherent vulnerabilities of single-factor authentication (SFA), such as the reuse of easily forgotten passwords, leave consumers exposed to all kinds of cyberthreats. The onus has thus shifted to card issuers, banks and payment service providers to implement an SCA mechanism offering them greater safeguards against malicious intrusions.
On the whole, SCA presents both benefits and drawbacks for consumers and businesses operating online:
| BENEFITS | DRAWBACKS |
|---|---|
| For consumers, heightened security means a lesser risk of fraud and cyberattacks | It can slow down access to online services and retail if clumsily implemented |
| Consumers previously hesitant to make online transactions are also reassured by SCA | It can lead to checkout abandonment for retailers if the customer finds the process inconvenient |
| SCA creates a level playing field for businesses operating online, as most must be SCA-compliant | More sophisticated authentication methods (such as facial recognition) are not yet widespread |
Yes, when it comes to user experience, the potential friction caused by multifactor authentication has become a subject of concern for many businesses. It begs the question, how can card issuers, banks and PSPs ensure people’s security while maintaining a fluid user experience?
Did you know? According to 2018 data collated by UK-based behavioural marketing firm SaleCycle, financial services, after the airline and travel sectors, is the industry in which online consumers are most likely to abandon their shopping basket before making a transaction.
Security versus user experience, an impossible equation?
Uber, Deliveroo, JustEat… the list goes on. Countless app-based services have flourished in recent years, making rapid service, prompt payment and a friction-free user experience fixtures of our daily lives. SCA has created a bit of a conundrum for businesses wishing to offer their customer base the same level of smooth, frictionless service that so many now take for granted. So, what exactly can be done?
Under PSD2, online merchants themselves have no control over how SCA is implemented, as this responsibility lies with their customers’ card issuers and banking partners. This can cause frustration, even if both parties share a common interest in promoting the continuity of seamless online transactions. When traditional banking operators initially set about creating their app-based online banking services, they usually opted for a simplified version of their familiar desktop interface, enabling customers to make transfers and consult their balance in just a few clicks. SCA’s disruption to this serene electronic banking landscape, and its potential interference with user experience, have not gone unnoticed.
Businesses and PSPs that ignore user experience expectations do so at their peril. According to a recent online retail survey conducted by independent UX research institute Baymard, a “long or complicated checkout process” was the third most highly reported motive for abandoning an online transaction, with over a fifth of respondents in this category citing it as their reason for doing so. Higher still, the proportion of those abandoning their shopping basket because the website wanted them “to create an account” amounted to nearly 30%.
At a time when the barriers to switching from one online retail outlet or service provider to another are lower than ever before, the delicate balance between security and a fluid user journey is a crucial concern for businesses, banks and financial institutions. The authentication options on offer should be as wide-ranging as possible, taking into account various user or customer profiles. Getting this right can prove decisive in whether customer engagement continues to thrive, in spite of SCA, or begins to decline as a result of demands perceived to be onerous or tedious.
To reduce user journey friction and ensure that all users and customers are catered for, card issuers, banks and payment service providers need to take the following into consideration:
1. Not all mobile operating systems (OS) are up to date
- Vendors or users may not automatically update their OS when required.
- SCA on platforms or apps should function even when an OS lacks recent updates.
2. Not everyone has a smartphone
- Older people without smart devices may represent a significant proportion of a business’s customer base. SCA methods should reflect this.
- When push notifications are not possible, one-time passwords (OTP) through automatic call-backs or SMS messages should be facilitated.
3. SCA is unnecessary for recurring transactions
- Recurring standing order transactions for charge or subscription accounts need only satisfy SCA requirements once.
- Recurring direct debit transactions initiated by the payee are exempt.
4. Biometric solutions are available
- Accurate facial or fingerprint recognition is the most secure form of authentication.
- They are also the most compatible with a fluid user journey.
- Third-party digital ID service providers offer solutions that directly integrate into existing app interfaces or platform infrastructures.
5. Guidance equals reassurance
- Offering customers information on when and where SCA is required is essential.
- Explaining its goal of reducing cyberthreats and fraud conveys its importance.
- Advising customers to regularly update their mobile devices, OS and personal details ensures a more fluid SCA experience.
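As an added illustration (not code from the article or from any PSP), the two rules the article states, modelled in Python: the two-of-three factor rule from the factor table, where two elements of the same category count as only one factor, and the recurring-transaction exemptions from item 3 above. The `Transaction` fields and element names are assumptions, and only the exemptions the article names are modelled.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three SCA categories named in the article."""
    KNOWLEDGE = "knowledge"    # password, PIN, secret fact
    POSSESSION = "possession"  # phone, token, smart card
    INHERENCE = "inherence"    # fingerprint, face, voice


# Constructed mapping of concrete authentication elements to their category.
ELEMENT_CATEGORY = {
    "password": Factor.KNOWLEDGE, "pin": Factor.KNOWLEDGE, "secret_fact": Factor.KNOWLEDGE,
    "phone": Factor.POSSESSION, "token": Factor.POSSESSION, "smart_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE, "face": Factor.INHERENCE, "voice": Factor.INHERENCE,
}


@dataclass
class Transaction:
    """Hypothetical transaction record; field names are assumptions."""
    recurring: bool = False         # part of a standing order or subscription
    first_in_series: bool = True    # first payment of a recurring series
    payee_initiated: bool = False   # direct debit pulled by the payee


def sca_required(tx: Transaction) -> bool:
    """Apply only the exemptions the article lists: payee-initiated direct
    debits are exempt, and a recurring series needs SCA only the first time."""
    if tx.payee_initiated:
        return False
    if tx.recurring and not tx.first_in_series:
        return False
    return True


def satisfies_sca(elements: list[str]) -> bool:
    """True when the presented elements cover at least two distinct categories.
    Password + PIN is still a single (knowledge) factor, and elements the
    policy does not recognise never count towards the total."""
    categories = {ELEMENT_CATEGORY[e] for e in elements if e in ELEMENT_CATEGORY}
    return len(categories) >= 2


def authorise(tx: Transaction, elements: list[str]) -> bool:
    """Allow the transaction when it is exempt or when SCA was actually met."""
    return (not sca_required(tx)) or satisfies_sca(elements)
```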
Ultimately, online businesses and merchants also have a role to play in ensuring SCA is not perceived as a hindrance. By educating their customers on the security benefits of SCA, they too can reassure them and mitigate initial reluctance. When all is said and done, SCA is here to stay. While momentary friction may be created, it will become more intuitive over time, with all consumers and businesses operating within the EEA having to adapt to the transformed online transaction landscape that PSD2 has created.
Did you know? In a survey conducted on 1000 UK cardholders in 2020, multinational payments company Visa found that 66% of respondents believed biometric authentication methods to be easier than passwords.
Few pieces of legislation have had quite as transformative an effect on the online transaction landscape as PSD1 and PSD2. Beyond introducing a framework for new payment services, PSD2’s strong customer authentication provision offers consumers greater protection against cyberattacks when making web-based transactions. The challenges that SCA measures create in terms of user experience are, however, considerable.
The onus is on card issuers, banks and PSPs to ensure frictionless user journeys and online transactions, unimpeded by reinforced security measures. This is not only in their interests, but also those of financial institutions, consumers and businesses operating online. Offering wide-ranging, flexible authentication options and educating consumers on SCA’s benefits are among the best ways to achieve this.
Over time, SCA methods will become faster, more intuitive and increasingly widespread, and initial friction will dissipate. Security risks, however, remain a constant, and all businesses operating online should exercise caution. Given the stringent regulatory environment in which they operate, financial services providers have developed genuine expertise in managing security concerns and guarding against potential threats. They therefore have a crucial role to play in raising awareness of these issues to enable businesses to better protect themselves.