As the fourth anniversary of PSD2 comes and goes, it’s time to reflect on the success of some of its provisions.
Strong Customer Authentication (SCA) was introduced across the EU and EEA as part of PSD2 to secure e-commerce transactions by escalating authentication where necessary.
From the outset, the adoption of SCA has proven problematic, with merchants and banks across Europe claiming they had not been given enough time to prepare, and very low consumer understanding and awareness of the new provisions.
In particular, consumers found the additional friction generated by two-factor authentication troublesome, and merchants complained of lost revenue from abandoned transactions.
Fraud rising, compliance patchy
A new report from the UK Payments Association and Visa, The Long and Winding Road to SCA, outlines where we stand today – and asks what needs to be done to deliver full SCA compliance.
The report, chaired by industry veteran Jane Jee, notes that compliance extensions have been required in both the UK and the EU, as well as EEA countries, owing to slow roll-outs by banks and merchants; meanwhile fraud in the UK has risen by 170% over the last decade.
“UK payment fraud has risen by 170 percent in the last decade.” – The Payments Association
Now the deadline for full SCA compliance in the UK (14 March 2022) is fast approaching – and the Payments Association has recommendations for how acquirers can ramp up their roll-outs to ensure consumers and merchants receive better protection from fraud.
Chief among these measures is the implementation of 3D-Secure, or 3DSv2.3, the transaction authentication system developed by EMVCo and partners which uses more than 100 data points to identify high-risk transactions while reducing the overall number of escalations through better identification of bona fide transactions.
As of January 2022, the report’s authors say that all major UK issuing banks and almost all acquirers have rolled out 3DS2.1 – however, understanding and usage of this standard remains inconsistent.
No silver bullet
The PA’s recommendation that 3DS be rolled out across the UK is understandable – but 3DS is not failsafe. For instance, recent research by Outseer (see PCM, Nov-Dec 2021) has shown that 3DS is much less effective if it is not completely rolled out across a market, with fraud migrating to those merchants that have not adopted the protocol.
Secondly, fraud is growing at such an alarming rate because new fraud types are developing – in particular synthetic ID fraud (in which consumer identities are stolen and patched together to create fake profiles) and account takeover, or ATO, in which login details are stolen and passwords changed.
3DS is less effective against these fraud types as things stand, and techniques such as Independent Device Verification (IDV) are required to fully confirm user ID for mobile transactions.
The PA/Visa report acknowledges this changing fraud landscape, and recommends the use of biometrics and other identification types, including payment links sent by secure message to social media apps, alongside 3DS.
The report says such techniques are still emerging but look set to further enhance transaction security. It notes that most major issuers now use biometric identification in their wallet apps, as one example.
Less friction, more funds
As well as adopting 3DS, the PA and Visa recognise that consumer friction has been a major stumbling-block in the adoption of SCA. To combat this, the report recommends maximising SCA exemptions (such as removing the requirement for two-factor authentication from lower-value transactions) as the deadline for full implementation draws near.
Other exemption strategies include removing escalated authentication from transactions deemed low risk – by “whitelisting” consumers known to be safe, for instance, or where funds are being disbursed to trusted beneficiaries. Finally, the PA/Visa study says major, comprehensive communications exercises are still required to help consumers understand why they are being asked to submit more verification data more often.
For all the just praise heaped on 3DS by an industry seeking answers to recent massive increases in fraud by value, if not by volume, it’s worth remembering that 3DS is not the only game in town.
Other potentially significant developments in the fight against fraud include improvements in AI and machine learning as they relate to fraud detection; the (at present slow) adoption of comprehensive digital ID standards; and the concept of strong authentication at the point of entry to a digital estate, before any transactions are attempted.
Any or all of these concepts may yet surpass SCA as a means of delivering smooth, rapid and secure transactions online. As this report notes, for SCA to be a success we need to see more effective communication and adoption by banks and merchants as soon as possible.
The post SCA adoption in the UK is still a problem – can it be fixed? appeared first on Payments Cards & Mobile.