Strong Customer Authentication: New Rules Will Trigger Profound Changes in Many Organizations [Q&A]

One of the biggest industry issues for the payments community right now is strong customer authentication (SCA) – the new regulation for card payments, including card-not-present or eCommerce payments. This is due to come into force on December 31, 2020 in the EU, and on September 14, 2021 in the U.K. ACI recently brought together industry stakeholders for a webinar entitled Competition Versus Compliance: How an SCA Exemptions Strategy Can Grow Your Business. I spoke with these stakeholders about the challenges, but also opportunities, that SCA will bring to the payments industry.

 

Katrin Boettger: The SCA deadlines are getting closer. What do you perceive to be the general readiness of the industry, both in Europe and in the U.K.?

Amanda Mickleburgh, Director – Fraud Management, ACI Worldwide: It is fair to say that right now there is still a large degree of unreadiness in the market. SCA is a “big beast” – in terms of legislation, compliance requirements and technical enhancements that organizations need to be make. The current pandemic has made it difficult for many businesses to complete deployment and conduct enough testing in time for the deadlines, which further compounds the challenge! But we are working actively with our customers and offer them a series of tools and solutions to ready themselves, whether payment service providers (PSPs), acquirers, issuers or merchants. This addresses SCA as well as the issue of SCA exemptions.

Paul Rodgers, Chairman, Vendorcom: I agree that there is still a lot to do for all of us. The industry is very complex and diverse with an interdependent ecosystem. Looking at it in its totality, the level of preparedness is relatively low. But preparations have been stepped up by the national competent authorities across Europe, particularly in the U.K., which is really moving the agenda forward.

 

KB: From a merchant’s perspective, do you think everyone understands the role they now play in applying exemptions and maybe the control they have in being able to define some of those exemptions?

Johan Carlsson, Commercial Manager, IKEA: At IKEA we have two focus areas. First of all, there’s compliance, so we are working hard to upgrade to the EMV 3D Secure (3DS2) standard. Second, is it to offer a better customer journey. But by doing that, we also use the opportunity to employ 3DS2 and exchange more information, leveraging this information for improved fraud prevention. We leave all the exemptions to issuing banks at this point. 

 

KB: From a financial backend perspective, how can value added solution (VAS) providers support merchants with exemption strategies?

Ralf Hornberger, Global Strategic Partnerships, Arvato Financial Solutions: Our merchants show a high level of creativity right now. What we are seeing is that many are offering deferred payments, for example, especially larger ones, so the customer does not have to actually pay during checkout. They offer” buy now, pay later” options, but also ask people to do bank transfers. Obviously, these are all strategies to circumvent the new rules, to deal with the new situation and keep their businesses running.

 

KB: Michael, maybe you can offer us an overall picture of the level of readiness as perceived by the Mastercard network, given that you have the luxury of seeing the whole picture end to end?

Michael Sass, Vice resident – Product Management, Mastercard: There is some good news and some bad news that really requires us to focus on specific segments of the market. The good news, we are seeing that roughly 80 percent of the issued cards are ready for 3DS2, the new authentication protocol that the whole industry is shifting towards. The other important milestone we have seen is that 3DS2 performance has massively improved over the last few months and is now actually better than 3DS1.

Merchants should now really focus on deploying EMV 3DS with gusto, because in three months 3DS is going to be a requirement as part of PSD2 and EMV 3DS works better than 3DS1.

 

KB: Marcus, representing the issuing banks, how do you approach SCA?

Marcus Brandel, Head of Card Fraud Prevention, Swedbank: We as an issuer will use the exemptions – all of them that are available – starting with the easy ones; lower value payments, recurring payments like parking and transportation, contactless, etc. We want to be very thorough in how we implement our exemption strategy because we really want to simplify things for acquirers, merchants and PSPs.

But we look at SCA not just as a new compliance demand. Going forward, I believe SCA is going to trigger more changes in our, and many other, organizations. If you look at how a typical issuer organization is formed today, you have the fraud departments, you have security, you have compliance, you have the reporting statistics department, and so on. The new legislation has such a crucial impact on all those different parts of the organization that today aren’t necessarily so integrated. You need to align these parts of the business and develop a sustainable strategy to secure your business as a card issuer.

 

Please click here to listen to the recording of the webinar. ACI has also developed an industry-specific SCA resource center to help banks, merchants, issuers, acquirers and PSPs.