PSD2 Compliance and SCA: What’s Next? Part 2

PSD2 Compliance and SCA: Where we are now and what comes next (Part 2)

Jonathan Swan - PSD2 Compliance and SCA: Where we are now and what comes next (Part 2)

Jonathan Swan

Feb 16, 2023

In our last blog we talked about the origins of PSD2 Compliance, the EU’s Strong Customer Authentication (SCA) standard, and how it is affecting merchants, customers, and payment providers today.

In this article, we will outline what might be next for SCA and similar authentication mandates around the world.

The need for innovation

It was clear from our first article that SCA is a journey rather than a destination. More innovation around authentication technology is needed. SCA is a step forward in customer protection, but there is still room for improvement.

SCA was only fully implemented in the UK and Europe quite recently, but the early evidence suggests that where it is properly applied, it significantly reduces Card Not Present (CNP) fraud1.

That’s the good news. But there’s also a worry that SCA’s sometimes clunky procedures are leading to significant cart abandonment rates, especially for mobile transactions.

For both merchants and consumers, the implementation of SCA seems like a necessary step toward better CNP fraud protection. But real-world experience shows that, too often, security is being strengthened at the expense of a smooth customer online payments experience.

The world of CNP fraud prevention

It was clear something had to be done to curb rising rates of CNP fraud. That is true far beyond Europe. SCA is part of a global effort to stamp out online payment theft. One thing we can say for sure is that authentication mandates are spreading around the world.

India was one of the first to introduce Additional Factors of Authentication (AFA) for online payments back in 20092.  Australia has recently launched its CNP Fraud Mitigation Framework, which borrows from SCA to some degree3.

More regions are likely to follow sooner rather than later. For example, the US Consumer Financial Protection Bureau (CFPB) has been hinting heavily that it wants to see online businesses implement some form of customer authentication4

So SCA is part of a global conversation around authentication and CNP fraud prevention. As authentication mandates spread, the pace of innovation will accelerate, and best practice procedures can be established and shared more quickly.

This should help authentication protocols find a better balance between CNP fraud management and customer experience.

New fraud protection tech on the block and the spread of consumer authentication

As authentication mandates become more common, new technologies are likely to come into play.

As we discussed in the previous article, SCA is heavily reliant on 3D Secure (3DS), a technical standard that adds an extra layer of security by allowing merchants to route transactions through to an issuing bank for authentication.

3DS can be an excellent fraud prevention measure, but banks, merchants and providers often implement it in their own specific ways, leading to compatibility problems and – too often – customer dropouts.

But 3DS isn’t the only game in town. Innovation is already happening, most notably in the form of two new technologies. They are Delegated Authentication and Secure Payment Confirmation (SPC).

Delegated Authentication lets merchants carry out SCA on behalf of issuing banks, avoiding clunky hand-offs and bank authentication journeys.

Meanwhile, SPC enables issuing banks to put credentials into web browsers, which can then be used to initiate device level authentication ceremonies. The combination of device level credential (possession) and device level authentication (knowledge/inherence) constitutes the two factors needed to satisfy SCA.

The authentication arms race

We see these technologies as central to an efficient authentication strategy for merchants. They promise a better balance between keeping consumers secure and keeping them engaged. We believe these two technologies will play a big part in changing the way consumers authenticate their CNP payments.

But whether we’re talking about SCA, 3DS, or SPC, these technologies are far from the final word in remote authentication.

Authorities are in a race with fraudsters, who are already refining their strategies in response to SCA. Online criminals are always finding new ways to improve their social engineering techniques. The enforcement of SCA has only accelerated their efforts, with social engineering becoming essential to carrying out online card fraud.

A good example of this is iSpoof, a Fraud as a Service (FaaS) application that allows criminals to make calls that appear to come from banks, tax offices and other legitimate authorities. Fraudsters were using this service to harvest much needed credentials from consumers, such as SCA One Time Passcodes (OTPs). The UK police recently crashed this operation, uncovering a database of 59,000 fraud suspects5. This is social engineering on an epic scale.

In other words, the fraud arms race isn’t over. It’s simply entering a new phase. SCA is an important step forward for those on the right side of the law but as we’ve seen fraudsters are quick to adapt. Those with an interest in authentication now need to focus on ironing out the kinks in SCA and making the authentication journey more seamless and secure. When authentication is easy and robust, consumers engage while fraudsters are left frustrated.

We strongly believe that innovative new technologies are going to be the driving force behind a move towards stronger and easier authentication.

Learn more about Accertify’s Strong Customer Authentication (SCA) solution here.