SCA (Strong Customer Authentication)


SCA Banking Institution Updates

Banks are implementing SCA checks by sending a one-time passcode (OTP) by text or email, which customers must enter online for authentication. Other ways banks are implementing SCA requirements include encrypted push notifications via their mobile banking apps, automated calls to the customer's landline, and a card reader/PIN device.


  • Strong Customer Authentication (SCA) places a requirement on banks to identify every customer using a minimum of two of the following three independent factors of authentication: information only the customer knows (a password, PIN, or the answer to a security question); something only the customer controls (a card reader or registered mobile device via which they are sent verifying information); and a physical identifier unique to the customer (a digital fingerprint, voice pattern, or FaceID).
  • SCA came into effect on September 14, 2019, but not all banks have implemented the changes; those that haven't are expected to comply within the next 15 months to March 2021.

How Banks Are Implementing SCA

  • Banks are implementing these SCA checks using encrypted push notifications (via mobile banking apps), which are considered the most secure form of two-factor authentication. These encrypted alerts confirm the transaction amount and payee, and the customer authorizes the transaction by fingerprint ID or other biometrics.
  • Another way banks are implementing SCA checks is by sending a one-time passcode (OTP) by text or email, which customers must enter online for authentication. Since messages can be hijacked, this is not as secure as push notifications.
  • For customers who don't have a mobile or are in areas with poor mobile network coverage, some banks allow for codes to be sent via landlines. Such a customer has an option of automating a call to their landline, through which they receive a code via automated voice that they enter into the bank's website.
  • Authentication can also be done using a card reader/PIN device. The customer inserts a card into the card reader and enters a four-digit PIN. The card reader then generates a unique eight-digit code, which would then be used to complete the online transaction.
  • HSBC UK, Santander, and M&S Bank all use security questions to authenticate customers who may have forgotten their passwords. Customers can reset their security questions by first providing answers to the current security questions. Those who have forgotten the answers to their security questions can call the administrator, the bank (Santander and M&S Bank), or the automated service (HSBC UK), and they are then authenticated over the phone.
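The push alert and card-reader flows described above both end with the customer approving one specific payment. The following added example (not code from this page or from any bank named on it) derives an eight-digit code tied to the amount and payee and checks it once on the bank side; the HMAC construction, the per-device key, the binding of the card-reader code to amount and payee, and the names `transaction_code` and `Verifier` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 8  # same length as the card-reader code described above

def transaction_code(device_key: bytes, challenge: str, amount: str, payee: str) -> str:
    """Derive a one-time code bound to this challenge, amount and payee."""
    # Length-prefix each field so ("12", "3") and ("1", "23") never share a message.
    message = b"".join(
        len(part.encode()).to_bytes(2, "big") + part.encode()
        for part in (challenge, amount, payee)
    )
    digest = hmac.new(device_key, message, hashlib.sha256).digest()
    # Reduce to a fixed number of decimal digits the customer can type in.
    number = int.from_bytes(digest[:8], "big") % 10**CODE_DIGITS
    return f"{number:0{CODE_DIGITS}d}"

class Verifier:
    """Bank-side check (hypothetical): one challenge per payment, usable once."""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self._pending = {}  # challenge -> (amount, payee) as recorded by the bank

    def start_payment(self, amount: str, payee: str) -> str:
        challenge = secrets.token_hex(8)
        self._pending[challenge] = (amount, payee)
        return challenge

    def confirm(self, challenge: str, code: str) -> bool:
        # pop() makes the challenge single-use, so a captured code cannot be reused.
        details = self._pending.pop(challenge, None)
        if details is None:
            return False
        expected = transaction_code(self._key, challenge, *details)
        return hmac.compare_digest(expected.encode(), code.encode())

def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed key standing in for the device secret
    bank = Verifier(key)
    c1 = bank.start_payment("25.00", "ACME LTD")
    good = transaction_code(key, c1, "25.00", "ACME LTD")
    c2 = bank.start_payment("25.00", "ACME LTD")
    # The device was shown a different payee than the one the bank recorded.
    tampered = transaction_code(key, c2, "25.00", "OTHER LTD")
    return {"genuine": bank.confirm(c1, good),
            "replayed": bank.confirm(c1, good),
            "payee_changed": bank.confirm(c2, tampered)}
```

Amounts are passed as strings so that both sides hash exactly the same bytes; a float formatted differently on the device and the server would produce mismatched codes.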


HSBC UK:

  • According to HSBC UK's customer authentication brochure, in which it explained its implementation of SCA, HSBC cardholders may need to authenticate online payments using Visa Secure. Cardholders don't have to register with Visa Secure to receive an OTP, which is an upgrade from passwords.
  • HSBC UK's SCA options as of September 2019 were SMS codes, email codes, and the landline option, as described above.
  • HSBC UK customers can receive OTP codes via email, but only on a limited or temporary basis.

M&S Bank:

  • M&S Bank uses Verified by VISA or Mastercard Identity Check to protect online shoppers who use the M&S Debit Card and Credit Card. They don't need to register; all they need to do is ensure that their mobile numbers are up to date so that they can receive the OTP by SMS to complete online transactions.
  • M&S Bank customers can receive OTP codes via email, but only on a limited or temporary basis.
  • As of September 14, 2019, M&S Bank had already implemented SCA for current account logins, and credit cards were expected to follow. For customers who don't use its mobile banking app, it was expected that they would be able to order a physical M&S Pass at a later point this year for authenticating internet banking transactions.
  • Altogether, M&S Bank's SCA options as of September 2019 were SMS codes, email codes, and the landline option, as described above.


Santander:

  • According to a Santander spokesman, "In addition to providing their ID and security numbers, customers will need to confirm their identity either through our convenient mobile banking app or by giving a one-time passcode which is sent to their phone."
  • This statement is consistent with information available on Santander UK's website regarding the changes in online banking stemming from the new SCA regulations.
  • As of September 2019, Santander's SCA options were the SMS code (OTP) and push notifications via its mobile app.
  • The bank is expected to introduce SCA checks for login in the first quarter of 2020.

SCA Impact

The implementation of Strong Customer Authentication (SCA) will undoubtedly have a great impact on security as well as transaction conversions. Notable security impacts of SCA include reduced fraud incidences and secured online payments. Regarding transaction conversions, a good percentage of online customers abandon the purchasing process because they find it complicated and long, which leads to a drop-off in transaction conversion.

Overall Projected Impact of SCA

  • According to the Experian report, online fraud has been on the rise since the commencement of e-commerce. The report further shows an annual increase of 30% in online fraud, which is expected to rise in the coming years.
  • The scale of online fraud prompted the European Union to implement the new Payment Services Directive, commonly referred to as PSD2, of which the Strong Customer Authentication (SCA) rules are one of the key pillars.
  • European internet commerce is expected to reach $1 trillion by 2022; unfortunately, the European Central Bank estimates that around €1.3 billion in online fraud takes place each year on European cards.
  • The SCA rules are aimed at reducing fraud and making online payments secure. These rules are scheduled to take effect on December 31, 2020, after a recent deadline change. They will apply to two types of transactions: credit transfers from a bank account and card payments.
  • To achieve the SCA objectives, merchants and issuers in the European Economic Area (EEA) will be required to validate consumers for all electronic payments.
  • One of the projected impacts of SCA for acquirers is stepped-up authentication that costs more money and takes more time; this is in addition to the need to identify transactions that are exempt from SCA.

SCA Impact on Security

  • Once the SCA rules come into effect, all online digital payments will need two-factor authentication (2FA). This means that before making payments, customers will need a way of verifying that their transactions are authorized beyond just using their debit or credit cards.
  • For issuers, the integration of SCA transaction monitoring and controls with their respective fraud and risk management strategies will significantly reduce exposure to money laundering and customer frictions.
  • More importantly, rather than the SCA rules being the exception, the authentication of online transactions will become the norm. This means that failure to comply with the SCA rules could result in fines, which tightens the intended security measures.
  • The European Payments Council foresees a payer claiming a full reimbursement from their PSP if an unauthorized payment occurs, no SCA measure was applied, and the payer in question did not act fraudulently.

SCA Impact on Transaction Conversions

  • Once SCA is fully implemented, additional steps will be required during the checkout flow, especially for transactions that require authentication. The friction that occurs during checkout could potentially prevent customers from completing a purchase. For instance, 69% of online purchases were abandoned in 2019, and 27% of shoppers that abandoned purchases said they did so because the purchase process was either complicated or too long.
  • A study conducted by Ravelin established that 22% of all transactions authenticated by 3D, a common security feature of the SCA rules, are lost. With this in mind, poor user experience and the aforementioned redirects would result in a conversion drop.

Research Strategy

To identify the overall projected impact of Strong Customer Authentication (SCA) on security as well as transaction conversions, the research team consulted industry experts through their respective websites and blogs. Using this strategy, the research team identified the key projected impacts that SCA will have once it is implemented.