The start of 2021 marked the beginning of Strong Customer Authentication (SCA) enforcement across Europe under the European Banking Authority’s PSD2 (revised Payment Services Directive) regulations.
Designed to address growing damage from card-not-present transactions amid an online commerce boom, SCA rules require merchants to have multifactor authentication measures in place to ensure that the individual using the card on the other end of the faceless transaction is legitimate.
Despite noble intentions, some participants across the European economy are raising concerns about the logistics of implementing and enforcing SCA requirements. According to Pat Bermingham, CEO of Adflex, European nations’ decision to quietly deploy a gradual enforcement timeline throughout 2021 — rather than adhere to the hard enforcement deadline of Jan. 1, 2021 — is evidence that regulators may not have entirely thought through the implications of SCA, especially in the B2B payments landscape.
With the pandemic driving up volumes of online commercial card transactions through B2B eMarketplaces and proprietary supplier portals, uncertainty continues to swirl around exactly how the ecosystem can comply with SCA requirements, as well as what the consequences will be if merchants and their payment service providers fall out of compliance.
Speaking with PYMNTS, Bermingham highlighted some of the largest potential pitfalls of SCA in the commercial card landscape and raised new questions about what enforcement could look like as the year progresses.
The Biggest Question Marks
There are two key areas of concern for Bermingham when it comes to online commercial card transactions complying with SCA rules.
The first lies within the complex nature of B2B transactions compared to B2C. Often, prices fluctuate far more often than they would on a traditional B2C eCommerce platform. Dynamic pricing and disparities between a quote and final pricing lead to uncertainty over how and when SCA procedures should occur.
For example, he said, a repair service provider might provide an estimate, secure a sale, and then adjust the price as needed. Or, customized pricing agreements between buyer and supplier may see costs fluctuating depending on inventory and demand.
“That’s where most of the problems stem from, where the initial amount is different to the final amount,” explained Bermingham. “There are quite strict rules that the amount that’s authenticated must be equal to or less than the amount authorized.”
It is also unclear whether merchants should initiate SCA procedures at the time a purchase is made, when an order is fulfilled, or when payment occurs. In B2B transactions, these milestones can be weeks apart from each other. Further, it is unclear how SCA rules come into play if a B2B merchant is accepting card details over the phone and entering that information into their own web portal.
Another major area of uncertainty is in the SCA’s language surrounding exemptions. While the legislation leaves room for exemptions, it does not specify when B2B transactions might qualify for them, according to Bermingham.
He pointed to the ambiguity of a consumer-versus-corporate environment and the difficulties in providing a commercial card transaction within a “secure” environment, as the SCA requires.
“In a corporate environment, you can apply for an exemption,” he said. “The difficulty is in how a corporate environment is defined. The FCA [the U.K.’s Financial Conduct Authority] has defined it as a transaction that’s taken in a closed loop, not open to consumers. But a lot of sites now, especially since the pandemic, are open to both corporates and consumers.”
Enforcement Uncertainties
With the European Union intensifying its General Data Protection Regulation (GDPR) enforcement (GDPR-related fines have increased nearly 40 percent in the last year), organizations are growing anxious over whether they will unintentionally find themselves out of compliance with SCA rules as a result of these uncertainties and ambiguities.
Bermingham noted that the gradual implementation of SCA regulations across Europe could signal that regulators will be taking a softer approach to enforcement as these kinks get worked out, although that’s no guarantee.
“It’s all down to policing,” he said. “Maybe they won’t be so strict on certain things, or possibly turn a blind eye.”
But beyond concern for fines, the B2B ecosystem is also raising concerns about the potential for SCA compliance burdens to balloon. For B2B eCommerce sites, said Bermingham, there are infrastructure challenges around how to deal with so-called soft declines, which require supplemental authentication measures that may not be easily achievable within existing systems. For the most part, however, payment service providers (PSPs) will bear the weight of compliance headaches.
Even greater worries are brewing within proprietary, complex B2B systems that are already grappling with the logistical challenges of a diverse B2B payments ecosystem that includes cards, ACH, supply chain financing and other workflows.
The issue of exemptions is likely to be resolved in the coming months, said Bermingham, but several other potential pitfalls for commercial card transactions remain. Until those are also addressed, organizations will have to take a “leap of faith” as they navigate an SCA environment.
“I think it’s going to take another year before we really know what’s happening,” he said.