SCA in its simplest form requires that customers be identified through methods that fall into at least two of three categories: knowledge, possession or inherence. The first refers to KBA methods like passwords or PINs, but the latter two categories are where merchants and payment providers will need to get creative.
Possession and inherence bring consumers more heavily into the authentication process because both rely on information that only they have. Possession can refer to the chip inside of a physical debit card, for example, while inherence refers to things that are even more personal — such as fingerprints.
Online merchants could collectively lose approximately $57 billion in 2020 due to SCA adjustments. Merchants that wish to stay compliant should search for methods that fit the inherence and possession categories. These solutions fall into the inherence bracket and can be combined with KBA methods like one-time passwords, thus satisfying the standard.
One of the challenges yet to be faced is that only 25 percent of online merchants are aware of SCA, making compliance tricky for the remaining 75 percent. Another area of concern is that merchants are dependent on card issuers, which choose the verification categories and combinations consumers will need to meet when making online purchases. Merchants must therefore be prepared to support several verification and customer experiences.
Biometrics and authentication challenges
Merchant awareness and preparedness has been an ongoing issue since SCA was first proposed. Part of the confusion comes as a result of SCA being a legal requirement and not a simple card payment standard upgrade, which would trickle down to merchants via the card networks. Merchants will bear the brunt of the consequences from noncompliance, however. All transactions over €30 are subject to SCA, meaning that purchases can be declined if the consumer cannot provide proper verification. Biometrics is emerging as one of the innovative solutions to this problem in a variety of industries, including retail, travel and hospitality.
Some studies predict that 30 percent of payment authorization requests in the hotel industry will be declined under SCA. Biometrics may be able to lower that percentage by combining tools like voice recognition or TouchID into customers’ online purchases, ensuring that SCA standards are met. Hotels could also make use of digital wallets like Apple Pay that inherently authenticate payment through Face or TouchID, which satisfy authentication needs for the possession and inherence categories. The smartphone is in the customer’s possession, after all, and face or fingerprint scans fit inherent verification.
Biometrics also have the advantage of simplifying customer experiences. Customers can be fully identified by providing fingerprint scans alone, reducing user frustration while also meeting heightened authentication requirements. This could come in handy for those looking to prevent sales losses post-SCA. Regulators are also closely examining biometrics as the deadline moves closer.
The U.K.’s FCA is among the entities that believe merchants need more time to prepare for SCA, and has come up with an 18-month plan to address shortcomings. The plan will help retailers balance both security and customer convenience with authentication measures like mobile text messages and biometrics in mind. Customers are already used to authenticating with their fingerprints to gain access to mobile banking apps or unlock smartphones, but it is unclear how acceptable this process will be for eCommerce purchases.
Merchants that wish to use biometrics still need to confront several problems, including that issuing banks and card acquirers will be the ones determining proper authentication methods under the rule. This puts the problem of biometric innovation on the shoulders of banks and payment providers.
SCA and the awareness problem
Merchants and their partnering payment services will need to make sure that their chosen authentication methods measure up to customer preferences. They will have to determine whether customers prefer facial scans or fingerprints, for example, and see how these tools fit in with the methods users already prefer.
Merchants that want to have a say when it comes to customer authentication will need to work quickly, though. The lack of awareness about the regulation, its exemptions and its noncompliance consequences remain the most significant barriers. Those that want to succeed in keeping customers engaged and safe will need to confront the complexities of SCA as quickly as possible.