Strong Customer Authentication (or SCA as it is known) was introduced as part of the European PSD2 regulations.
The concept behind SCA is simple: when consumers are authorising payments, they need to use two factors to authenticate themselves (unless the payment is covered by one of numerous exemptions), and those factors must come from two different categories out of the following:
- Something you have (e.g. mobile device)
- Something you know (e.g. password)
- Something you are (e.g. fingerprint)
PSD2 and SCA have been on the agenda for ages. Initially planned to be live in Sept 2019, SCA has now been delayed multiple times as payment providers and merchants grapple with how to achieve and implement it.
The card schemes are implementing SCA with upgrades to their 3DS payment solutions. The problem with this is that it requires additional implementation effort for most merchants and, as with everything to do with the card schemes, additional costs. Visa recently introduced a new Verified by Visa authorisation fee.
Equally, as SCA is being implemented, it is leading to a retrograde customer experience on some payments. One merchant interviewed by Nuapay recently indicated they were seeing 100% of transactions being stepped up to 3DS with one particular bank, causing a large spike in failed payments. Another commented that the use of one-time passwords via SMS for authentication was equally causing an increase in failed payments.
So is there an alternative?
In a word, yes.
Open banking provides an SCA-compliant payment option for merchants straight out of the box, all managed by the PISP and the payer's bank, without any action from the merchant.
With open banking payments, PISPs (like Nuapay) leverage the bank's existing authentication mechanisms to have a payer authorise a payment. To do this, Nuapay connects with the payer's bank using a secure connection and then redirects the payer to their internet or mobile banking portal. The payer then authenticates the payment in exactly the same way as they would normally log on to their banking application. Most payers in the UK benefit from a seamless mobile experience: they simply confirm the payment using the biometrics on their phone, thereby complying with the SCA criteria with something you are (fingerprint) and something you have (mobile device).
As well as being SCA compliant, open banking has other benefits from a fraud and security perspective. With this authentication mechanism, payers never share any of their credentials (e.g. account details or passwords) with the merchant or payment provider. Instead, this information is only ever exchanged directly with their bank. For payers, this significantly reduces the risk of stolen credentials or fraud on their account.
So while some customers paying via open banking for the first time may find it a little disconcerting to have their mobile app opening on their phone, it is potentially the most secure, not to mention convenient, way to pay on your mobile today.