The Financial Conduct Authority (FCA) has delayed the implementation of Strong Customer Authentication (SCA). This is the second delay is has authorised. Last year, the FCA extended the deadline to March 2021. The new deadline is September 2021. It gives e-commerce firms another six months to build, test and deploy a compliant solution.
The press release from the FCA reads: “In the exceptional circumstances of the Covid crisis, we are giving the industry an additional 6 months to implement strong customer authentication (SCA) for e-commerce. This will minimise potential disruption to consumers and merchants. The new timeline of 14 September 2021 replaces the 14 March 2021 date.
“Firms are required to take all necessary steps to comply with the revised detailed phased implementation plan and critical path to avoid the risk of enforcement action.”
What is SCA?
SCA is part of the European Payment Services Directive 2 (PSD2). It provides an online equivalent to chip-and-pin processing for cardholder-not-present payments. The goal is to reduce the opportunity for criminals to make online purchases using stolen credit card data.
It means that any consumer making a purchase over €30 (£26.50), will need to use multi-factor authentication. The most likely implementation of this would be for purchaser to get a verification code to their registered mobile phone. They would then input that code into the website to authorise the transaction. There are other alternatives to this. For mobile phones, the user can authenticate the payment using built-in biometric technology.
FCA makes UK Finance responsible for the implementation
The FCA has said: “We expect UK Finance, as coordinator for the industry, to discuss the detailed phased implementation plan and critical path with all stakeholders and agree it with the FCA as soon as possible. In the meantime, firms should continue with the necessary preparatory activities such as robust end-to-end testing.
“After 14 September 2021, any firm that fails to comply with the requirements for SCA will be subject to full FCA supervisory and enforcement action.”
There are several challenges for UK Finance to deal with here. It will need to agree on a standard testbed with all the various stakeholders involved. This ranges from those providing payment services such as Stripe, PayPal and WorldPay to the actual credit card companies such as American Express, Mastercard and Diners Club International.
Each has to deliver different components of the technology for testing, and all believe that the original timescale of December 2020 was too tight. This new timescale will give them more time to solve problems, and UK Finance will expect them to deliver.
Another challenge is the tens of billions of payments that are still not SCA-ready. Charles Damen, SVP product strategy, Worldpay Merchant Solutions, FIS, was quoted in Finextra as saying: “The manner in which payments are processed needs to fundamentally change ahead of a revised SCA deadline. Over 70 per cent of payments processed today are not compliant with SCA so there is much for merchants to do in becoming “SCA-ready” well in advance of this deadline.”
Delay after delay helps cyber criminals get away with fraud
PSD2 was passed in 2015, and countries were given time to incorporate it into local laws and regulations. The effective date for PSD2 was January 2018. From that point, banks and other financial services institutions had 18 months to update their systems. On 14 September, 2019, PSD2 came into full force.
The European Banking Authority (EBA) published an opinion saying that organisations were unprepared for SCA. Its published opinion led to regulators granting a delay until December 2020. That date has been moved again but will this be the last time it gets moved?
According to Jake Moore, Cybersecurity Specialist at ESET: “This move is desperately needed to help combat the amounts that hackers are constantly getting away with, so ultimately every delay will have a huge amount of stolen money attributed to it. However, it is quite understandable why the delay is occurring as we notice the cyber gold standard on hold for a few months.
“2FA will not only help protect millions of accounts, but this introduction is also likely to act as education to millions of users and help them understand that these precautions are highly important. The ease at which people will be able to use this initiative will hopefully train people into using this function for other online accounts too, thus forcing other accounts to be better protected.”
Enterprise Times: What does this mean
SCA is meant to protect consumers and is long overdue. In July 2018, Mastercard accepted that SCA would see up to 25% of online payments requiring biometric security from September 2019. That date has passed and the target has been missed. Now Mastercard and others have another opportunity to implement SCA properly. But will they?
Retailers are also guilty of dragging their feet when it comes to implementing new technology. The limit on contactless payments increased to £45 at the beginning of April. However, it took supermarket chain Sainsbury’s 21 days to update its stores. This was despite it having plenty of notice of the change and an opportunity to act sooner.
Delaying SCA once due to complexity, could be seen as being prudent. Using COVID-19 as an excuse for not being able to design support for SCA into systems makes no sense. There are several organisations delivering updates to their software in the current environment. Developers and test teams are quite capable of working from home.
Allowing organisations time to implement complex legislation is commonplace. However, there is the smell of GDPR about this situation. Despite having two years to enact the rules, a large number of organisations left it to the last minute. It meant a lot of small and mid-sized organisations were still not compliant with the law when it came into force.
SCA seems to be heading for a repeat of that process. It is time for regulators to be more stringent and stop this constant creep of implementation dates.
