Vendorcom Chairman Paul Rodgers has accused the European Commission of acting to undermine European eCommerce. His allegation refers to a letter from Executive Vice-President of the European Commission, Valdis Dombrovskis.
In that letter, which was sent to several organisations, Dombrovskis has made it clear that the December 31, 2020, deadline for implementing Strong Customer Authentication (SCA) will remain. Rodgers and others had previously written to the European Commission looking for an extension of the SCA deadline by six months. Such an extension would have brought it closer to the new deadline set by the UK FCA of September 14, 2021.
In a statement, Rodgers says: “Whilst I recognise the need for clarity following the disarray that has been triggered by eight months of silence from the EBA, last week’s intervention by the EC has been unhelpful. It further demonstrates the ignorance of Europe’s regulators in dealing with payments matters.
“The rationale that Dombrovskis puts forward cannot be based on a logical assessment of the facts. It presents several non-sequitur statements and unsubstantiated assertions and is, in places, self-contradictory. It also fails to reflect the impact COVID-19 has had on ALL stakeholders in the payments ecosystem, seeming to suggest that the reason that merchants are asking for a further extension is solely due to merchants’ lack of current capacity to meet the current timeline. Banks, acquirers, processors and gateways are all up against it as well!
“This now creates an unsustainable divergence of the UK and EU/EEA position on the enforcement of compliance which will leave merchant businesses with cross-border trade with no option but to aim for the earlier date. Achieving this date is something merchants have no control over as it is almost entirely dependent on the approach and timeline of banks/card issuers who, themselves, are not universally ready to offer compliant, market-ready solutions.”
What is this all about?
Strong Customer Authentication is part of the European Payment Services Directive (PSD2). It is designed to protect people buying online from the risks of fraud. Purchases over a specific limit, currently €30, will have to use multi-factor authentication. For most retailers, this will be handled by their payment provider.
For consumers, it means having a way to respond to verification checks. The most likely method will be a one-time code sent to their mobile phone via SMS. The consumer would then enter that code into an onscreen prompt to authorise the transaction. It is a proven approach that is already in use by credit card companies and banks.
Another option is to use the built-in biometric technology on mobile phones. It would work well for mobile purchases but would require a little extra coding if the initial purchase is made via a PC.
The Dombrovskis letter
Dombrovskis was responding to a letter sent from three organisations, EuroCommerce, Independent Retail Europe and eCommerce Europe. All three organisations asked for: “full consideration be given to granting a harmonised extension to the current deadline of December 31, 2020, for the migration to SCA, in order to allow businesses to focus on keeping their businesses running as efficiently as possible.”
Dombrovskis replied: “The EBA already addressed some of these operational challenges through its statement of March 25, 2020, lifting the first deadline for national competent authorities’ obligation to report by March 31, 2020, on industry’s readiness to meet the Strong Customer Authentication requirements for ecommerce card-based transactions.”
Additionally, Dombrovskis said: “I would like to stress that rules on Strong Customer Authentication have been known to the market since at least November 2017 and clarified on multiple occasions by the EBA, either with targeted guidance or through its Q&A tool.”
Having said all that, Dombrovskis also pointed out that the deadline had already been moved further out, to December 2020. It was, he said, to: “allow national competent authorities to exercise some flexibility in their enforcement until December 31, 2020.”
Rejecting the case for a delay caused by COVID-19
COVID-19 has changed many consumers’ buying habits. Unable to go in-store to buy goods, they have relied on the Internet. At present, there are no figures from the payments industry to say whether this has increased fraud and, if so, by how much.
It is that change of buying behaviour that Dombrovskis sees as a driver for the introduction of SCA as early as possible. That means, no later than the previously agreed December 2020.
He writes: “The Covid-19 pandemic has increased the volume of e-commerce and consequently of online payments. It can be expected that many EU consumers will maintain these new payment habits. This would call more than ever before for robust and innovative strong authentication methods. Delaying them further could undermine customer trust in ecommerce, and slow down the deployment of new and innovative state-of-the-art authentication methods in the EU.
“EU rules on strong customer authentication have been designed in a balanced manner, with appropriate exemptions, thereby ensuring a smooth and convenient customer journey while combatting online fraud. We should all prepare for and look forward to their full introduction on January 1, 2021.”
Silence is not golden – at least from Rodgers’ perspective
In Payments Review Weekly, Rodgers went on the attack over what he sees as radio silence from the EBA and the impact of politics on decision making. In his attack on the EBA, he wrote: “It’s just crazy that the European Banking Authority has not made any public pronouncements on SCA since October 16, 2019. It is 226 days since it last issued one of its official ‘opinions’ on SCA and I think the EBA needs to come out of the closet and say what its intentions are.”
“The lack of clarity is creating turmoil in the pan-European merchant payments sector and, in particular, ecommerce. I know there are private meetings going on with the National Competent Authorities across Europe but that’s not good enough; they need to take a public stance.”
“I’m now calling on the European Commission to intervene as I think that only the Commission can now take charge and bring resolution to the impasse that the EBA is precipitating.”
Rodgers also comments on what he believes are the politics involved. He said: “The EBA is either just trying to be a heavy-handed regulator and demonstrating that it is the organisation with the teeth and the controls with no empirical basis for its decisions and in denial of the facts and market reality.
“Or, it’s a case of, well, the UK has gone for a sensible 18-month delay, but we can’t be seen to do what the UK has done because of Brexit. I’m sure that such a political stance would be denied but, since there are no good reasons not to align dates, the true motivation will remain open to interpretation. I hope that the Commission will now hold the EBA to account.”
Five things that could help solve this problem
Rodgers believes five things can improve the implementation of SCA. They are:
SMS one-time passcodes (OTP) HAVE to go; Rodgers says that SMS one-time passcodes are insecure and exclusionary and should be replaced.
Time to find better security solutions; An alternative that Rodgers would like is more use of biometrics and behavioural biometrics. However, as he admits, these can be just as exclusionary as SMS one-time passwords.
Smooth the way for eCommerce; Rodgers’ solution to removing barriers from eCommerce is better relationships between retailers and customers, including loyalty measures. He believes this will make customers spend more time online with retailers.
Beware the fraudsters; Ironically, Rodgers accepts that delays to SCA, such as that from the FCA, will favour fraudsters. That hasn’t, however, stopped him from wanting the whole thing delayed. Rodgers does call for a fresh look at the fraud and analytics tools that are used. Given the amount of money being spent with FinTech and FraudTech start-ups, that is a process already underway.
Working together to find a way; Rodgers wants regulators to adopt a more collaborative approach to solving this problem. Ideally, he would like UK Finance to take control of this programme of work, something that is unlikely to be acceptable to the rest of Europe given the UK is scheduled to leave by January 1, 2021.
Rodgers also writes: “It’s about monitoring the readiness of the market, not just in the deployment of technical solutions but in the adoption of those solutions by the end consumer.” However, consumers are already using the admittedly flawed solutions and are likely to adopt anything that improves security. What they can’t do is adopt something that hasn’t yet been delivered.
Enterprise Times: What does this mean?
As Enterprise Times pointed out in its previous coverage of SCA, this is not about adoption by consumers, but the ability of the payments industry and retailers to deliver. Take the example of the well-publicised increase of contactless payments in the UK to £45 at the beginning of April. It was a farce. It took some large retailers weeks to update software, something they could have done in advance.
COVID-19 is a convenient excuse for delays in development, but that hasn’t stopped other parts of the technology industry from developing and delivering new solutions. If Rodgers believes that the problem is delays due to the manufacture of physical components because of supply chain issues, then he needs to say so.
To avoid exclusionary solutions, Rodgers also wants better relationships between retailers and customers. However, every week brings news of retailers suffering data breaches due to inadequate data security. Getting customers to trust retailers even more and give up more data as part of that relationship will take considerable effort. Additionally, the way customer data is gathered without sufficient regard for consent is also a barrier. It is not about politics. It is about the way businesses choose to behave. Addressing that would show some balance rather than making this a purely political issue.
Issues over SMS OTP have been around for a long time. There are a number of known attacks on mobile phones and mobile networks that allow fraudsters to intercept these messages. Current solutions to this include the use of authenticator apps from multiple vendors such as Microsoft, Google and Apple. These still fail the exclusionary test that Rodgers applies, but they are better than SMS OTP.