Since recommendations on payment security were first issued by the European Banking Authority (EBA) back on 31 January 2013, SCA’s journey has been a long and bumpy ride.
After a series of delays and push backs, SCA now has an unwavering enforcement date in the UK: 14 September 2021.
But there is an earlier deadline that all parties need to be aiming for: the UK’s SCA ‘ramp up’ period requires all parties to be ready by the end of May 2021.
This is a demanding deadline when considering the scale of transformation required. SCA represents more than just new regulatory requirements and processes; it demands an entire maturity of the e-commerce ecosystem. Over the past decade, the financial sector has seen huge developments in digital banking and authentication capabilities. Now it’s the turn of the cards sector, which has seen many changes in terms of payment innovation, but less so in terms of wider risk analysis, decisioning and authentication.
The deadlines are tough to meet, and if SCA isn’t implemented correctly the impact on merchants – and on the end customer – could be severe. However, SCA also presents a great opportunity to transform the industry, making it fit for the future and enhancing customer experience.
Staying on schedule
The original 14 September 2019 deadline for implementing SCA was put back 18 months to 31 December by the EBA. In the UK, the FCA delayed the enforcement deadline further to 14 September 2021 due to the impact of the COVID crisis. However, organizations need to make sure they are ready well in advance of this date.
At the end of 2020, UK Finance published a revised edition of the SCA Implementation and Ramp Up Plan which breaks the implementation down into three phases.
Phase 1 concluded at the end of 2020. In this, the development phase, all parties continued to build and undertake the BAU testing necessary for SCA compliance — soft-declines, flagging, 2nd factor authentication and so forth.
Phase 2 runs from 1 January 2021 to 31 May 2021. This is the market readiness phase, where merchants are building and testing activation for ramp up. All development will need to be completed by the end of this phase, and low risk SCA flows will need to be implemented by February 2021, followed by live testing as those flows are activated. This marks the beginning of the gradual ramp up.
Phase 3 is the full ramp up, running from 1 June 2021 to 13 September 2021. By this point, issuers and acquirers will need to have completed their activation of all SCA flows (including medium- and high-risk), increasing volumes gradually up to the go-live date.
The reality is that all parties need to be ready for SCA by the end of May 2021. The industry cannot afford a steeper ramp up, or worse, a cliff edge when enforcement is introduced.
Challenge 1: SCA – and cross-industry awareness
The cards ecosystem is complex, bringing together organizations from across banking, payment, technology and merchant sectors. The Financial Services industry, supported by UK Finance, is driving cross-industry communications on SCA, but merchant awareness of requirements and timelines is still far behind the curve. This is particularly true for many small and medium-sized merchants who, with the deadline fast approaching, risk losing out in the e-commerce sector to larger businesses who may be better prepared and able to offer a more seamless customer experience in the new world of SCA.
This also raises the need to communicate with customers and educate them about the changes that they’ll be seeing. It is in the best interests of every organization, and its customers, to ensure that these communications are timely, effective and clear.
Challenge 2: choosing the right implementation and interdependencies
The SCA ramp up is issuer-led but there are interconnected requirements and dependencies that must be considered during implementation. Issuers themselves have a reliance on ACS providers to be able to initiate customer journeys. Gateways will need to be appropriately accredited for transactions to flow through technologies such as 3DS. Acquirers and schemes meanwhile need to help drive merchant awareness and readiness.
Some organizations are, even at this late stage, undecided on the approach they will be taking. Of those that have made a decision, many are experiencing challenges with implementation – either due to internal demands on delivery timelines or due to reliance on third parties for integration capabilities.
With little margin for error, it’s imperative that businesses select and implement the right technologies that will allow them to process authentication and authorizations and, importantly, provide the ability to robustly test these journeys against real-time data to ensure there is minimal impact to customer journeys.
Behavioral Biometrics and Orchestration – the SCA solution of choice
The solution of choice for a second authentication factor, as recommended by UK Finance and the FCA, is behavioral biometrics. Or to be more exact, the layering of behavioral biometrics with other circumstantial evidence.
This is something that Callsign has advocated for some time and we believe that this use of behavioral data ‘ensembled’ with additional insights is an essential part of any digital identification process. This is something I discussed as part of the UK Finance update in October 2020. This is a relatively new concept in e-commerce and one that requires proper understanding and implementation. It’s not something organizations can easily tackle on their own; strong industry collaboration and working with the right partners is essential.
More challenges are present in the form of exemption management and the introduction of soft-decline support. False declines, many of which are soft declines, are costly to merchants in terms of both money and customers. SCA will go a long way towards mitigating this but it will bring with it changes to customer journeys. Having the right orchestration and policy tools in place is the only way to ensure exemptions and declines can be managed effectively, without risking unnecessary friction for customers.
The window is closing – but it's not too late
Every business will be at a different stage of readiness. Some will be on track, finding some much-needed breathing room in the delays to SCA’s rollout. And a great many others will find themselves in a race against time.
For organizations who are unprepared for SCA, it is still not too late to make the deadline. It might seem like a daunting task; we understand that challenges are unique for each organization and can be exacerbated by other factors such as siloed processes or systems, or a reliance on hard-to-replace legacy architecture.
Callsign’s technology is designed to work with whichever systems a business has in place, providing robust behavioral authentication and orchestration solutions that fit seamlessly with your organization and ACS provider. By utilizing behavioral biometrics, the industry-recommended authentication method, Callsign makes it possible to effectively and quickly implement passive authentication that provides high levels of confidence without negatively impacting the customer experience; on the contrary, it’s likely to improve it.
It’s been a long journey to get here. The final SCA deadlines are now within sight, and the right technology is available, right now, to make it a success for all concerned.