Lessons for Aus as Europe sets SCA compliance deadline


The European Banking Authority (EBA) has set December 2020 as the deadline for payments providers to migrate to strong customer authentication (SCA) for e-commerce card-based payment transactions.

The SCA mandate, which forms part of Europe’s Second Payment Services Directive (PSD2) directive, will require national competent authorities – member state-based agencies charged with implementing EU regulations – to ensure a “consistent approach toward the SCA migration period” for all payment service providers.

SCA, a multi-factor security regime largely designed to prevent ‘card not present’ fraud, requires merchants or payments facilitators to build at least two of three categories of authentication into their checkout flow – often simplified as ‘something you know, something you own, and something that is part of you’; for example, a customer’s PIN, a hardware token, and/or a biometric fingerprint scan.

Under SCA provisions, banks must decline payments that do not meet these basic authentication criteria.
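The two-of-three rule and the issuer’s decline decision described above, as an added illustration that is not part of the article or of any payment scheme’s code: the method-to-category mapping and the method labels are constructed, and the `exempt` flag stands in for the exemptions the text mentions without detailing. The point a checkout implementer most often gets wrong is that two methods from the same category (PIN plus password) do not satisfy SCA, so the check counts distinct categories rather than methods.

```python
"""Added example (not from the article): does a checkout flow's set of
presented authentication methods satisfy the SCA 'two of three categories'
rule? Categories follow the usual knowledge / possession / inherence split;
the method labels and their mapping are constructed for illustration."""
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something the customer knows"
    POSSESSION = "something the customer has"
    INHERENCE = "something the customer is"


# Constructed mapping from checkout authentication methods to SCA categories.
METHOD_CATEGORY = {
    "pin": Factor.KNOWLEDGE,
    "password": Factor.KNOWLEDGE,
    "hardware_token": Factor.POSSESSION,
    "registered_device": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face_scan": Factor.INHERENCE,
}


def sca_categories(methods):
    """Return the distinct factor categories covered by the given methods."""
    unknown = [m for m in methods if m not in METHOD_CATEGORY]
    if unknown:
        raise ValueError(f"unrecognised authentication method(s): {unknown}")
    return {METHOD_CATEGORY[m] for m in methods}


def meets_sca(methods):
    """True when at least two *distinct* categories are covered.

    Two methods from the same category (e.g. PIN + password) count once,
    so ["pin", "password"] does not meet SCA while ["pin", "fingerprint"] does.
    """
    return len(sca_categories(methods)) >= 2


def issuer_decision(methods, exempt=False):
    """Model the issuer rule in the article: decline unless SCA is met.

    'exempt' is an assumption standing in for the exemptions the text refers
    to (e.g. in-person card payments) without specifying their logic.
    """
    if exempt or meets_sca(methods):
        return "approve"
    return "decline"


if __name__ == "__main__":
    for methods in (["pin", "hardware_token"], ["pin", "password"], ["fingerprint"]):
        print(methods, "->", issuer_decision(methods))
```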

SCA currently applies to ‘customer-initiated’ online payments within Europe, and is now a requirement for all bank transfers and contactless card payments; however, all other in-person card payments remain exempt from SCA.

During an initial industry consultation to assess a viable timeframe for the implementation of SCA, the EBA found the suggested 18-month deadline corresponded with the prospective rollout of 3DS Secure 2 – the primary card authentication method used to back SCA.

Known as “frictionless authentication”, 3DS Secure 2 updates the widely adopted 3DS Secure 1 standard (in place since 2001), which will now require merchants to send quantifiable data elements to the cardholder’s bank, such as payment-specific data or customer transaction histories, to verify the transacting party.

Credit card providers have so far led the implementation of 3DS Secure 2, rolling out several proprietary schemes including Visa Secure, Mastercard Identity Check, and American Express SafeKey.

While European authorities have yet to set a definitive deadline for mandated 3DS Secure 2 implementation, many expect it to be fully enforced by the end of 2020.

While similar schemes have been proposed locally, Australia has yet to mandate a comprehensive multi-factor authentication regime for payments facilitators.

Many, including the Australian payments industry’s self-regulatory body AusPayNet, have endorsed SCA as an important mechanism to tackle skyrocketing rates of card not present (CNP) fraud in Australia.

AusPayNet said its CNP Fraud Mitigation Framework “parallels PSD2, in that both endorse SCA as best practice to authenticate transactions”; however, it stresses, “there are key differences”.

“While PSD2 mandates SCA for all transactions and considers certain exceptions, the Framework only requires SCA for those merchants and issuers whose fraud rate is consistently in breach of agreed thresholds,” it said.

These thresholds include merchants operating above AUD $50,000 in fraud losses and a fraud-to-sales ratio of 0.2 per cent for two consecutive quarters, it said.
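The Framework threshold as the article states it, worked as an added example that is not AusPayNet’s own code or the Framework’s actual text. The interpretation assumed here is that a merchant is in breach for a quarter when both conditions hold (fraud losses above AUD 50,000 and a fraud-to-sales ratio above 0.2 per cent), and that SCA becomes required once two consecutive quarters breach; the quarterly figures are constructed. The sample history includes a quarter that exceeds one threshold but not the other, which is the case a naive check tends to misclassify.

```python
"""Added example (not AusPayNet's code): evaluate the CNP Fraud Mitigation
Framework threshold as the article describes it.

Assumed interpretation: a quarter breaches when BOTH fraud losses exceed
AUD 50,000 AND the fraud-to-sales ratio exceeds 0.2 per cent; SCA is
required after two consecutive breaching quarters. Sample data is constructed."""
from dataclasses import dataclass

FRAUD_LOSS_THRESHOLD_AUD = 50_000
FRAUD_TO_SALES_THRESHOLD = 0.002  # 0.2 per cent


@dataclass
class Quarter:
    label: str
    sales_aud: float
    fraud_losses_aud: float

    def fraud_ratio(self):
        """Fraud losses as a fraction of sales (0.0 when there were no sales)."""
        return self.fraud_losses_aud / self.sales_aud if self.sales_aud else 0.0

    def in_breach(self):
        """Both thresholds must be exceeded for the quarter to count."""
        return (self.fraud_losses_aud > FRAUD_LOSS_THRESHOLD_AUD
                and self.fraud_ratio() > FRAUD_TO_SALES_THRESHOLD)


def sca_required(quarters):
    """True when any two consecutive quarters (in the given order) breach."""
    breaches = [q.in_breach() for q in quarters]
    return any(a and b for a, b in zip(breaches, breaches[1:]))


def first_trigger(quarters):
    """Label of the quarter completing the first consecutive-breach pair, or None."""
    for prev, cur in zip(quarters, quarters[1:]):
        if prev.in_breach() and cur.in_breach():
            return cur.label
    return None


# Constructed sample history for one merchant (chronological order).
HISTORY = [
    Quarter("2018Q1", 20_000_000, 30_000),  # ratio 0.15%, losses under 50k: no breach
    Quarter("2018Q2", 20_000_000, 60_000),  # ratio 0.30%, losses over 50k: breach
    Quarter("2018Q3", 40_000_000, 70_000),  # losses over 50k but ratio 0.175%: no breach
    Quarter("2018Q4", 25_000_000, 80_000),  # ratio 0.32%: breach
    Quarter("2019Q1", 25_000_000, 90_000),  # ratio 0.36%: breach, second in a row
]

if __name__ == "__main__":
    for q in HISTORY:
        print(q.label, f"{q.fraud_ratio():.2%}", "breach" if q.in_breach() else "ok")
    print("SCA required:", sca_required(HISTORY), "triggered in", first_trigger(HISTORY))
```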

CNP fraud last year accounted for 84.8 per cent of all fraud on Australian cards, AusPayNet stats reveal, with online card fraud increasing from $418.1 million in 2016 to $476.3 million in 2017.

As of September this year, SCA became a requirement of the EU Revised Directive on Payment Services (PSD2) on payment service providers within the European Economic Area.