Under the new rules, payment service users must use two of three factors to authenticate themselves when accessing data and giving payment instructions. The three factors are possession, knowledge and inherence. In other words:

• something you have (like a mobile device)
• something you know (like a password) and 
• something you are (like your fingerprint)

When put like this, it’s not overly complicated. We as consumers are used to verifying certain transactions with two factors. However, its transition into day-to-day reality has not been so easy.

There has been a contentious debate in the card sector because increasing friction in the card payment experience is likely to lead to abandoned sales. This impacts merchants, who have no control under these rules as to whether or not SCA should be applied. As a result, stakeholders have been reluctant to develop the necessary software and hardware changes, to the extent that the European Banking Authority (EBA) agreed to extend the implementation deadline. 

No one can deny that the rationale behind PSD2 was good. It aimed to spur innovation in the financial services industry in Europe, whilst advancing the fight against cybercrime - especially for ‘card not present’ purchases in a booming e-commerce market. Yet, even at this early stage, we can see that vital changes must be made to improve SCA for all involved. I believe that in ‘unlocking’ SCA in the card not present payment scenario, we could simplify the process and provide a great business opportunity to a wider market.   

Prior to the SCA requirement under PSD2, merchants had a certain level of discretion as to whether or not they would require further authentication from customers before accepting their payment and handing over the goods.

This proved useful, for instance, where merchants pride themselves on the ease and speed with which they enable consumers to make purchases. The cost to the merchant for this benefit is the risk they take if something goes wrong with the transaction. Under PSD2, the merchant no longer has any control over whether SCA is applied or not. SCA doesn’t always have to be applied; there are nine exemptions listed in the legislation, but it is up to the customer’s card issuer to decide whether an exemption can and should be applied. 

Looking ahead, I believe PSD3 should unlock SCA by rebalancing the control between merchants/acquirers and issuers, and allowing the well-established chargeback system to play its role in keeping merchants and their acquirers honest in their responsibility to fight fraudulent payments. A good example of how this could work in practice is for merchants with recurring customers who have created an account: SCA could be applied once, perhaps to register, but not to every subsequent transaction. 

As I mentioned above, PSD2 brought payment initiation service providers (PISPs) and account information service provider (AISPs) into the scope of regulation. Yet payment initiation and account information services have not been the norm in the UK. While some 50 new players have become authorised in the UK as PISPs, and 150 have registered as AISPs, consumers’ use of and familiarity with their services still remains low. 

The European Commission sees PISPs as a viable alternative to card usage in e-commerce. A large merchant could become a PISP and offer customers the opportunity to pay directly from their bank account rather than use their card.

From a customer’s perspective, however, paying from their account could be just as much of a headache as paying by card, since responsibility for the authentication lies with the payment account provider, known as the account servicing payment service provider (ASPSP). Therefore, the customer has to use the PISP’s app to initiate a purchase, then use another banking app from the ASPSP to complete the authentication. This is not particularly “frictionless”, and is frankly quite worrying from a user journey perspective. Instead, allowing the PISP to take responsibility for the SCA challenge would be helpful.  

If merchants or PISPs were given the option to perform the SCA challenge themselves, how could an ASPSP trust the challenge? One would need an independent authority that could set the SCA standards, audit the SCA process and deliver compliance, in much the same way as the Payment Card Industry Data Security Standard (PCI DSS) currently does. 

On the one hand, and since trust is paramount here, mechanisms would have to be invented to create such trust throughout the process. On the other, existing systems could be leveraged, such as eIDAS - Electronic Identification, Authentication, and Trust Services - an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. Card issuers or ASPSPs could then whitelist merchants and PISPs that are accredited, or implement further controls if accumulated payments reach a certain threshold. This would be a new service, as well as a way of sharing the responsibility again when it comes to fraud and chargebacks. 

All this seems rather complex to put in place for a few PISPs, but I believe this would be a crucial first step. Unlocking SCA would present an enormous opportunity as it could be sold as a new service outside the financial world and could help build a Digital Single Market. 

Yes, ASPSPs could sell this new service outside the financial sector. 

The final missing piece would be for banks and SCA providers to offer a digital identity. Many European countries – such as the UK or France – have initiated government-run ID programmes, although the market adoption of these is still very low.

The Nordics, on the other hand, have succeeded with similar initiatives around BankID-like projects. When governments in the Nordics saw customers trusting banks not only with their money, but also their digital identity, they saw an opportunity to leap into the digital arena.

BankIDs – or the equivalent – are owned by the banks of each country in the Nordics (Norway, Denmark, Sweden and Finland), but the use has extended to government services and others that require ID authentication. In Sweden, more than half the use of BankID is from outside the financial sector.

Such a combination between SCA and digital identity would be very useful when a merchant needs to know who they are selling to. For instance, this service could be used to check that a person is above the legal age to access a service, it could automate the process of buying or renting an apartment and could even secure access to your company email. In the financial industry, it could be used to manage insurance agreements, communicate with the government, onboard new customers (KYC) for your service, and make it easier for challenger banks to open new accounts. 

Business to business (B2B) would be another major beneficiary of this new service, as there are many ways to defraud a company. One common method is by changing the contact information regarding an invoice. An invoice from a vendor is intercepted by a fraudster, who changes the beneficiary account number and then forwards the invoice to the correct recipient. Using an SCA challenge would prevent this. 

So, although SCA is seen by the financial services industry as a hurdle and an extra cost, if handled properly in PSD3, it could accelerate innovation in the financial industry and other sectors, creating new businesses and new opportunities. The first responsibility of the EBA should be to lay the foundation for an unlocked SCA in a future PSD3, allowing SCA to develop outside the EBA and the financial sector to become the cornerstone of the Digital Single Market.

— — —

‘This article is part of a collection from the EPA's whitepaper 'The Future of Payments Regulation: Voices of the EPA'. The whitepaper has been written by myself and fellow members of the EPA's Project Regulator as we hope to start an important discussion on the future landscape of payments legislation. To download the full document hot off the press click here.