“Unless the education has been really clear and consistent, confusion can pave the way for fraudsters to exploit the situation.”
With the news today that Strong Customer Authentication (SCA) enforcement has been extended a further 18 months, we spoke to Jackie Barwell, Director of Fraud Product Management at ACI Worldwide, about what SCA entails, the risk of fraud around its implementation, and whether it will “kill” one-click shopping.
How will 2FA Work for Consumers when SCA is Introduced?
Any future transaction that requires SCA will have to satisfy two of the three ‘elements’ dictated to be satisfactory authentication methods.
In other words, two of the following: something you are (e.g. biometrics); something you know (e.g. a password or PIN; this excludes one-time passwords sent to a device) or something you have (e.g. the device itself confirmed with an OTP or token).
Today, if further authentication is required when a customer conducts an electronic transaction (for example by shopping online), they will typically be required to complete 3D Secure procedures.
For example, by entering three out of eight elements of a known 3DS password. Post SCA deadline, that will no longer be sufficient; and the consumer will be asked to provide an additional element of authentication.
They may, for example, be able to utilise biometrics on their mobile phone (set up through their banking app), or they may be sent an OTP in order to enter that on top of the 3DS password.
You’ve Warned About the Possibilities for Fraud as this is Rolled Out. What’s the Concern?
As with any change in the way we pay or shop, unless the education has been really clear and consistent, confusion can pave the way for fraudsters to exploit the situation. If a consumer is confused about the sudden increase in requests for additional authentication (using methods they’ve never had to provide before) they could look for an explanation for this.
Fraudsters could create this explanation by, for example, sending an email which looks like it’s from a bank or merchant telling consumers that there’s a glitch in the system which they can correct by sharing XYZ personal information.
Because of this, clear consumer education is paramount; and highlighting what a bank or merchant will not ask for is just as important as clarifying what they actually will be asking for.
Is Online Shopping Still Going to be Friction-Free, Post-SCA?
I believe that a friction free shopping experience is still possible – but perhaps not in the way it has been described in the past.
When required, there will be a need to provide additional authentication. But if everyone is aware of the new rules, and are prepared for the next ‘authentication’ request, then why would they view these new steps as ‘friction’? If the right measures of understanding are put in place now, then it will all become natural very quickly.
What will cause friction, however, is a lack of a consistent approach to SCA by individual issuers. If consumers don’t know from one card to another what their ‘next request for authentication’ will be, it will cause anxiety, confusion and of course become a headache – which is definitely not frictionless.
Who should be responsible for educating consumers? Banks? Retailers? Regulators? Or a Combination of them All?
All parties have a stake in SCA becoming a success, and they should all play a part in customer education. At the end of the day, the aim is to reduce the possibility that our desire for convenience is compromised by fraudulent activities. If we want this to work, then we must all strive to ensure the education is there. I see consumer education as requiring a three-fold approach:
Firstly, e-commerce retailers need to let their customers know that in order to maintain the level of convenience they want, they’ll need to be prepared for requests for additional authentication.
The banks should tell consumers that their desire for convenience as well as their cash can be protected, but with the addition of security measures designed to keep any fraudsters from taking advantage of their shopping habits. This means they need to tell consumers what to expect, and be ready for that request.
Finally, it would be great if the regulators could work with governments to provide widespread education on the new laws using popular methods such as TV advertising, or mass produced and delivered leaflets; very similar to the UK’s approach to educating the general public around the introduced of chip and PIN for in-person purchases.
If we all play our part in educating the consumer, then we can limit the confusion that could either be exploited by fraudsters or put people off from conducting e-commerce transactions going forward.
Are Big Ecommerce Sites Likely to Negotiate a Special Deal around SCA? If Not, Does that Signal the End of “One-Click Buying” for Amazon, et al?
If the whole purpose of introducing these new measures is to increase safety around e-commerce transactions, then why would big e-commerce sites like Amazon be treated any differently?
Merchants who are able to demonstrate that they conduct effective Transaction Risk Analysis (TRA), and can determine when a transaction is considered ‘low’ risk or not, will likely be able to have SCA exemptions applied to those transactions (if the transactions are below specified financial limits).
This will, however, need to be combined with the individual issuer and acquirer’s own fraud prevention and detection performance too.
For all merchants, under SCA it becomes ever more important to ensure they have strong fraud prevention and detection methods in place that allows for effective TRA. And crucially, that they can demonstrate this. Using their results, these companies can communicate with the issuers and acquirers to ensure they are aware of their strong fraud prevention strategies.