Lack of clarity from regulators hampering moves to make strong customer authentication a reality, says Aspect
PSD2 SCA requirements will be implemented soon, but a lack of direction is making balancing security and the customer experience difficult.
As the second Payment Services Directive continues its roll-out, regulations making it obligatory for organisations to implement strong customer authentication (SCA) in online payments will come into force on 19 September this year.
Despite the proximity of this new requirement, regulators have still not made clear what the most effective way to implement SCA is, in a way that does not compromise on customer convenience. This points to a need for greater collaboration between key players in the industry, as well as a concerted effort by businesses to shore up the methods through which SCA will be managed.
In short, SCA means adding additional authentication factors to online payments, in order to better protect customer data and reduce the risk of fraud. The key challenge for customer-facing businesses here is how to achieve this without damaging the seamless experience that customers have become used to, such as one-click ordering.
Due to a lack of clarity from regulators on how best to proceed, the only viable solutions at present are SMS or mobile app-based authentication. There are two big hurdles to overcome here: find ways to better secure these channels, and redouble efforts to come up with new solutions to maintain a positive customer experience.
Keiron Dalton, Global Program Senior Director at Aspect, said: "SCA is clearly crucial if we want to be serious about data security. Unfortunately, the current focus on SMS and app-based push notifications doesn't quite hit the mark as we would like it to. SMS is vulnerable to compromise, with hackers being able to employ techniques such as unauthorised SIM swap to gain access to personal data. Mobile app penetration, meanwhile, still has some way to go before we can assume that everyone is using it.
"The last thing that companies want to do is sacrifice certain elements of the customer experience in order to bring SCA to the fore, so action needs to be taken by all involved to come up with improved, more effective means of authentication."
To remedy the situation, Dalton believes input from regulators needs to be clearer and more decisive, and that a more productive, collaborative relationship between bodies such as the Financial Conduct Authority (FCA) and customer-focused businesses needs to be fostered. At the same time, businesses themselves need to prioritise the implementation of cyber security practices and software that can nullify the vulnerabilities of authentication methods such as SMS.
He added: "PSD2 is a critical directive for any company handling online payments, so it's vital that meeting its requirements is as straightforward as possible for everyone involved. This means both regulators and businesses working together to break out of the inertia that has permeated the approach to SCA adoption so far. With solid commitment and a clarity of vision from both sides, this is very much achievable."
He concluded: "At the same time, businesses need to give serious consideration to implementing comprehensive fraud detection software that is adapted to the methods that are, and will in the future, be used for bringing SCA to online transactions. These technologies should be able to detect flaws, vulnerabilities and threats across a range of channels, enabling organisations to react accordingly. Crucially, they should also be able to operate in a fully transparent manner, in a way that minimises impact on the customer experience."