SCA is a new set of rules from the Financial Conduct Authority (FCA) to help protect customers from fraud when they are shopping online, UK Finance explains. With increasing amounts of purchases being made online, these new rules will help to ensure that customers are safe when shopping and their money is better protected.
The changes will mean that when customers buy something online, they will be asked to verify their identity, for example, through their banking app or a one-time passcode via text or phone call.
From 18 January card issuers started declining some non-compliant transactions, with all non-compliant transactions being declined after the 14 March deadline. Now that the deadline has passed, Daniel Holmes, fraud prevention SME at financial RiskOps platform Feedzai, offered the IT Security Guru readers some insights on the implications of SCA coming into effect:
One of the consequences of this change is that SCA will create additional friction and authentication requirements during the consumer check-out process. Despite some attempts to manage consumer expectations in the lead up to this change, it will take time for them to adapt to the new requirements.
While it is too soon to back this up with data, it is likely that SCA will create consumer confusion in the short term, potentially leading to an increase in abandonment as consumers react to the new user experience. Banks need to ensure their consumers embrace the new user journey if they want to keep their card ‘top of wallet’. To do this the banks must be savvy with several things, including:
- Being shrewd with exemptions. Being smart here enables payment players to mitigate one of the major SCA risks of too much-unexpected consumer friction
- Adopting leading-edge transaction monitoring and data technologies to only create challenges when necessary – a strong analytical strategy is key
- Resolving challenges quickly with a secure and user-friendly authentication strategy. Adoption of passive controls, such as device recognition and behavioural biometrics, could be key to maintaining a positive user experience. Those institutions that opt for multiple forms of overt authentication, such as SMS OTP and passwords, may find themselves quickly losing consumer confidence as they grow frustrated
What does the future for SCA look like? Only time will tell, but this is certainly not the end. SCA was introduced to tackle unauthorised fraud. Since the legislation was shared, the industry has seen a huge swing towards scams and authorised fraud. SCA may well inadvertently accelerate this shift, bringing down unauthorised fraud, but pushing up authorised fraud.
Furthermore, many businesses will have delivered their SCA strategy in a ‘tick box’ fashion, in order to hit the regulatory deadline. It is likely these strategies will mature and improve as consumer feedback is gathered and as banks observe best practices from around the industry.
Banks may begin exploring delegated authentication in an attempt to streamline the user experience. This practice enables banks to effectively outsource their cardholder’s authentication requirements to the merchant. Banks will of course require confidence that the merchant can execute strong authentication controls, and ensure that their cardholder remains secure as well as satisfied with the service they receive.