Strong Customer Authentication (SCA) deployment keeps getting more complex for both merchants and card holders. As a result, the UK Financial Conduct Authority issued another six-month delay. This article, which is worth a read, looks at SCA primarily from the merchant’s perspective but also identifies how banks add more complexity.
As a user, my complaint is the lack of a standard user interface for challenges. I’ve felt the increase in challenges and the lack of consistency is frustrating. Once I enter my user ID and (strong) password I increasingly get one of the following challenges (listed from the most frustrating to the least):
- My bank calls my mobile and a drunken-sounding woman reads off 6 numbers I enter in my browser.
- My company’s customer management solution uses an authenticator app on my phone that gives me six numbers I enter in my browser.
- One-time passwords jam my email and mobile SMS, which I enter in my browser (and this isn’t even a secure method).
- CVS pharmacy app challenges me with my mobile phone’s biometric.
- Some sites send me an SMS message that I only need to tap.
I often abandon transactions because the transaction isn’t worth the effort, but I still get angry at the inconvenience. If this insanity doesn’t coalesce around one type of challenge, I expect the current 14% of browser and 25% app-based abandonment rates identified in this article will increase and none of the participants will be unhappy. This article provides a concise review of where we are today in the rollout of SCA:
“On one hand, Strong Customer Authentication requirements are projected to help defend consumers throughout the EU against more than one billion euros in annual losses resulting from online fraud. At the same time, preliminary data finds that the requirements may cause a substantial uptick in friction.
As outlined in a new whitepaper published by Fi911, SCA standards could be used to verify only 76% of browser-based transactions, and just 48% of app-based ones. Requirements also prompted 14% of browser-based shoppers to abandon a purchase; for app-based shoppers, the figure rose to one-quarter of shoppers.
Other concerns about SCA adoption persist as well. For example, there will be some confusion, at least at first, regarding liability and applicability in different regions. The same goes for different transaction types and product verticals, some of which will be exempt from SCA rules.
Finally, we should also keep in mind that not all fraud is a form of payment fraud. SCA requirements have no effect on tactics like friendly fraud, return fraud, and triangulation fraud.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group