Payments world overlooking SCA

Open Banking, the General Data Protection Regulation (GDPR) and 3D Secure 2.0 dominate client conversations, while Strong Customer Authentication (SCA) is not a priority despite the compliance deadline fast approaching, according to Sebastien Slim, director of Europe and Americas at global payment provider HPS.

“SCA, they speak about it but they don’t necessarily ask us questions,” he said, speaking on the sidelines of the firm’s customer conference last week. “At least this is what we’ve been discussing with our clients and even prospective clients. The questions revolve around PSD2 and GDPR but not so much around SCA.”

Come September 14, SCA – a part of the second Payment Services Directive (PSD2) – will force banks to challenge all online transactions over £30 with additional authentication. That authentication must combine two of three factor categories: something the customer is (inherence), something the customer has (possession) and something the customer knows (knowledge).
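The two-of-three rule above is easy to get wrong in an authorisation service: two factors from the same category (a password plus a PIN, say) are still only one category. The following is an added illustration of that policy check, not code from HPS or from the PSD2 text; the £30 threshold is taken from the article, while the factor names, the category mapping and the transaction shape are assumptions made for the example.

```python
"""SCA policy check: added example, not HPS's or the regulation's own code.

Models the rule described in the text: online transactions above the
threshold need factors from two of the three independent categories
(knowledge, possession, inherence). Factor names and the mapping below
are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# Assumed catalogue of factors an issuer might accept, keyed to SCA category.
FACTOR_CATEGORIES = {
    "password": "knowledge",          # something the customer knows
    "pin": "knowledge",
    "registered_device": "possession",  # something the customer has
    "hardware_token": "possession",
    "fingerprint": "inherence",       # something the customer is
    "face": "inherence",
}

THRESHOLD = Decimal("30.00")  # "over £30" per the article; assumed to be in GBP


@dataclass
class Transaction:
    amount: Decimal
    currency: str = "GBP"
    factors_presented: list = field(default_factory=list)


def categories_covered(factors):
    """Return the set of distinct SCA categories among the presented factors.

    Duplicate categories collapse to one, which is exactly why two
    knowledge factors do not satisfy SCA. Unknown factor names are rejected
    rather than silently ignored.
    """
    unknown = [f for f in factors if f not in FACTOR_CATEGORIES]
    if unknown:
        raise ValueError(f"unknown factor(s): {unknown}")
    return {FACTOR_CATEGORIES[f] for f in factors}


def needs_challenge(tx):
    """True when the amount exceeds the threshold and SCA must be applied."""
    return tx.amount > THRESHOLD


def sca_satisfied(factors):
    """True when at least two distinct categories are present."""
    return len(categories_covered(factors)) >= 2


def authorise(tx):
    """Return (decision, reason) for a transaction.

    decision is "approve" or "challenge"; "challenge" means the issuer must
    step the customer up before the payment can proceed.
    """
    if not needs_challenge(tx):
        return "approve", "amount at or below threshold, no SCA challenge"
    covered = sorted(categories_covered(tx.factors_presented))
    if len(covered) >= 2:
        return "approve", f"SCA satisfied by {covered}"
    return "challenge", f"only {covered or 'no'} category present, need two"


if __name__ == "__main__":
    # Constructed sample transactions for demonstration.
    samples = [
        Transaction(Decimal("25.00")),
        Transaction(Decimal("45.00"), factors_presented=["password", "pin"]),
        Transaction(Decimal("45.00"), factors_presented=["password", "fingerprint"]),
    ]
    for tx in samples:
        print(tx.amount, tx.factors_presented, "->", authorise(tx))
```

The check is deliberately strict about unknown factor names: a typo in a factor label should fail closed rather than quietly count toward the two categories.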

During the consultation period on SCA, banks – and their merchant customers – expressed their concern over the added friction in the customer experience, something Slim believes is not being explained to customers.

“You can draw a comparison to the rise of contactless,” he said. “We were asking customers for years to put in their PIN codes and all of a sudden we were telling them that their NFC chip was secure. That could happen to SCA when we’ll suddenly start asking customers for two factor authentication.”

It is not the first time card scheme rules have been at odds with regulation, according to Slim.

GDPR requires companies controlling and processing consumer data in Europe to delete data on the customer’s request, which sits at odds with 3D Secure: “GDPR requires banks to remove customer data while Visa and Mastercard rules require you keep that data a period of time after the customer has left the bank. There’s a bit of contradiction around the two.”

3D Secure, the norm for online payment authentication – and its latest version 2.0 – requires an additional security layer as well as the ability to share transaction data to prevent fraud. It is mandated by the EMVCo card scheme.

The cost of breaching GDPR stands at either €20m or 4% of annual revenue and could prove as costly as $915m for Marriott International, according to reports. While Facebook paid a fine of £500,000 for the Cambridge Analytica scandal under the Data Protection Act, the tech giant could face fines of over £1.24bn under GDPR for its latest breach.

With no current standard, GDPR should emulate 3D Secure or PCI to provide guidance to the industry, Slim believes.

“Ultimately, GDPR is applicable but we’d prefer actual certification so that it’s clear to everyone,” he said. “The key concern is that there is no kind of certification for GDPR. Visa and Mastercard have rules to follow and you’re testing against that certification and at the end of which you’re certified.

“GDPR has no such standard, we’re asked to protect customer data and yet we have no way to demonstrate that we are doing just that. I don’t think you can live in a situation where you are asked to follow something without a way to demonstrate compliance,” he said.
