Strong Customer Authentication: Keeping you up to date
Paul Rodgers gives the latest update on Strong Customer Authentication and how these changes will impact fundraisers and charities.
A lot has happened in the past 150 days since the Strong Customer Authentication (SCA) regulations were to become effective on 14th September 2019!
Just in case there is still anyone out there who hasn’t picked up on the challenge that SCA is presenting to retailers and merchants across all categories including charities and third sector organisations, perhaps a little bit of background would be useful.
The new Strong Customer Authentication (SCA) regulations are designed to reduce fraud in the e-commerce, mobile, and remote payment ecosystems. The challenge, when these regulations were drafted, was that little thought had been given as to how to provide the two-factor authentication required for card issuers to be compliant. This risked (and continues to risk) both the integrity of the online card payments ecosystem and economic growth that has powered the European economy for over two decades.
The two factors can be drawn from three elements: knowledge, possession, or inherence; often described as something you know, something you have or something you are.
For online payments, we now know that the ‘supervisory flexibility’ extension that the European Banking Authority (EBA) first introduced in June 2019 will come to an end on the 31 December 2020. That is, except in the UK where the Financial Conduct Authority (FCA) has confirmed that it will still work to its original proposed deadline of 14 March 2021.
Most of the focus since September has been on the challenge that the online payments world will face and the work that has been progressing with SCA Programme Management Office (SCAPMO) is beginning to gather pace and more information continues to emerge on a weekly basis.
It shouldn’t go unnoticed that SCA will also affect the face-to-face environment in the form of more frequent step-up authentication in contactless transactions. That step-up will usually take the form of a requirement to insert the card and perform a chip & PIN transaction which will have the effect of resetting both the value and velocity counters. Those step-ups will begin in earnest from 14th March 2020 so charities should watch out for the first step ups on contactless payments within the next few weeks.
Contactless donations should not be affected! I’m sure you will remember that, in collaboration with the Institute of Fundraising, charity payments solutions providers and card schemes we achieved a ground-breaking and farsighted concession from regulators in early October 2019 to ensure that contactless charitable donations would be unaffected by SCA.
The Financial Conduct Authority gave the following statement at the time:
"We are aware of concerns within the charity sector that the new requirements on SCA may lead to disruption in the existing use and future growth of contactless donations. Due to the social benefit of contactless donations, and the associated low risk of fraud, we strongly encourage card issuers and acquirers to continue to work with the charity sector to ensure that contactless donations are not disrupted due to the new SCA requirements.
“Contactless charitable donations are typically made using offline terminals without functionality to support PIN entry if a transaction is stepped-up for authentication. The introduction of SCA does not mean that these terminals need to be replaced. The industry may continue to process those payments as they currently do now, including by deciding to decline some of these transactions after the event.”
The full text relating to other contactless payments, including the period of flexibility ‘deadline’ of 14th March 2020, can be found here.
If you do find that you are experiencing difficulties, with contactless donations being forced to step up unnecessarily for two-factor authentication (chip & PIN), it will be worth reporting this. I will be pleased to flag this to payment card issuers, acquirers, payment gateways and the Financial Conduct Authority. Please report any anomalies, with as much detail as you can provide, to: email@example.com.
Good luck with your fundraising and payments acceptance journey. I hope that these new regulations will not hamper your inability to raise funds for great causes.
You can keep in touch with Paul’s updates on SCA on LinkedIn by following the #SCAday tag or by connecting with and following Paul on linkedin.com/in/paypaul
Paul Rodgers is Chairman of Vendorcom, and a Panel Member of UK Payment Systems Regulator and a European Payments Evangelist, World Wide Web Consortium (W3C).
Sam Boyle, IoF Policy and Information Officer, wrote a blog with updates on Strong Customer Authentication in August 2019. Read his blog here.