Brian Costello, VP Data Strategy, Envestnet|Yodlee
We currently feel nuanced and conflicted around SCA and its deadline. We’re supportive of its intent, which is to provide dynamic verification that the person initiating a payment or requesting data is authorised, but concerned over its implementation, which is asymmetrically applied without variable levels of consideration for risk. Our first concern as the deadline arrives, however, is around whether or not consumers know enough about it.
How will average consumers react when presented with SCA by their bank? Will they see this as an indication that there was an issue with their account or that their bank is not supportive of their use of third-party tools? We think many customers will, and subsequently not adopt the application or service they had originally chosen to help them, or existing users will abandon their application or service. These will lead to bad customer outcomes, which is exactly the unintended consequence the fintech industry has been trying to avoid since 2016.
We hope that institutions begin to provide helpful messages to their customers about the “how” and “why” of SCA-RTS via their digital channels, as well as have their customer service personnel and bots ready for questions from consumers who may have concerns. We also hope their operations can handle the increased traffic and issues that are likely to impact performance. The industry must continue to work with the FCA and OBIE to strike the right balance between consumer experience and protection aligned with the spirit and letter of the regulations.
Jonathan Jensen, Director of Identity Verification, GBG
Merchants need to work with their merchant acquirer to ensure they implement 3D Secure 2.0 by the due date. It’s vital that this implementation can also handle exemptions (such as low-value transactions) correctly. Merchants need to be proactive on this, and hopefully after the extension to the deadline they are looking better placed to fully implement SCA.
One factor which will help merchants is the fact that online and mobile payments that are completed using Consumer Device Cardholder Verification Method (such as Apple Pay) are already compliant. That’s because they use the consumer’s mobile device (via Touch ID or Face ID) to authorise the transaction (or Touch ID on the latest MacBook Pros and MacBook Airs). This payment method is becoming more and more popular, so could help reduce friction for consumers. I recommend businesses encourage consumers to adopt this payment method to maintain a good user experience.
Despite getting everything in place and being fully compliant, the plethora of new authorisation methods used by card issuers will confuse consumers, and potentially lead to checkout abandonment. Card issuers may use SMS, email, or CVV (if it’s not printed on the card) as options. To avoid confusion, businesses should provide a clear notification to the consumer just before they hit the final checkout button, highlighting that they may receive an authorisation message.