- Security TWENTY
- Women in Security Awards
The date by which e-commerce businesses in Europe must be compliant with the revised Payment Services Directive (PSD2) has been a cause for much debate. Specifically, it’s the strong customer authentication (SCA) aspect of the regulation – requiring a two-factor authentication process for all online purchases over 30 euros – that has been a continuing topic of conversation with regulators and businesses alike, writes John Cannon, managing director of fraud and ID at TransUnion in the UK.
The requirement for SCA came into force in September 2019 but the European Banking Authority (EBA) approved an implementation period giving organisations across the European Economic Area (EEA) until December 31, 2020 to fully comply.
Given the state of readiness throughout the industry, this was welcome news. However, this decision was taken before COVID-19, and the environment in which we are now operating has changed dramatically, which prompted payments and e-commerce associations from across Europe to request a further delay to the final implementation date.
This was not accepted by the EBA and as the deadline has now passed, SCA should be widely implemented, although some nations, such as France, Germany and Italy have set out their own timeframes for compliance, with gradual enforcement throughout 2021.
The UK has also set out its own timeline for implementation, although since Brexit the UK no longer comes under the remit of the EBA. In light of the covid-19 pandemic, the Financial Conduct Authority (FCA) agreed a managed rollout process to give the payments and e-commerce industry extra time. This was intended to end on March 31. However, in November 2020, the FCA decided to give the industry an additional six months to implement SCA for e-commerce, by a revised date of September 14.
After the new September deadline, any firm that fails to comply with the requirements for SCA will be subject to supervisory and enforcement action by the FCA.
Whilst the initial reaction to decisions delaying enforcement was positive, and it is of course important to recognise the pressures that all businesses are facing during a time of global pandemic, I would urge firms to act promptly, regardless of the extended timescales.
covid-19 has given rise to a host of opportunities for fraudsters, taking advantage of people at their most vulnerable and exploiting the boom in online shopping, with the latest figures from UK Finance revealing a staggering 61pc increase in remote banking fraud to the year ending September 2020.
Our ongoing study tracking the impact of the pandemic on consumers has confirmed this, with the most recent report from December 2020 showing that nearly a third of UK consumers (30pc) have been targets of fraud related to the pandemic, with 7pc of those falling victim to the scams.
In this context, further delays to SCA may serve to harm, rather than protect the consumer and the payments and e-commerce industry must act as quickly as they can when it comes to strengthening security measures. Putting the right tools in place, including SCA, should be a priority as we collectively navigate these challenging and uncertain times.
Read more about SCA in TransUnion’s blog.