Europe’s consumers have been promised for some years now that strong customer authentication (SCA) was on its way. And the rules as to when this should be applied in e-commerce are being tightened. The aim is to better protect the customers of e-commerce services.  

This sounds like a good development for us all, since we are all regular customers of online merchants or providers of online services. And if you look at the details of SCA, this impression is further enhanced. Logins with only username and password are theoretically a thing of the past, and the risk of fraud based on compromised credentials is potentially considerably reduced.

The Payment Services Directive (PSD2) requires multi-factor authentication (MFA) as the implementation of SCA for all payments over €10. MFA covers all approaches involving more than one factor. The most common variant is two-factor authentication (2FA), i.e. the use of two factors. There are three classes of factors: knowledge, possession and biometrics – or “what you know”, “what you have”, “what you are”. For each factor, there may be various “means”, e.g. username and password for knowledge, a hard token or a phone for possession, fingerprint or iris for biometrics.

Using MFA improves protection for virtually all parties involved: e-commerce sites, payment processors and customers can be more confident that transactions are legitimate and trustworthy.

A short look at the history: On November 16, 2015, the Council of the European Union passed the PSD2 and gave Member States two years to transpose the Directive into their national laws and regulations. It should be expected that the broad and comprehensive implementation of SCA as part of the PSD2 will be achieved in a timely manner, as the benefits are obvious. Of course, purchasing processes become a little more complex, because card data and account number or username and password for payment services are no longer enough for checkout. A second, different feature such as a fingerprint or an SMS to your own registered smartphone becomes necessary to increase security.  

But shouldn’t we value this significantly increased security and the trust that goes with it? On the contrary, retailers, for example in Germany, are far from positive about stricter security standards. Every change, and especially every increase in the complexity of the purchasing process, is regarded as an obstacle, a potential point for dropping out of the customer journey.

And yet the development now emerging was not unexpected. As early as July 2019, the European Banking Authority (EBA) stated that some players were not sufficiently prepared for the PSD2, SCA and thus the required protection of consumers.  

As a measure, the member states were offered an extension of the deadline. First and foremost, this was used extensively by the UK, but also by some other countries. In Germany, the new regulations for payments without cash will enter into force on 14 September 2019, almost four years after the European Directive PSD2 was approved. This means that only payment services that implement SCA and are therefore PSD2 compliant can be used for online purchases using credit cards.  

And, you guessed it, just recently BaFin (Germany’s financial watchdog) announced in a press release that “As a temporary measure, payment service providers domiciled in Germany will still be allowed to execute credit card payments online without strong customer authentication after 14 September 2019”.  

This means not only an immense delay of unclear duration; the otherwise rather homogeneous European market is now being chopped up into a multitude of different regulations and exceptions. The direct opposite of what was planned has been achieved, since it is unclear when and where which requirements will apply, in the European Union and in a global Internet. The obvious losers are the customers, online security and trust in reliable online purchases, at least for the short to mid-term.

Forward-looking organizations that value their customers and their security and trust are now able to implement security through SCA, even without BaFin checks. Those companies that benefit from a short delay to meet PSD2 requirements soon should quickly seize this opportunity and join that group. But those companies that, since the release of PSD2 and its requirements, have preferred to complain about more complex payment processes and lament EU regulations should reconsider their relationship to security and customer satisfaction (and thus to their customers). And they should rapidly start on a straight path to comprehensive PSD2 compliance, because temporary measures and extended deadlines are exactly that: they are temporary, and they are deadlines.

To meet them successfully and in time, KuppingerCole Analysts can support organizations by providing expertise through our research in the areas of PSD2, SCA and MFA. And our Advisory Services are here to support you in identifying and working towards your individual requirements while maintaining user experience, meeting business requirements and achieving compliance. And our upcoming Digital Finance World event in Frankfurt next week is the place to be to learn from experts and exchange your thoughts with peers.
