This article was co-authored by Joshua Marriage and Matt Collis, co-founders of Pip — a Sydney based startup empowering developers with APIs that optimise how personal information is treated by organisations.
What is Strong Customer Authentication?
Strong Customer Authentication, or SCA, is a new European regulatory requirement of PSD2 intended to reduce fraud by mandating Ecommerce merchants implement additional authentication for online payments.
Online shoppers must now complete at least two of three independent authentication methods to avoid their payments being declined, including:
- Something the customer knows (password)
- Something the customer has (device)
- Something the customer is (biometrics)
The new rules went live on September 14, 2019, and according to analyst firm 451 Research, in a report commissioned by Stripe, Europe’s online economy stands to lose €57 billion in the first year.
SCA regulations are scheduled to expand globally and worldwide Ecommerce consumer spending is set to exceed $4.9 trillion by 2021.
As fraudsters prove time and time again their ability to stranglehold every aspect of our digital selves, it’s clear the true cost of Strong Customer Authentication has been grossly underestimated.
Is payments fraud really that big of a deal?
According to Juniper Research, annual online payment fraud is expected to reach US $48 billion by 2023, fueled by the compounding problems of data breaches and the resulting theft of personal information.
In response, Ecommerce will attract US $9.6 billion in annual spending on Fraud Detection and Prevention (FDP) measures from payment service providers and financial institutions.
As fraud prevention increasingly centers around real-time behavioural biometrics and analysis, merchants and consumers must meander their way through a compendium of competing forces including:
- Speed vs Security
- Friction vs Fraud
With mobile now accounting for more than half of Ecommerce spend, there’s growing concern around savvy fraudsters turning their focus to emerging payment trends, such as the 60% of Americans using services like Venmo and Zelle.
“I know of one bank that was experiencing a 90 percent fraud rate on Zelle transactions, which is insane.”
Bad actors will continue finding ways around regulatory rigour, moving to mobile and hijacking AI-driven customer experiences with automated impersonators that hack your accounts (imposter bots) to blur the lines around consumer expectations of convenience.
An immediate impact on merchants
As payment service providers scramble to kill the pain of compliance headaches, merchants are faced with lower consumer tolerance for checkout friction.
Only 47% of today’s European consumers describe checkout processes as ‘very easy’ while around 75% of them have abandoned an online purchase due to a bad checkout experience. Furthermore, over half of online shoppers who abandon their cart end up completing their purchase with another merchant.
While consumers already expect fast page loads, mobile optimised interfaces and autofilled checkout forms, as few as 27% of online shoppers are even aware of the Strong Customer Authentication requirements.
Despite SCA likely being Europe’s most impactful disruption to digital merchants yet, a year one loss of €57 billion could pale in comparison to the liability of being responsible for consumer personal information.
For example, businesses such as hotels, online retailers and social networks were liable for three and a half billion personal identity files stolen during the first half of 2018.
Leading into 2023, experts are expecting a 22.5% yearly increase.
Are consumers becoming more liable for fraud?
Credit card payments include merchant fees, a portion of which serve as funding for customer refunds in the event of fraud. But there’s an emerging view that additional authentication requirements will disproportionately shift liability onto the consumer.
Historically, personal information has been required to validate that the person making a card payment is its rightful owner. Unfortunately this means the accumulation of valuable payloads for hackers has been taken care of for them.
In a recent study by Shape Security, they found that 80–90% of people logging into Ecommerce websites are in fact hackers (or their armies of bots) using stolen information. The problem continues to worsen as account takeover (ATO) is one of the fastest growing fraud tactics, especially with the increasing tendency of hijacked mobile phone accounts.
No longer does the threat end with a maxed out credit card, ATOs can even allow the draining of checking, savings and retirement accounts.
Cyber-criminals find ways to intercept additional layers of authentication and as they do, fraudulent activities become increasingly difficult to detect, as subsequent transactions are trusted and appear legitimate.
Fraud detection systems are becoming more complex in design and operation, delving deeper into real time monitoring of consumer behaviour. They aim to connect the dots, detect anomalies and identify behaviours that may signal higher risk of fraudulent activities.
If fraudsters rise to the challenge of Strong Customer Authentication and merchants are no longer effectively funding the refund of fraud, then the system may no longer be able to compensate the victims of sophisticated scams.
Shouldn’t we be putting the customer first?
The customer experience is already impeded by SCA before the checkout, but the true cost to consumers after the checkout is so often underestimated.
Despite best efforts to secure and protect personal information, the individual is required to trust in countless third parties to do so.
Take for instance the additional steps of KYC and the associated ‘Know Your Customer’ requirements, intended for the service provider to be sure they’re aware of who you are. Large scale KYC data breaches have meant that documents as sensitive as driver’s licences have been scooped up by identity thieves.
Consider the life shattering moment for a hard working mother of two, when her driver’s licence, known as the ‘golden ticket’ to hackers, fell into nefarious hands.
The magnitude of fraud can be devastating and the perpetual impact never ending, with lines of credit drawn, credit ratings hurt, many hours wasted dodging debt collectors and no easy way of proving you’re a victim.
“And then they’ll lay low for a while, wait for you to clean it up when you find out what’s gone on, and then they’ll reinvest in that compromised document.”
While payment providers work with merchants to address declining conversion rates, customer authentication complexities, and the prevention of declined payments, the individual is left with very little say in the matter.
Fraud is the plague of Ecommerce but SCA doesn’t look like the antidote
Generally speaking, consumers lean toward convenience and innovators often see the clearly defined constraints of regulation as an opportunity to innovate.
Consider Stripe, who have been working on their response to Strong Customer Authentication for two years leading into this latest Payment Services Directive.
Consumers have limited choices when it comes to SCA, as cards remain the dominant payment method in Ecommerce today. But digging to the roots it’s worth considering what still needs to be addressed regarding personal information.
We believe there are two fundamental problems:
- Form fatigue as consumers trust less and expect more convenience.
- Data damages as personal information is increasingly stolen.
While dominant service providers direct resources toward the challenges faced around compliance and conversion, smaller players may have the agility to approach the problem from a completely different angle.
We’ve coined the term #dKYC, meaning don’t Know Your Customer.
Some enabling initiatives may include:
- Decentralised finance — Novel solutions set to challenge conventional commerce.
- Emerging web standards — World Wide Web Consortium’s Payment Request API.
- Privacy technologies — Encryption advancements such as those underway at Veil Labs.
- Device level policy — Forward thinking privacy enhancement by the likes of Apple.
Some argue that Strong Customer Authentication in Europe may spark innovation globally as other markets follow suit, let’s hope the long term burden of personal data exploitation isn’t overlooked in favour of short term gain.
Failing to democratise data may end up being our fundamental flaw, allowing the privacy crisis to get so large it advances beyond our control.
About the authors
Joshua Marriage and Matt Collis are co-founders of Pip — building APIs to optimise how personal information is treated by organisations.
Continue the conversation at pip.cash
Shoutout to ouch.pics for the illustrations.