9 June 2021
The Financial Conduct Authority (FCA) has extended its Strong Customer Authentication (SCA) deadline by six months. The new deadline is 14 March 2022, which is expected to be the final deadline for full SCA compliance in the UK.
The FCA says the extension is to “ensure minimal disruption to merchants and consumers”, as e-commerce merchants across Europe have faced difficulty implementing multi-factor authentication without impacting revenue and customer experience. E-commerce merchants in France and Spain have experienced an average 25% reduction in conversion rates.
So how can e-commerce merchants, payment providers, and banks implement SCA without damaging the customer experience?
The answer is biometric face authentication. iProov’s face authentication provides the ‘something you are’ factor as a non-intrusive, passive method for authenticating an online individual and preventing fraud. It’s secure, convenient, inclusive and maximizes user privacy. There’s no password to remember, no SMS code to copy over, no card reader or other hardware token to carry around — just a brief facial scan using the user-facing camera on any device.
In simple terms, the change looks something like this:
Scenario 1, without SCA: An online shopper wants to purchase an item. They go to checkout, log in or register for an account, and enter their card details. The payment provider authorizes the payment and the purchase is complete. For the consumer, it’s relatively simple. The problem is the lack of security; anyone could be using that credit or debit card, and online fraud is increasing.
Scenario 2, with SCA: This time the online shopper enters their card details as above, but the purchase is not yet complete. They must also provide another factor to confirm the payment is not fraudulent. Many payment providers and merchants are combining ‘something you know’, such as a password or the phone’s passcode, with ‘something you have’, such as a one-time passcode (OTP) sent to a mobile device. Only after completing the additional authentication is the purchase complete.
From a consumer’s point of view, it’s easy to see why the additional steps involved in Strong Customer Authentication could be inconvenient. Having to remember something or switch device can break the process and lead an individual to abandon their transaction.
Banks, payment providers, and merchants can use face verification to deliver secure, effortless Strong Customer Authentication.
Let’s return to our Scenario 2 above. Instead of sending an OTP to the customer every time they make a payment, the payment provider or merchant can use iProov to authenticate the customer using face verification. The customer is enrolled the first time they go through the process, meaning every subsequent authentication will be entirely passive, requiring little to no effort from the user.
iProov’s highly secure biometric face authentication technology, Genuine Presence Assurance, has been designed to combine security with effortless usability and is ideal for Strong Customer Authentication.
All merchants and payment providers will need to implement multi-factor authentication for remote transactions, with a few exceptions. When completing a remote transaction, the user must provide two or more of the following:
This means that for European consumers, a card number and CVV/CVC code will no longer be enough to make a purchase online.
You can read a more in-depth explanation on SCA from iProov here.