June 9, 2021

The Financial Conduct Authority (FCA) has extended its Strong Customer Authentication (SCA) deadline by six months. The new deadline is 14 March 2022, which is expected to be the final deadline for full SCA compliance in the UK.

The FCA says the extension is to “ensure minimal disruption to merchants and consumers”, as e-commerce merchants across Europe have faced difficulty implementing multi-factor authentication without impacting revenue and customer experience. E-commerce merchants in France and Spain have experienced an average 25% reduction in conversion rates.

So how can e-commerce merchants, payment providers, and banks implement SCA without damaging the customer experience?

The answer is biometric face authentication. iProov’s face authentication provides the ‘something you are’ factor as a non-intrusive, passive method for authenticating an online individual and preventing fraud. It’s secure, convenient, inclusive, and maximizes user privacy. There’s no password to remember, no SMS code to copy over, no card reader or other hardware token to carry around — just a brief facial scan using the user-facing camera on any device.

How is Strong Customer Authentication impacting consumers?

In simple terms, the change looks something like this:

Scenario 1, without SCA: An online shopper wants to purchase an item. They go to checkout, log in or register for an account, and enter their card details. The payment provider authorizes the payment and the purchase is complete. For the consumer, it’s relatively simple. The problem is in the lack of security; anyone could be using that credit or debit card, and online fraud is increasing.

Scenario 2, with SCA: This time the online shopper enters their card details as above, but the purchase is not yet complete. They must also provide another factor to confirm the payment is not fraudulent. Many payment providers and merchants are combining ‘something you know’, such as a password or the phone’s passcode, with ‘something you have’, such as a one-time passcode (OTP) sent to a mobile device. Only after completing the additional authentication is the purchase complete.

From a consumer’s point of view, it’s easy to see why the additional steps involved in Strong Customer Authentication could be inconvenient. Having to remember something or switch device can cause a break in the process and cause an individual to abandon their transaction.

How can face biometrics simplify Strong Customer Authentication?

Banks, payment providers, and merchants can use face verification and authentication to deliver secure, effortless Strong Customer Authentication.

Let’s return to our Scenario 2 above. Instead of sending an OTP to the customer every time they make a payment, the payment provider or merchant can instead use iProov to authenticate the customer using face verification. The customer is enrolled the first time they go through the process, meaning every subsequent authentication will be entirely passive, requiring little to no effort from the user.

iProov’s highly secure biometric face authentication technology, Dynamic Liveness, has been designed to combine security with effortless usability and is ideal for Strong Customer Authentication.

What are the benefits of iProov face biometrics for Strong Customer Authentication?

  • The transaction stays on one device: In Scenario 2, a user making a purchase on a desktop computer or laptop would have to have their mobile phone to hand to receive an OTP and copy the code across to complete the transaction. With iProov, the face authentication takes place on the same device, whether it’s a mobile phone or a computer. This means there’s less disruption for the customer and less chance of them abandoning their basket.
  • It provides passive authentication for a simple user experience: This is a huge advantage — the user does not have to type anything, move themselves or their device, or read out words to complete the strong authentication. The user looks at the device, the device looks back, and the authentication is complete.
  • It’s secure: The goal of SCA is to eliminate online fraud with greater security for payments. iProov offers the highest levels of security, enabling payment providers and merchants to confirm that an individual is the right person (not an imposter), a real person (not a photograph or mask), and that they are authenticating right now (not a deepfake or other synthetic media used in a digitally injected attack). That’s why the world’s most security-conscious organizations, including the UK Home Office, use iProov’s facial verification technology to deliver a safe yet effortless user experience.
  • It’s out of band: iProov’s authentication takes place in the cloud. This means that the authentication is on a different ‘band’, or channel, from the device that the individual is using. In Scenario 2 above, if the user’s device has been compromised then the first factor (a password) and the second factor (an OTP sent to a device) could be accessed by a fraudster. iProov assumes that the device has been compromised and completes the authentication securely and privately in the cloud so it is independent of the device being used. This also means that if a user loses or upgrades their device, they do not have to go through an identity recovery process.

What is Strong Customer Authentication? SCA Explained

All merchants and payment providers will need to implement multi-factor authentication for remote transactions, with a few exceptions. When completing a remote transaction, the user must provide two or more of the following:

  • Something the user knows, such as a password, PIN, or personal information
  • Something the user possesses, such as a mobile device or card reader
  • Something the user is, such as face verification or other biometric

This means that for European consumers, a card number and CVV/CVC code will no longer be enough to make a purchase online.

You can read a more in-depth explanation on SCA from iProov here.

The Strong Customer Authentication extension/delay: a summary

  • The Financial Conduct Authority (FCA) has extended its deadline for the implementation of Strong Customer Authentication (SCA) in the UK to 14 March 2022.
  • Merchants must require customers to authenticate themselves using two or more elements of knowledge, possession, or inherence for payments to be SCA-compliant.
  • This extra step in the online payment process is impacting revenue and conversion rates in parts of Europe, hence the additional delay in the UK.
  • Dynamic Liveness provides the most secure, inclusive and effortless way to authenticate customers using the ‘something you are’ factor. 

To see how iProov can help your business deliver Strong Customer Authentication, while offering an effortless user experience and highest level of security, book your demo here or contact us.

Image detailing Strong Customer Authentication guidance and solutions: Something you know, have or are.