As the volume of digital transactions continues to increase exponentially, the new strong customer authentication (SCA) rules are – in principle – a step in the right direction.
The regulation acknowledges the need to bolster cybersecurity measures within a broadening threat landscape, holding user safety as paramount.
But, like all good things in theory, there are often some unintended practical consequences.
The new SCA regulation changes the way that customers confirm their identity when making purchases online. They will have to go through an extra layer of authentication to prove who they are directly to their card-issuing bank – rather than the place they are shopping with.
This means proving two out of three things:
Users will likely have seen these come into effect already, where device-based verification is needed via text message or mobile banking app.
The implementation of this multifactor authentication requires businesses and payment service providers to work with tech suppliers to create a smooth, secure process for users.
Of course, if the new protocol works as intended, then the framework it creates will benefit everyone: customers, banks and retailers.
The challenge with the new rules is that they are open to broad interpretation, without being backed by auditable standards. Where the new regulations are implemented well, the difference won’t be particularly noticeable.
But for those companies that aren’t prepared for the changes, it may result in lost business.
However, the early implementation of a new payment protocol is often not particularly seamless and user-experience issues often lead to shoppers dropping off – leaving retailers with lost revenue as a result.
So, if businesses don’t administer SCA properly, we will start to see payments declined, discarded impulse buys when the process takes too long or customers seeking a different route of purchase.
Ironically, given that the banks have just tried to expedite the adoption of ‘off card’ online payments, the SCA requirements make it easier to stick with card-based payments, as the security expectations are easier to work with and the ecosystem has a tried-and-tested response.
For those transactions where a card is not present, SCA will only protect against fraud in certain circumstances. Unfortunately, these payments are exposed to the same sort of attacks we see against other online banking payments, and the rules won’t help someone who has already been compromised.
In some cases, a home user’s computer might have malware on it that captures all the card information as well as the secondary authentication approval, before diverting the payment to a rogue site.
All too often we see instances of these fraudulent sites that appear to operate as legitimate businesses, carefully made to resemble those they are imitating, and that will ship the customer an empty box or a counterfeit in place of the item they thought they’d purchased.
In these instances, they tend to process their payments out of the country and then close down and reopen quickly upon discovery.
The SCA regulation is not a catch-all – it tightens up some areas of payment, but does nothing to protect against some of the most commonly used approaches to financial fraud.
It’s a step in the right direction, but more needs to be done to tackle payment fraud at the source.
Andy Barratt is UK MD of global cybersecurity consultancy Coalfire
This article was taken from Issue 2, 2022 of The Treasurer magazine.