Strong Customer Authentication (SCA): The True Cost Might Shock You

@satoshua (Joshua Marriage): blockchain-exploring privacy pundit in search of surveillance-free satoshis.

This article was co-authored by Joshua Marriage and Matt Collis, co-founders of Pip — a Sydney based startup empowering developers with APIs that optimise how personal information is treated by organisations.

What is Strong Customer Authentication?

Strong Customer Authentication, or SCA, is a new European regulatory requirement introduced under the second Payment Services Directive (PSD2). It is intended to reduce fraud by mandating additional authentication for online payments, which Ecommerce merchants must implement if they want their customers' payments approved.

Online shoppers must now complete at least two of three independent authentication factors to avoid their payments being declined. The factors must come from different categories; two items from the same category (a password plus a security question, for example) count as one. The categories are:

Something the customer knows (e.g. a password)

Something the customer has (e.g. a registered device)

Something the customer is (e.g. biometrics)
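As an added illustration of the two-of-three rule (this is example code written for this article, not part of any SCA implementation or standard), the check below maps each piece of evidence a checkout collects to one of the three categories and only passes when two distinct categories are covered. The evidence names and the mapping are assumptions for the example; the point it makes is that stacking two items from the same category does not satisfy SCA.

```python
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories."""
    KNOWLEDGE = "something the customer knows"
    POSSESSION = "something the customer has"
    INHERENCE = "something the customer is"


# Hypothetical mapping from the evidence a checkout can collect to its
# SCA category. The names are assumptions for this example.
EVIDENCE_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "otp_on_registered_device": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face_scan": Factor.INHERENCE,
}


def categories_covered(evidence):
    """Map each piece of presented evidence to its category.

    Unknown evidence types are rejected rather than silently ignored, so a
    misconfigured checkout fails closed instead of passing SCA by accident.
    """
    covered = set()
    for item in evidence:
        try:
            covered.add(EVIDENCE_CATEGORY[item])
        except KeyError:
            raise ValueError(f"unknown evidence type: {item}") from None
    return covered


def satisfies_sca(evidence):
    """True if at least two independent categories are covered.

    Two items from the same category (password plus security question)
    are both 'something the customer knows' and count as one factor.
    """
    return len(categories_covered(evidence)) >= 2


def step_up_options(evidence):
    """Categories that would complete SCA for an attempt that falls short,
    so the checkout can prompt for the right kind of extra evidence."""
    if satisfies_sca(evidence):
        return set()
    return set(Factor) - categories_covered(evidence)


if __name__ == "__main__":
    print(satisfies_sca(["password", "otp_on_registered_device"]))   # True
    print(satisfies_sca(["password", "security_question"]))          # False
    print(step_up_options(["password", "pin"]))
```

A real checkout would also have to bind the factors to the specific amount and payee (PSD2 calls this dynamic linking), which this category check does not attempt.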

The new rules went live on September 14, 2019, and according to analyst firm 451 Research, in a report commissioned by Stripe, Europe’s online economy stands to lose €57 billion in the first year.

SCA-style regulation is expected to spread beyond Europe, and worldwide Ecommerce consumer spending is set to exceed $4.9 trillion by 2021.

As fraudsters prove time and time again that they can get a stranglehold on every aspect of our digital selves, it's clear the true cost of Strong Customer Authentication has been grossly underestimated.

Is payments fraud really that big of a deal?

According to Juniper Research, annual online payment fraud is expected to reach US $48 billion by 2023, fueled by the compounding problems of data breaches and the resulting theft of personal information.

In response, Ecommerce will attract US $9.6 billion in annual spending on Fraud Detection and Prevention (FDP) measures from payment service providers and financial institutions.

As fraud prevention increasingly centres on real-time behavioural biometrics and analysis, merchants and consumers must navigate a set of competing forces, including:

Speed vs Security

Friction vs Fraud

With mobile now accounting for more than half of Ecommerce spend, there's growing concern that savvy fraudsters will turn their focus to emerging payment trends, such as the 60% of Americans using services like Venmo and Zelle.

“I know of one bank that was experiencing a 90 percent fraud rate on Zelle transactions, which is insane.”

Bad actors will continue to find ways around regulatory rigour: moving to mobile, and hijacking AI-driven customer experiences with automated impersonators (imposter bots) that take over accounts, blurring the line between the convenience consumers expect and the exposure they get.

An immediate impact on merchants

As payment service providers scramble to ease the pain of compliance, merchants face lower consumer tolerance for checkout friction.

Only 47% of today’s European consumers describe checkout processes as ‘very easy’ while around 75% of them have abandoned an online purchase due to a bad checkout experience. Furthermore, over half of online shoppers who abandon their cart end up completing their purchase with another merchant.

While consumers already expect fast page loads, mobile optimised interfaces and autofilled checkout forms, as few as 27% of online shoppers are even aware of the Strong Customer Authentication requirements.

Even if SCA turns out to be Europe's most impactful disruption to digital merchants yet, a first-year loss of €57 billion could pale in comparison to the liability of being responsible for consumers' personal information.

For example, businesses such as hotels, online retailers and social networks were liable for three and a half billion personal identity files stolen during the first half of 2018.

Leading into 2023, experts are expecting that figure to grow by 22.5% a year.

Are consumers becoming more liable for fraud?

Credit card payments include merchant fees, a portion of which serve as funding for customer refunds in the event of fraud. But there’s an emerging view that additional authentication requirements will disproportionately shift liability onto the consumer.

Historically, personal information has been collected to validate that the person making a card payment is its rightful owner. Unfortunately this means merchants have assembled exactly the payloads hackers value most, and done the collecting for them.

In a recent study, Shape Security found that 80–90% of login attempts on Ecommerce websites are in fact attackers (or their armies of bots) replaying stolen credentials. The problem continues to worsen, as account takeover (ATO) is one of the fastest growing fraud tactics, especially as hijacked mobile phone accounts become more common and let an attacker intercept the one-time codes sent by SMS.

No longer does the threat end with a maxed out credit card: an ATO can allow the draining of checking, savings and retirement accounts.

Cyber-criminals find ways to intercept the additional layers of authentication, and once they do, fraudulent activity becomes harder to detect, because subsequent transactions from the authenticated session are trusted and appear legitimate.

Fraud detection systems are becoming more complex in design and operation, delving deeper into real time monitoring of consumer behaviour. They aim to connect the dots, detect anomalies and identify behaviours that may signal higher risk of fraudulent activities.
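As an added example for the two points above (credential stuffing as the bulk of login traffic, and fraud detection that looks for anomalies in behaviour rather than trusting an authenticated session), the detector below is written for this article and is not code from any fraud detection product. It parses a constructed authentication log in a hypothetical `timestamp ip= user= result=` format, flags any source address that tries many distinct accounts in a short window with mostly failures (each stolen username and password pair is tried once, so the attacker's address looks very different from a real user's), and then lists the accounts that were successfully logged into from such an address, since those are the sessions that will look legitimate afterwards. The log lines, thresholds and window are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system). One
# address cycles through many accounts with mostly failures, the classic
# credential stuffing shape; a second address is a normal user who
# mistypes a password once.
SAMPLE_LOG = """\
2019-09-14T10:00:01Z ip=203.0.113.7 user=alice result=fail
2019-09-14T10:00:02Z ip=203.0.113.7 user=bob result=fail
2019-09-14T10:00:02Z ip=203.0.113.7 user=carol result=fail
2019-09-14T10:00:03Z ip=203.0.113.7 user=dave result=fail
2019-09-14T10:00:03Z ip=203.0.113.7 user=erin result=success
2019-09-14T10:00:04Z ip=203.0.113.7 user=frank result=fail
2019-09-14T10:05:00Z ip=198.51.100.9 user=alice result=fail
2019-09-14T10:05:20Z ip=198.51.100.9 user=alice result=success
"""

# Hypothetical line format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_log(text):
    """Parse the assumed 'ts ip= user= result=' format into event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore malformed lines instead of crashing the detector
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "success",
        })
    return events


def credential_stuffing_sources(events, window=timedelta(minutes=5),
                                min_users=5, min_fail_rate=0.6):
    """Flag source IPs that, within `window`, attempted at least `min_users`
    distinct accounts with a failure rate of at least `min_fail_rate`.
    Returns {ip: {"distinct_users": n, "fail_rate": r}} for flagged sources."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward so span covers at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            fails = sum(1 for e in span if not e["ok"])
            fail_rate = fails / len(span)
            if len(users) >= min_users and fail_rate >= min_fail_rate:
                flagged[ip] = {"distinct_users": len(users),
                               "fail_rate": round(fail_rate, 2)}
                break  # one qualifying window is enough to flag this address
    return flagged


def accounts_to_step_up(events, flagged_ips):
    """Accounts that logged in successfully from a flagged address. The
    resulting session looks legitimate to downstream checks, so this is
    where to force re-authentication rather than trust the session."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in flagged_ips})


def run_detection(text=SAMPLE_LOG):
    """Run both stages over a log and return (flagged sources, accounts)."""
    events = parse_log(text)
    flagged = credential_stuffing_sources(events)
    return flagged, accounts_to_step_up(events, flagged)


if __name__ == "__main__":
    flagged, suspects = run_detection()
    print("credential stuffing sources:", flagged)
    print("accounts needing step-up:", suspects)
```

On the sample log the single attacking address is flagged after five distinct accounts with four failures, and `erin`, whose stolen credentials worked, is the one account to step up. Real deployments would key on more than the source address (attackers rotate through proxies), but the shape of the signal, many accounts and a high failure rate from one origin, is the same.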

If fraudsters rise to the challenge of Strong Customer Authentication and merchants are no longer effectively funding the refund of fraud, then the system may no longer be able to compensate the victims of sophisticated scams.

Shouldn’t we be putting the customer first?

SCA already adds friction to the customer experience at the checkout, but the true cost to consumers after the checkout is so often underestimated.

Despite best efforts to secure and protect personal information, the individual is required to trust countless third parties to do so.

Take for instance the additional steps of 'Know Your Customer' (KYC) requirements, intended to assure the service provider that it knows who you are. Large scale KYC data breaches have meant that documents as sensitive as driver's licences have been scooped up by identity thieves.

Consider the life shattering moment for a hard working mother of two, when her driver’s licence, known as the ‘golden ticket’ to hackers, fell into nefarious hands.

The magnitude of fraud can be devastating and the impact never-ending, with lines of credit drawn, credit ratings hurt, many hours wasted dodging debt collectors and no easy way of proving you're a victim.

“And then they’ll lay low for a while, wait for you to clean it up when you find out what’s gone on, and then they’ll reinvest in that compromised document.”

While payment providers work with merchants to address declining conversion rates, customer authentication complexities, and the prevention of declined payments, the individual is left with very little say in the matter.

Fraud is the plague of Ecommerce but SCA doesn’t look like the antidote

Generally speaking, consumers lean toward convenience and innovators often see the clearly defined constraints of regulation as an opportunity to innovate.

Consider Stripe, who have been working on their response to Strong Customer Authentication for two years leading into this latest Payment Services Directive.

Consumers have limited choices when it comes to SCA, as cards remain the dominant payment method in Ecommerce today. But digging to the roots it’s worth considering what still needs to be addressed regarding personal information.

We believe there are two fundamental problems:

Form fatigue, as consumers trust less and expect more convenience.

Data damages, as personal information is increasingly stolen.

While dominant service providers direct resources toward the challenges faced around compliance and conversion, smaller players may have the agility to approach the problem from a completely different angle.

We’ve coined the term #dKYC, meaning don’t Know Your Customer.

Some enabling initiatives may include:

Decentralised finance: novel solutions set to challenge conventional commerce.

Emerging web standards: the World Wide Web Consortium's Payment Request API.

Privacy technologies: encryption advancements such as those underway at Veil Labs.

Device level policy: forward thinking privacy enhancement by the likes of Apple.

Some argue that Strong Customer Authentication in Europe may spark innovation globally as other markets follow suit; let's hope the long term burden of personal data exploitation isn't overlooked in favour of short term gain.

Failing to democratise data may end up being our fundamental flaw, allowing the privacy crisis to get so large it advances beyond our control.

About the authors

Joshua Marriage and Matt Collis are co-founders of Pip — building APIs to optimise how personal information is treated by organisations.

Continue the conversation at pip.cash

Shoutout to ouch.pics for the illustrations.
