The Retailer Spring_09.05_FA


NEWS FROM THE BRC

Readiness for Strong Customer Authentication

Andrew Cregan, Head of Payment Policy, British Retail Consortium

Without a smooth and successful implementation by the industry, there is significant risk that Strong Customer Authentication (SCA) will lead to disruption and an adverse impact on consumer confidence in retail payments. Many businesses lack awareness of the changes that SCA will bring to payment processes, and the absence of a UK-wide consumer communications plan, such as the one that supported the roll-out of chip-and-pin in 2006, is cause for concern.

So far, merchants have been advised to discuss SCA readiness with their acquirers and bank equipment manufacturers and to have a version of 3D Secure in place for online transactions, but further, more detailed communication is lacking. Any communications plan has been stalled by a lack of clarity and consistency emanating from UK payment system providers on the technical infrastructural upgrades required, the application of SCA exemptions for certain transactions, and the detail of how important solutions like 3D Secure will be employed. Merchants have worked in partnership with UK Finance, card schemes, and other payment service providers to resolve the many outstanding issues; however, progress has been slow.

The approaching cliff edge

Most online purchases in the UK are made by credit or debit cards. Following the 14th September deadline, it is unlikely that a business will be able to receive payment for goods or services by card without a version of 3D Secure (i.e. Verified by Visa, Mastercard SecureCode, AmEx Safekey). And, since it’s not an overnight solution, merchants will need to plan and prepare well ahead of the September deadline to continue operating.

All online trading businesses must understand that they are likely to need 3D Secure, and all businesses and consumers need to know how to use it. However, public information remains limited on 3D Secure, how it works, and what to do if or when it doesn’t work. For example, what information will customers receive to complete a payment with 3D Secure? How will it be delivered? What is the risk of it being intercepted and what steps can be taken to prevent it? What are the functions and requirements of each version of 3D Secure across important factors like speed, conversion, or exemptions? Can customers choose what information they receive and how they receive it? Are there defaults in place for when things go wrong (for example, technical or accessibility issues)? What options are open to businesses in the case of system failures depending on where those system failures lie? Similarly, what protocols are in place to ensure operational resilience? Are any of these being applied consistently by payment system providers? How will all this be communicated to businesses and consumers?

Exemptions

Exemptions could apply to certain types of transactions, removing the need for SCA. However, further clarification is required today on how each of these will be applied:

• Transaction Risk Analysis (TRA) involves a series of behind the scenes measures to check that customers are who they say they are, measures that could replace SCA in some situations. Whilst several payment service providers have given advice, it is card issuers that ultimately decide to ‘step-up’ a transaction for SCA, and it has been very unclear whether this will be applied consistently across payment service providers;

• ‘Whitelisting’ is a tool that customers could use to register merchants as trusted beneficiaries, but it is very unclear how this process will work and whether this will be applied consistently across payment service providers. In any case, it has been suggested that this exemption can only be applied whereby businesses have a specific version of 3D Secure;

• Merchant Initiated Transactions (MITs) are not subject to SCA after the first transaction, yet it has been very unclear as to what constitutes an MIT and whether this will be applied consistently across payment service providers.

Case Study – an online grocery model: Customers can add and take away from their baskets as little or often as they like until 11 am the night before delivery – the retailer will never know the last time changes are made; thus, under dynamic linking rules, the retailer would have to SCA authorise every time a change is made. This would be highly onerous itself but, with variable weight items being picked for deliveries at 4 am, the practice is unable to continue in any case. A percentage tolerance is a proposed solution but not universally accepted.

Face-to-face transactions

The impact on face-to-face transactions is limited because contactless transactions (max. GBP 30) fall below the threshold to which SCA applies, whilst chip-and-pin and Higher Value Payments with a phone or wearable device are already SCA compliant; however, some older Pin Entry Devices (PEDs) may be affected. Merchants are yet to receive clear information from their acquirers or terminal providers on what changes they will be required to make to payment terminals, and what changes they may choose to make.


36 | spring 2019 | the retailer
