What to remember when implementing SCA
Fred O'Connor | January 23, 2020
As businesses work to implement PSD2’s strong customer authentication (SCA) component by late 2020 (or even earlier for some U.K. firms that offer online banking), there’s a key group to keep in mind: customers. With banks, payment providers and merchants all trying to figure out how to comply with SCA, their focus may be more on meeting the requirement and less on which two-factor authentication method provides customers with a superior online checkout experience. (Looking for an SCA primer? Read this blog.)
But forgetting about the customer can impact the bottom line, warned Alaistair Anderson, a banking industry consultant who’s previously held executive roles at HSBC and Nordea. Customers vote with their wallets and may take their business elsewhere if completing online purchases under SCA proves too burdensome.
“If you negatively impact user experience and authentication, you can expect your customers to find another vendor,” he said.
He noted that people have many options for which merchants to buy from and which banks and credit cards to use. If any of them fail to implement SCA in a customer-friendly way, people will switch to one that provides a more positive experience.
“I would describe people as Teflon because they just don’t stick,” Anderson said. “They are so transient with services. If they find a service that works for them with a minimum amount of friction, or they don’t even know that it’s happening, that vendor has a customer for life.”
Implementing SCA has proved challenging for organizations, resulting in European regulators extending the regulation’s deadline to Dec. 31, 2020 from Sept. 14, 2019. Retailers were especially concerned since botching SCA could impact the checkout process and cause cart abandonment. A study from Deloitte found that maintaining a positive user experience when applying SCA was the top concern among businesses, including retailers.
Organizations should prepare for more confusion as European countries deal with the various governmental, regulatory, cultural and language nuances around SCA in the coming months. The good news: more organizations are planning to implement SCA and treating Dec. 31 as a firm deadline.
How to implement SCA in a customer-friendly way
Getting two-factor authentication right is crucial for ensuring that SCA doesn’t disrupt the checkout process, Anderson said. That means selecting the right combination of elements for two-factor authentication. Those elements are:
- knowledge (something only the person knows, like a password)
- possession (something only the person has, like a smartphone)
- inherence (something that the person is, like a biometric)
People have grown accustomed to Amazon’s one-click ordering and expect any online purchasing experience to be as effortless. Choosing certain authentication elements could impede the checkout process, Anderson said in a webinar on how organizations can best comply with the mandate.
“The old world of keycards and tokens and PIN numbers and passwords and different pieces of plastic does not match the expectations of most consumers. They’re looking for something that is completely immersed within the e-commerce experiences they have. Today, that is more often than not a mobile. You should bear this in mind when you look at your implementation of SCA,” he said.
Using biometrics and smartphones to provide SCA and a seamless checkout experience
One way to meet the SCA mandate while providing a smooth checkout experience is to have people use their biometrics and smartphone for passwordless authentication. This approach doesn’t involve remembering passwords or searching emails and text messages for one-time passwords. The requirement for two-factor authentication is met by using something customers have (their smartphone) with something they are (their fingerprints).
“People are looking for an experience that can be realized through one hand. If you have a mobile device, you don’t even need to type with two fingers. You can use just one. You should aim to take care of two-factor authentication with one device,” Anderson said.