The additional user security that the PSD2 standard introduces, through the 3DS2 protocol for SCA authentication, requires an effective implementation so that customers do not abandon digital purchases out of distrust in a system that is otherwise reliable. In Spain, the resulting economic losses are estimated at tens of billions of euros, with more than a third of purchases at risk.
APIs such as Payments PSD2, from BBVA API_Market, help to design a reliable, fast and seamless connection between systems that builds trust and removes friction, so that the user does not abandon the purchase. These payment gateways also let the merchant check the status of a payment immediately.
What is SCA and why is it mandatory?
SCA stands for Strong Customer Authentication. It is a measure included in the Second Payment Services Directive (PSD2) that aims to reduce fraud and improve the security of online payments.
This measure requires electronic payments to be authorised with multifactor authentication. It is mandatory when a payer accesses a payment account online, initiates an electronic payment transaction, or carries out any action through a remote channel that may imply a risk of payment fraud or other abuses.
The reason is obvious: an important part of PSD2 is aimed at improving user security, especially for users who lack the knowledge to assess the reliability of a system themselves. In other words, the goal is a payment system that is reliable by default, in which insecurity is removed from the equation.
What are SCA measures?
According to PSD2, SCA requires authentication based on two or more elements that belong to different categories and are independent of each other. The categories are:
- knowledge: something only the user knows, such as a password, a PIN or the answer to a security question;
- possession: something only the user has, such as a coordinate card, a cell phone or access to another confirmation system;
- inherence: something the user is, such as a fingerprint or facial recognition.
The system is designed so that the compromise of one element, e.g. theft of a cell phone or a stolen password, does not compromise the reliability of the others or grant access to the system. An attacker would have to take control of several of these elements at once in order to act on our behalf, which SCA makes much less likely. Note that two elements from the same category, such as a password and a security question, do not satisfy SCA, however many of them are asked for.
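As an added example, not code from the original article or from BBVA API_Market, the following Python checks whether a set of presented authentication elements satisfies the two rules above: at least two distinct categories, and independence between the elements. The element catalogue and the "anchor" model (the thing an attacker would need to control to replay an element) are assumptions of this example; the anchor rule is deliberately stricter than the PSD2 technical standards, which allow a single multi-purpose device subject to mitigating measures.

```python
"""Added example (not part of the original article): evaluate a set of
authentication elements against the PSD2 SCA rule of two or more elements
from distinct, independent categories. Element names and anchors are
illustrative assumptions, not a standard list."""

from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"
    POSSESSION = "possession"
    INHERENCE = "inherence"


# Illustrative catalogue (an assumption of this example):
# element type -> SCA category.
ELEMENT_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "coordinate_card": Category.POSSESSION,
    "sms_otp": Category.POSSESSION,
    "app_push": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
}


def categories_of(elements):
    """Return the distinct SCA categories covered by (element_type, anchor) pairs.

    Unknown element types raise instead of being skipped, so a misconfigured
    element name can never silently count as a factor."""
    cats = set()
    for etype, _anchor in elements:
        if etype not in ELEMENT_CATEGORY:
            raise ValueError(f"unknown authentication element: {etype!r}")
        cats.add(ELEMENT_CATEGORY[etype])
    return cats


def evaluate_sca(elements):
    """Evaluate a list of (element_type, anchor) pairs and return (ok, reason).

    anchor names what an attacker would have to control to replay the element,
    e.g. 'memory:user', 'device:phone-1', 'body:user'. If every presented
    element hangs off the same anchor, one compromise defeats all of them, so
    the check fails even when the categories differ (a simplified independence
    rule, stricter than the regulation's treatment of multi-purpose devices)."""
    if not elements:
        return False, "no authentication elements presented"
    cats = categories_of(elements)
    names = ", ".join(sorted(c.value for c in cats))
    if len(cats) < 2:
        return False, f"only one category ({names}); two or more are required"
    anchors = {anchor for _etype, anchor in elements}
    if len(anchors) < 2:
        return False, f"all elements depend on a single anchor {next(iter(anchors))!r}"
    return True, f"SCA satisfied with categories: {names}"


if __name__ == "__main__":
    # Constructed cases, including the two classic failure modes.
    cases = {
        "password + security question": [
            ("password", "memory:user"), ("security_question", "memory:user")],
        "password + SMS OTP on the phone": [
            ("password", "memory:user"), ("sms_otp", "device:phone-1")],
        # Password autofilled from the phone's own password store: stealing the
        # phone yields both the password and the OTP.
        "autofilled password + SMS OTP, same phone": [
            ("password", "device:phone-1"), ("sms_otp", "device:phone-1")],
        "fingerprint + app confirmation": [
            ("fingerprint", "body:user"), ("app_push", "device:phone-1")],
    }
    for label, elems in cases.items():
        ok, why = evaluate_sca(elems)
        print(f"{'PASS' if ok else 'FAIL'} {label}: {why}")
```

The anchor model is the part worth adapting to a real deployment: in practice the issuer decides which combinations of channels and devices count as independent, and that policy, not the category table, is where most SCA design mistakes are made.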
Spain lags behind in SCA implementation
According to the report 'SCA Economic Impact Assessment' (January 2021) by CMSPI, an independent consultancy that works mainly on the payments market and on implementing security improvements, Spain is at the bottom of the European markets analysed in terms of successful SCA implementation. What is going wrong?
A significant number of banks and payment services have not implemented SCA and, where they have, the customer experience is often poor. One technical problem in particular appears to be the culprit: the 3DS2 protocol and the difficulty of implementing it.
After an extension, from 1 January 2021 banks issuing payment cards in Spain have been obliged to apply SCA under the 3D-Secure 2 (3DS2) authentication protocol. The protocol is a security improvement over 3DS1 and is also meant to reduce friction at the time of payment. Unfortunately, its deployment is proving difficult.
Several related studies, one by Amazon, one by Microsoft and a third by Unnax, point out that, despite the extension granted to the payments industry for SCA implementation, up to 59% of transactions could fail for various reasons. That is, they would not be completed, which would mean 20.2 billion euros in lost sales in 2021.
CMSPI puts the figure at 12.33 billion euros for 2020, attributing it both to issuers' technical problems and to a lack of user education. Users need to understand the rationale for the protocols, without needing to know the protocol itself. Besides being in place, protocols need to inspire trust, and so far they do not seem to.
Slowness and mistrust are the two major barriers to SCA
Spain has the second highest failure rate of all the European markets analysed by CMSPI, behind only Italy, in the percentage of card transactions at risk of not going through.
The failure rate is around 36% (Italy, at 38%, and Germany, at 33%, complete the top three), and the report highlights the lack of card issuer readiness and the problems gateways have in integrating with stores. From the user's point of view, abandonment is mainly due to two factors:
- Slowness of the secure payment system. When users pay through a bank-based service, they expect the payment page to load and the payment to complete quickly. However, some payment gateways use technology that is too slow, or forms that slow down the process. In a world in which we want everything now, impatience translates into significant economic losses.
- Distrust in the system. At the same time, payment channels often prompt the user to open pop-up windows, or load visually dissonant environments whose look and feel differs from that of the shopping site or app. This raises doubts among users, who question whether their data will be secure.
These doubts are legitimate and welcome in a digital environment where caution is warranted and scams are still rife. Teaching customers to recognise a legitimate secure gateway is as much a part of digital education as teaching them to detect scams.
The result in both cases is usually abandonment of the purchase in around 25% of cases, the European average: tens of billions of euros a year in unrealised purchases.
APIs such as Payments PSD2, which integrate the payment process within the checkout flow, are a smart way to gain user trust. This and the other APIs are available on BBVA API_Market, an innovation environment that aims to enable companies to take advantage of technology in the banking environment.