Strong Customer Authentication (SCA) arrived on the 14 September 2019 as part of the second Payment Services Directive (PSD2) and you may have seen it starting to impact your contactless payments.
Unfortunately, not everyone was ready to comply with the requirements of the Article 11 exemption (Contactless Payments at Point of Sale) in the Regulatory Technical Standards on Strong Customer Authentication and Common & Secure Communication (SCA-RTS).
In light of this, the FCA has stated that it understands that there may be a period of adjustment to ensure minimal disruption, but has urged the industry to comply as quickly as possible, and certainly by no later than 14 March 2020 for contactless payments.
For more information the FCA latest guidance can be found at: Strong Customer Authentication – Contactless Payments at Point of Sale (Article 11)
“After 14 March 2020, failure to comply with the requirements for SCA in contactless transactions will be subject to full FCA supervisory and enforcement action as appropriate”.
Financial Conduct Authority
Now is the time to act and not kick the can down the road as the deadline is rapidly approaching:
days
hours minutes seconds
until
Compliance Date
Time for a recap?
Article 11 exemption (Contactless Payments at Point of Sale) in the Regulatory Technical Standards on Strong Customer Authentication and Common & Secure Communication (SCA-RTS) is a very complex subject so perhaps a recap on my blog (partially updated) of the 15 September would be helpful.
First things first
This blog post is not: an in-depth analysis of the minutiae of SCA and PSD2 – there are many others who can provide a much better explanation and analysis of these two things.
This blog post is (or at least tries to be): a simple explanation of some payment disruption that we all will probably experience in shops in the coming days when you try and make a contactless payment.
For clarity, let me repeat that last point.
The rest of this blog looks at the impact on contactless payments from the perspective of a consumer.
What is changing?
On the 14th September new requirements were introduced in Europe (forget Brexit – this includes the UK) for authenticating on-line payments.
It’s called Strong Customer Authentication (SCA) and is part of the second Payment Services Directive (PSD2).
What is Strong Customer Authentication (SCA)?
SCA is a regulatory requirement that is seeking to make online payments more secure and reduce fraud.
This means that places you buy things from have to authenticate you with at least two of the following three items:
– Something you know (eg password or pin)
– Something you have (eg phone or token)
– Something you are (eg finger print or facial recognition).
What is happening?
Over the coming weeks your bank will have to start declining payments that require SCA and don’t meet the criteria listed above.
Banks haven’t started this straight away or are they introducing it at the same time but you will soon see changes to the way you make a whole host of payments.
Different payment types are in and out of scope – remember this is a simple explanation of what will happen when you make contactless payments.
Some of your contactless payments will be declined – even if you have money in your bank account
Payments treated as contactless in the UK (i.e. below £30) are treated as ‘low value’ and exempted from SCA.
However, unfortunately, the exemption is limited.
When you have used a contactless payment option a certain number of times and / or when the sum total of payments exceeds a certain amount your card issuer will need to request that you authorise the payment. Your bank will decide the exact ‘trigger’ point.
This authorisation may be ‘triggered’ by your contactless payment being declined and the payment will have to be authorised by inserting your card in the machine and entering your PIN.
This will authorise the payment and enable you to make contactless payments against (until you next trigger the authorisation thresholds).
The machine may not instruct you to insert your card in the machine and the shop assistant may not know that the decline message on the terminal is the trigger for you to make the payment via the more traditional CHIP & PIN method.
Don’t be embarrassed when this happens to you – but you may need to explain what is happening to the shop assistant!
Exceptions to the rule
As you would expect there are some exceptions, this is a simple explanation so just two examples to illustrate:
– unattended payment machines like public transport barriers will still work even if you have breached the authentication threshold.
And
– Contactless payments made by digital wallets such as ApplePay are unaffected.
One last thing
This blog only seeks to provide a simple explanation on the impact of Strong Customer Authentication (SCA) on contactless payments.
Remember: If your contactless payment is declined then insert your card in the machine and use your PIN – then you can revert back to contactless payments.
….Or use a digital wallet like ApplePay to avoid this payment friction
In providing a simple explanation the expert will respond by stating that ‘I think it is a lot more complicated than that’.
Of course it is, but hopeful this simple explanation for contactless payments will be a first step in getting to grips with SCA!
Don’t forget that there are many other online payment types that are being impacted (disrupted) the impact of SCA .
A final point – don’t forget this initiative is trying to compact payment fraud, which is a good thing (right)!