The European Banking Authority has agreed to allow limited exemptions to ‘strong customer authentication’ (SCA) requirements in its new retail payments standards directive.
Businesses had lobbied against clunky two-factor authentication requirements that could have marked the end of very simple payment experiences such as Uber and Amazon One Click.
The new standards, published on Thursday, allow an SCA waiver for online transactions of up to €30. They also allow for “transaction risk analysis” to be used instead of SCA for even higher values where a payment service provider (PSP), merchant and bank can agree among themselves on appropriate authorisation methods that minimize fraud.
The exemption based on transaction risk is subject to review after 18 months of the rules applying, and only applies to remote transactions below a specific threshold ranging between €100 and €500, depending on the merchant’s fraud rate. Any liabilities under this waiver (like fraud) are likely to become the responsibility of retailers or PSPs, not banks.
FinTechs will also be permitted by the rules to access interfaces developed by banks in the same way that clients do, in a bid to avoid the firms being shut out of access to client data.
Payments expert Lu Zurawski told Retail Risk News that the transaction-risk-based exemption “is not a bad trade-off for many retailers who place a high value on ‘conversion’ and ‘low friction’ check-out processes”.
“It’s not yet clear what retailers, PSPs and banks are going to be allowed to arrange,” said Zurawski, Consumer Payments Solutions Practice Lead at electronic payment systems and banking solution provider ACI Worldwide.
“But what is likely are arrangements that allow them to decide when they have enough information about a transaction if, for example, they have dealt with the customer before.”
“Customers as well as retailers should benefit from the revised directive because it encourages competition in payment services and, with the exemptions, friction-free check-out experiences should be possible.
“Possible losers from the directive will be retailers or PSPs who take on liabilities without having guarded against the risks.”
Despite one of its aims being to protect consumers, the directive might introduce additional risks by making payments more complicated, Zurawski suggested, perhaps giving online fraudsters more leeway to intrude on transactions.
“There’s so much going on in the world of online payments that we may be reaching a ‘Green Cross Code’ moment, in other words, there is scope for meaningful education for consumers and retailers on the changing payments landscape and what is required to protect people’s digital data,” he said.