Deep Dive: Retailers Face Mobile Authentication Challenges Under SCA

eCommerce moves to comply with SCA rules

SCA may have arrived on the payments scene, but questions remain regarding its exact authentication requirements. The overarching rule is simple enough: Consumers who make purchases online or use contactless payments in stores must be authenticated with 2FA. Merchants and payment providers are already encountering challenges when actually applying such measures, however, especially on mobile devices.

Many in the payments industry are turning to SMS and other forms of mobile notifications for authentication under SCA. Typical use could look like a customer making an online purchase and then being asked to enter a secure code that was texted to his or her mobile phone. Relying on mobile phones for authentication in this manner easily satisfies two out of SCA’s three requirements for enhanced verification: something that customers have and something they know. The third category, inherence, relies on something that is part of the customer, such as a fingerprint or other biometric identifier.

Truly making that experience as quick and convenient as it needs to be is trickier than it sounds for several reasons, such as sparse mobile phone network coverage in certain countries, changing online shopping preferences and mobile-related security weaknesses.

Some of these challenges are out of payment providers’ and merchants’ hands, as they have no control over the phone networks in their countries, for example. These entities are still responsible for ensuring that consumers are authenticated properly under SCA, however, which means many are looking for solutions that resolve mobile authentication issues.

Smartphones’ physical hardware security flaws have become an area of great interest now that SCA is in effect, and the ways that online and contactless payments are currently authenticated are also coming under more scrutiny. Merchants and payment providers must also be wary of mobile fraud schemes such as SMS malware and other weaknesses, while still keeping authentication processes as seamless as possible.

Mobile verification challenges and benefits

All online transactions over €30 ($33 USD) are subject to SCA, which means customers and merchants alike will be spending a lot more time authenticating purchases. Using a smartphone to simplify part of what will become a routine experience means customers can use familiar devices that already satisfy the SCA authentication category of possession. Mobile phones are almost always with their owners and also represent an increasingly popular method for shopping, enabling convenient authentication for simple purchases.

Mobile authentication provides necessary convenience to the process, but there are still kinks to work out. Germany has already found that SMS messages are not secure enough for customer verification under SCA, and multiple German banks have already dropped SMS-based one-time passcodes for this purpose. The move was partially due to SCA but was also enacted in response to the rise of SIM swapping, an SMS fraud technique in which bad actors trick telecommunication providers into linking existing phone numbers to new SIM cards.

Banks in other countries have also moved on from SMS messages, relying instead on applications to better communicate with customers. U.K. challenger bank Monzo will now send in-app notifications to customers should their contactless payments be declined. Even this is not a catch-all solution for FIs that want to bring mobile phones into the authentication process, however, as not every consumer uses mobile banking apps. Approximately 30 percent of an unnamed U.K. bank’s customers are not mobile customers, according to one recent study, firmly removing the possibility of authenticating their purchases through such applications.

Other payment providers and FIs are examining different customer identification methods to fit SCA standards. Fingerprint and facial scans are becoming more attractive, especially as many mobile phones are being equipped with biometric capabilities. Touch ID, for instance, can help authenticate online purchases, simplifying processes even more for merchants and customers alike.

Biometrics are not yet widely applied in this area, however, and customers are still deciding which methods they prefer. Merchants will have to keep such preferences in mind as they revamp mobile and online authentication to remain compliant with SCA.

SCA standards and the future of authentication

The banks, payment providers and merchants that need to authenticate their customers under SCA may have a bit more time than they thought to come up with tailored identification solutions for online and contactless payments, though. Many countries, including Denmark, Finland, France and the U.K., have approved temporary extension periods so merchants can become better versed in SCA and the changes it is creating.

It still seems likely that mobile phones will play a greater role in eCommerce and contactless payments now that SCA is live. Consumers’ familiarity with mobile shopping and payments certainly makes such devices natural choices for many merchants that need to implement 2FA. The EU’s eCommerce industry must continue to confront mobile authentication challenges as SCA becomes further entrenched in the payments world.