The FCA have just confirmed that they are going to delay the enforcement of rules on "strong customer authentication" - i.e. two-factor authentication for most payments, whether online or in person - from 14 September until March 2021. On the face of it this sounds like an issue for banks and financial folk to be dealing with in the background, but it has a really significant effect on retailers of all kinds as well - as is described in detail in this excellent report from the EPA.
Key points for retailers to note:
1. When SCA is in force, unless an exemption applies customers will have to authenticate every payment with two of the three factors of something you have (e.g. a mobile), something you know (e.g. a password) and something you are (e.g. a fingerprint).
2. This is likely to have a big effect on retailer revenue: research from Amazon estimated that each additional click in the purchasing experience increases basket abandonment by 15%.
3. Implementing sophisticated technology is likely to be the only real way of preserving customer experience - and therefore revenues - by allowing retailers and customers' banks to use SCA exemptions, or to authenticate seamlessly. Without this, banks / issuers will take the safe path and just decline more payments.
4. But implementing and testing that technology takes time, arguably at least a year; and while large merchants are mostly aware of SCA, most small and medium retailers are not, and pretty much everyone is unprepared for the original 14 September deadline.
5. The main form of tech needed to make this work "well" (3DS v2.2) is likely to be available only from early 2020 and will then need time to bed in before enforcement happens. So retailers need to move quickly.
6. There is a useful table of recommendations for merchants and acquirers, in section 9 of the report.
The FCA's intervention on the timescale is welcome indeed, but planning and action by retailers is needed - if not right now then very soon - to make sure that the new deadline doesn't creep up and get in the way of business.
“We expect 30-50% of ecommerce transactions to require step up authentication and 25-30% to be declined"