FCA Extends PSD2 Strong Customer Authentication Deadline, Putting Consumers at Risk

As part of the revised Payment Service Directive (PSD2) published in 2018, Strong Customer Authentication (SCA) was incorporated to make online payments more secure. The rules, which were set to apply from September 14th, mean consumers will have to approve online payments through a second level of authorisation whenever the cardholder's bank and the business accepting the transaction are both located in the European Economic Area. In other words, when consumers make an online payment of over £28, extra authentication will be required at the time of the transaction. Shoppers will have to provide two of the following: something they know, such as a password; something they are, verified through biometrics such as a fingerprint or facial scan; or something they have, such as a code received on their mobile device.
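The two conditions in the paragraph above, the £28 threshold with both parties in the EEA and two factors from different categories, can be expressed as a small decision routine. The example below is added here for illustration and is not code from the article or any payment provider; the `Payment`, `Factor` and `authorise` names are assumptions, and the rule is the simplified one the article states (the directive's full exemption list is not modelled). The point it makes explicit is that two factors of the same kind, such as a password plus a PIN, do not satisfy SCA.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Factor(Enum):
    """The three SCA factor categories named in the article."""
    KNOWLEDGE = "something the customer knows"    # e.g. a password
    INHERENCE = "something the customer is"       # e.g. fingerprint or facial scan
    POSSESSION = "something the customer has"     # e.g. a code sent to their phone


# Threshold as given in the article (assumed to be exclusive: "over £28").
SCA_THRESHOLD_GBP = 28.0


@dataclass(frozen=True)
class Payment:
    amount_gbp: float
    issuer_in_eea: bool     # cardholder's bank
    acquirer_in_eea: bool   # business accepting the transaction


def sca_required(p: Payment) -> bool:
    """SCA applies when both parties are in the EEA and the amount exceeds the threshold."""
    return p.issuer_in_eea and p.acquirer_in_eea and p.amount_gbp > SCA_THRESHOLD_GBP


def factors_satisfy_sca(factors: Iterable[Factor]) -> bool:
    """Two factors from *distinct* categories are needed; repeating a category counts once."""
    return len(set(factors)) >= 2


def authorise(p: Payment, factors: Iterable[Factor]) -> str:
    """Return a short verdict string for a payment and the factors the customer presented."""
    if not sca_required(p):
        return "approved: SCA not required"
    if factors_satisfy_sca(factors):
        return "approved: SCA satisfied"
    return "declined: SCA required but not satisfied"


if __name__ == "__main__":
    # Constructed sample payments, not real transactions.
    print(authorise(Payment(50.0, True, True), [Factor.KNOWLEDGE, Factor.POSSESSION]))
    print(authorise(Payment(50.0, True, True), [Factor.KNOWLEDGE, Factor.KNOWLEDGE]))
    print(authorise(Payment(20.0, True, True), []))
```

A real implementation would sit on the issuer side and also record which factors were used, so that declined attempts can be reviewed; the logic above only shows the category rule.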

What does SCA mean for consumers?

According to a survey by Avira, 30% of consumers worry whilst shopping online, and 22% only use well-known e-commerce sites for fear of being targeted by bad actors. The added layer of security on online payments will enable these consumers to feel more confident when making payments over £28 online, as the authentication checks, for example biometrics such as fingerprint or facial recognition, are far more secure. Indeed, consumers will benefit in a variety of ways from the enforcement of SCA: purchasing processes will become easier, there will be more choice of financial providers (and consequently of payment methods), and there will ultimately be a reduced risk of fraud.

There will be an extra step in the payment checkout process, where customers will have to use biometric authentication or codes to approve the payment, but this should be a seamless experience and not deter consumers from shopping online. According to a recent survey, 48% of consumers have already authenticated a payment using biometrics; and 61% believe using biometrics is a much quicker and more efficient way of paying for goods or services than traditional payment methods using only passwords[1].

SCA deadline extension

In an increasingly digital age, and with the high rates of cybercrime and identity fraud, financial institutions and payment providers need to apply these regulatory rules in order to provide the highest level of security for their customers. According to Action Fraud, £34.6m was stolen from innocent victims between April and September 2018, a 24% increase on the previous six months[2]. Despite reports that more than £190,000 a day is lost in the UK by victims of cyber-crime, the Financial Conduct Authority, the UK's financial regulator, has granted an 18-month extension for the enforcement of SCA[3]. The Financial Supervision Authority (FSA), the body overseeing banking and payment services in Poland, has followed suit and confirmed on 19th August that it will delay the enforcement of SCA.


The new SCA rules have faced opposition from an industry seen as not yet ready for the new digital era; new research from Stripe reported that just half of the 500 businesses surveyed expected to be compliant in time[4]. The delay by the financial services community in providing a more secure payment service for their customers is disappointing and worrying, considering the increasing number of cyber-attacks each year. The financial institutions and payment service providers, who have had nearly two years to prepare since the initial announcement, have unfortunately not put the safety of their customers at the heart of their operations – and there is no excuse.

Moving forward 

New and advanced technologies in the market have the potential to reduce the challenges posed by the new SCA enforcement. Basing the online authentication process on a combination of the customer's own smartphone and an open biometric approach will allow financial institutions to offer a low-friction payment experience while meeting the new regulatory requirements, since that combination is far more secure than passwords or codes alone.

Indeed, financial institutions and payment service providers need to integrate new technologies into their customer services and move towards a passwordless society. Passwords are easily compromised; it comes as no surprise that 81% of reported data breaches last year were due to poor passwords such as 1234[5]. There are easily incorporated multi-factor authentication solutions that rely on consumers' digital devices, as well as more secure forms of biometric authentication, which will eventually render passwords obsolete.


[1] https://info.veridiumid.com/biometric-recognition-systems

[2] https://www.bbc.co.uk/news/uk-47016671

[3] https://www.fca.org.uk/news/press-releases/fca-agrees-plan-phased-implementation-strong-customer-authentication

[4] https://stripe.com/gb/newsroom/news/sca-impact-study

[5] https://www.tracesecurity.com/blog/articles/81-of-company-data-breaches-due-to-poor-passwords
