For banks and payment service providers, the rollout of Strong Customer Authentication (SCA) under the revised Payment Services Directive has added a layer of complexity to payment security that has many wondering whether or not payment authentication can still be frictionless.
Although SCA is intended to make online payments more secure, the rush to implement SCA-compliant solutions has also created a number of challenges for financial institutions, most notably an increase in failed transactions and frustrated customers.
Recent data from Barclaycard Payments highlights that over 43,000 daily transactions, totaling £3.64 million, were declined in February this year alone because of the changes.
E-commerce companies are suffering too. Research conducted by Forter in 2019 indicates that approximately one in three transactions are lost owing to complex authentication flows.
In this article, we’ll explore the impact that SCA is having on the financial services sector’s ability to offer secure and frictionless payments to its retail and merchant customers.
In theory, the payment experience for consumers should be one of enhanced security with fewer instances of friction. Instead, the requirement for SCA has seen legitimate customers being treated like they are committing fraud because an online store’s payment partner isn’t PSD2 SCA ready.
And while many banks and PSPs did manage to implement an MFA solution ahead of the SCA deadline, some rushed to do so and, as a result, are now dealing with numerous security and user experience issues caused by complex authentication flows and new security vulnerabilities.
Cryptocurrency exchanges, which fall outside of the scope of PSD2 regulation (for now), but have championed MFA for years, are still heavily targeted by fraudsters, which begs the question: is adding multiple authentication steps really the best way to prevent payment fraud and account takeover?
Despite exchanges mandating MFA for their users, $14 billion was lost to crypto fraud last year (2021), almost double the figure from the previous year. This highlights that preventing fraud is not as simple as PSD2 SCA would make it seem. In fact, adding further authentication challenges to inherently weak and incumbent security solutions is comparable to putting a newspaper over a broken window.
What financial services organizations must realize is that merely falling in line with PSD2 SCA is no guarantee of strong security. In fact, choosing a partner that makes authentication more complicated than it needs to be can damage profitability and undermine payment security goals altogether.
This, combined with the data around revenue loss, should be enough to convince the industry to embrace new technologies that enable seamless and compliant payment solutions that make security intuitive for users.
The financial services industry can benefit greatly from solutions that make payment security intuitive for users, and the best way to do this is by reducing the number of steps required to authorize a payment.
Many organizations are embracing passwordless solutions, but the financial services industry is partly reliant on PINs, OTPs, and passwords – all of which have been proven to be insecure.
How can this be done? The key to making security intuitive is to eradicate methods that require conscious user effort, such as passwords and OTPs. These methods rely on customers being more security-aware than fraudsters, whose strategies are only becoming more sophisticated, large-scale, and successful.
By simplifying payment authentication and embracing passwordless, the financial services industry can not only reduce fraud but also decrease the volume of failed and abandoned transactions caused by traditional authentication methods.