Is your business preparing for an extra layer of authentication for online payments?
Payment services authentication is one of those 'horizon scanning' issues on which internal audit should at least be asking the business questions, in relation to:
what preparations are being made
whether or not new policies and procedures are required
if any change management or training is needed and if so whether the business has scheduled it
what contingencies are in place if new procedures do not operate as intended in the early days – particularly if the services provided are considered critical/essential or time dependent.
In September, Strong Customer Authentication (SCA) will have significant implications for how all businesses handle online transactions in the European Economic Area (EEA) where both payer and payee are in the region.
SCA, part of the PSD2 changes, requires an extra layer of authentication for online payments. It requires the use of two independent sources of validation by selecting a combination of two out of the three categories (two-factor authentication):
something you know (eg PIN)
something you have (eg card/phone)
something you are (eg fingerprint).
Many businesses will need to consider how they operate and advisers will need to consider how the change could impact their clients. The good news is that a number of exemptions exist, as outlined in this useful summary.
These exemptions include the case where ‘the transaction is initiated by a legal person (eg a business) rather than a consumer, and it is processed through a secured dedicated payment protocol’; here ‘the Commission is satisfied that it does not require separate authentication, provided alternative controls are sufficiently secure’.
Certain transactions are also exempted, such as recurring payments and purchases under €30. But even some low-value transactions may be challenged, for example if the combined value of several unchallenged transactions goes above €100. Businesses may also need to consider whether they should point out to customers that they can ‘whitelist’ businesses with their card issuer; this would mean that customers do not need to authenticate themselves for future purchases from that business.
However, much depends on how card providers set up their systems and the options available.
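To make the exemption rules above concrete for a control review, here is an added illustration (not from the article or any card scheme's rulebook) of how an issuer-side decision might combine the recurring-payment, whitelist and low-value exemptions. The €30 and €100 figures are the article's; the assumption that the cumulative counter resets after a successful challenge is mine, and the function and field names are hypothetical.

```python
from dataclasses import dataclass, field
from decimal import Decimal

LOW_VALUE_LIMIT_EUR = Decimal("30")    # per-transaction low-value exemption (from the article)
CUMULATIVE_LIMIT_EUR = Decimal("100")  # combined unchallenged low-value spend before a challenge (from the article)


@dataclass
class CardholderState:
    """Per-cardholder state the issuer keeps between authorisations (hypothetical structure)."""
    whitelisted_payees: set = field(default_factory=set)
    # Low-value spend exempted since the last successful SCA.
    # Assumption: this counter resets to zero once the cardholder is challenged.
    unchallenged_total: Decimal = Decimal("0")


def decide_sca(state: CardholderState, payee: str, amount: Decimal, recurring: bool = False):
    """Return (sca_required, reason) without mutating state."""
    if recurring:
        return False, "recurring-payment exemption"
    if payee in state.whitelisted_payees:
        return False, "payee whitelisted with issuer"
    # "Under €30" is strict: exactly €30 is not low-value.
    if amount < LOW_VALUE_LIMIT_EUR and state.unchallenged_total + amount <= CUMULATIVE_LIMIT_EUR:
        return False, "low-value exemption"
    if amount < LOW_VALUE_LIMIT_EUR:
        return True, "cumulative low-value limit exceeded"
    return True, "no exemption applies"


def authorise(state: CardholderState, payee: str, amount: Decimal, recurring: bool = False):
    """Decide, then update the cumulative counter the way the decision implies."""
    sca_required, reason = decide_sca(state, payee, amount, recurring)
    if sca_required:
        state.unchallenged_total = Decimal("0")  # assumed reset after a challenge
    elif reason == "low-value exemption":
        state.unchallenged_total += amount       # only unchallenged low-value spend accumulates
    return sca_required, reason


if __name__ == "__main__":
    # Constructed sample: four €25 purchases pass, the fifth trips the €100 cumulative limit.
    s = CardholderState(whitelisted_payees={"trusted-supplier"})
    for amt in ("25", "25", "25", "25", "10"):
        print(amt, authorise(s, "web-shop", Decimal(amt)))
```

The counter is the control worth testing in practice: a sequence of individually exempt payments must still be challenged once their combined value passes the limit.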