When Two Worlds Collide
MWC Insider Blog
February 27, 2020
By Paul Rodgers: Chairman, Vendorcom; Panel Member, UK Payment Systems Regulator; European Payments Evangelist, World Wide Web Consortium (W3C)
We are in a networked world where technologies from multiple sectors must interoperate to create frictionless experiences for citizen/consumers. This is becoming ever more apparent in the world of payment transactions, particularly with the emerging need to authenticate those transactions to a much greater level.
The new Strong Customer Authentication (SCA) regulations that were to become effective on 14th September 2019 are designed to reduce fraud in the e-commerce, mobile, and remote payment ecosystems. The challenge, when these regulations were drafted, was that little thought had been given to how to provide the two-factor authentication required for payment card issuers to be compliant. This risked (and continues to risk) both the integrity of the online card payments ecosystem and the economic growth that has powered the European economy for over two decades.
The two factors could be drawn from three elements: knowledge, possession, or inherence; often described as something you know, something you have or something you are.
Over the past 18 months, most of the regulated entities have decided that one-time passcode (OTP) by SMS will be the best way to deliver one of those factors. Initially, an OTP was thought of as providing a knowledge factor, but in June 2019 the European Banking Authority stepped in and declared that an OTP is not ‘knowledge’ but is instead considered to be a ‘possession’ factor, indicating, as it does, that the user is in possession of a mobile phone SIM.
We now have the challenge of defining what the second factor will be and that’s beginning to look like we’re searching for the holy grail, especially if it’s not going to add unwanted friction into the payment and checkout process!
Whilst that search continues, some of us haven’t lost sight of the fact that OTP by SMS is not quite the panacea that it was initially thought to be – and that’s where the worlds of the mobile networks and payments collide. It will take both ecosystems working together to solve the challenges of making even the first, possession, factor seamless.
Millions of mobile phone customers across Europe have little or no access to a mobile signal of sufficient integrity to reliably transmit an SMS to a payment cardholder who will be dependent on its arrival in a timely manner if they are to be able to complete an online purchase.
As we used to have internet cafés before we all had broadband Wi-Fi at home, I am seeing the need for many to travel to an SMS café if the future of ecommerce payment authentication continues on its current trajectory.
I’d be interested to hear how readers feel the payments and mobile network communities could come together to provide a more robust approach that will keep the mobile phone in the authentication channel for ecommerce.
You can keep in touch with Paul’s updates on SCA on LinkedIn by following the #SCAday tag or by connecting with and following Paul at linkedin.com/in/paypaul.