The AirPlus Global

The role of SCA in the rise of mobile payments

Written by Connor Avis | Dec 16, 2021

Security of payments will always be a priority. However, the shift to digital platforms and online payments makes things much more complicated. And now with regulations like Strong Customer Authentication (SCA) coming into the picture, the way we secure our payments online is changing – and mobiles may benefit from this the most.

Looking back at how mobile payments are not only seeing growing use, but are in fact becoming the norm, it seems that there may be a sort of synergy emerging. That is to say: Are mobile payments going to benefit the most from SCA regulations and the push towards safer online spending?

The growing concern over payment authentication

Security is a big concern in a world where online spending is increasing, which is why developments and innovations in authentication are occurring in the first place. Authentication – the process in which we identify ourselves – has long taken the form of passwords and similar static means.

But over the years, these have proven not to be enough. Data suggests that payment fraud has been rising alongside the adoption of electronic payment transactions, like when making a purchase on e-commerce platforms.

In response, regulations have been mounting on the market to combat this.

That's where the topic of SCA comes in.

SCA in a nutshell

In essence, strong customer authentication (SCA) refers to the EU-wide regulations outlined in the second Payment Services Directive (PSD 2) that govern the security of payments online. It required that a kind of two-factor authentication be introduced to the online payment process, where online shoppers must demonstrate two of three categories in order to process their payment: knowledge, possession and inherence.

You can read more about strong customer authentication's impact on payments in our dedicated post.

For today, we'll be looking at the state of authentication when it comes to online payments. More often than not for these payments, the knowledge aspect is fulfilled by a password, with different cards and banks using a range of different means to fulfil the second factor.

But here lies the problem – passwords are not the most secure option, and so are falling out of favor.

The problem with passwords

Passwords and some other knowledge-based authentication methods have been getting bad press as of late – and for good reason. They are widely seen as one of the most insecure forms of authentication, with some estimates claiming that 80% of data breaches involve the use of passwords and other stolen credentials. [1]

Well actually, it’s the user that is the weak link, but they can hardly be blamed. The average person has around 80 passwords to remember, so it is somewhat understandable that 52% of people reuse their passwords across multiple accounts – which is not the best security practice to put it lightly. [2]

This poses a problem for merchants too. Passwords are easily forgotten, especially if you try to follow proper password etiquette (different passwords for each account, complex/mixed characters etc.). Forgotten passwords are annoying, leading some to give up and not proceed with their purchase.

The point here is that passwords and other knowledge-based authentication methods have their issues. This is becoming increasingly obvious to the point that other methods – namely possession and inherence – are now being preferred where possible.

This will require a pretty big shift in the paradigm, though we are already taking steps towards this. After all, there is a device widely used by a significant share of the population that is able to cover the criteria for both possession and inherence, which makes it perfect for meeting the requirements of SCA. That is, of course, the smartphone.

Smartphones as an authentication powerhouse

These days, smartphones are powerful devices with all sorts of features and sensors built in. The vast majority of modern smartphones have either a fingerprint sensor, microphone for voice recognition or face scanning capabilities that are ideal for facilitating secure processes.

Each of these authentication processes complies with the ‘inherence’ category, being something that you are. Even better is that they are quick and easy, especially when compared to remembering and then typing out a password. The majority of people are on board with this too. According to research by Visa, 73% of global consumers would feel comfortable using biometrics to make payments [3].

On top of this, as a digital device, mobiles have the means to comply with the possession category of PSD 2. This most often comes in the form of an OTP that is generated or received by your device, whether through a text or an app.

While not as frictionless as physical biometric methods due to the delay that usually occurs, it is still preferable to passwords. Despite there being other SCA-compliant methods, it is interesting to see how the two mentioned here in particular can be done on a single device, which may go some way to explain how and why mobile payment is growing so fast.

Sure, a lot of this can be put down to the pandemic and the general increase in compatibility, but this SCA compliance may give it staying power even after things return to normal. This is not to mention mobile wallets, either.

The role of mobile wallets

Mobile wallets are pretty much just that: digital wallets that are stored on devices like your smartphone. They store your card details securely and can be used to make and authenticate payments.

There is a wide selection out there, with the card-based wallets Apple Pay and Google Pay being the most popular. In short, these mobile wallets store the relevant card details and so the user does not need to input them each time they make a purchase.

This is important for security as users don’t need to share their card details with each and every site they buy from, reducing the chance that they will fall into the wrong hands. This also improves the user experience. But what is important for this topic is the convenience.

Mobile wallets allow you to carry multiple cards on one device. The cards stored in the wallet can then be used to make payments both online and in-store where such payments are supported.

Distribution is also worth a mention here. In digital form, cards do not need to be printed and then physically sent out to each individual. Instead, this can be distributed remotely and in an instant. This has obvious benefits in time and cost, while also enabling businesses to empower more employees with access to payment.

There is a clear conclusion to be made here – smartphones are one of the most convenient platforms for making secure online payments. However, other devices and methods are being developed to address this gap.

 

Behavioral biometrics: The future of digital authentication?

Payment processors can’t simply overlook the desktop or browser experience where physical biometric inputs such as fingerprint scanners are not prevalent. This group still makes up a sizable portion of the user base, and so not optimizing the experience for them would be a massive oversight.

Thankfully, that is where new innovations such as behavioral biometrics come in.

Behavioral biometrics refer to verification methods that measure uniquely identifiable patterns in the way a user interacts with their device. For example, the dynamics of your keystrokes can help identify you – even the way you scroll/swipe on the screen of your device can be used to single you out from other users.

As you can imagine, this method is not easy to develop. It is powered by machine learning that will learn these patterns and effectively teach itself what to look out for – the patterns of behavior of each and every individual user.

It may therefore take some time for behavioral biometrics to become widespread, providing more time for the smartphone to take hold of the market.

A step closer towards invisible payments

On the journey towards invisible payments, SCA can be a major hurdle. However, developments in behavioral biometrics and other similar innovations may help to overcome that.

Invisible payments describe payments that involve little or no input from the customer. Think about apps like Uber, where the payment takes place automatically after you reach your destination. That wouldn't be possible if you needed to input your password or scan your fingerprint each time.

With behavioral biometrics, it would be possible to recognize not only how you use your device, but potentially also when and where you are going. If it's a destination you visit regularly then it should help alleviate the need for input.

Only time will tell the actual implications of this innovation on invisible payments, but there does seem to be great potential in this regard.

What this all means for SCA and online payments as a whole

While all this talk of passwords and biometrics seems to be a bit of a tangent for this subject, it is worth talking about. It’s just one example of the innovation that is going on in this space in response to the increased pressure being applied by SCA. There are likely many more methods being worked on that may lead to the demise of passwords to make payments easier and less stressful while also being more secure.

In the end, security is only as strong as the weakest link, and passwords are most often seen as the most vulnerable part of the chain. While this may have been an issue before, SCA has pushed such authentication issues to the forefront, which has led to increased efforts to tackle them. However, it’s not necessarily new techniques being adopted. Rather, it is a shift to a different device.

And what about business scenarios? What impact will an emphasis on mobile payments have on the corporate payment process?

Actually, as part of the continuing consumerization of corporate payments, purchases using digital wallets from mobile applications may become the norm. Such tokenized, B2B payment through mobile applications would increase accessibility – something important for a remote workforce. [4]

This is because businesses will be able to provision digital payment methods such as virtual cards out to people's smartphones, ultimately leading to an increase in commercial card volume. [5]

The security brought about by the SCA compliance of smartphones makes this one of the safer options, at least on a technical level.

Mobiles: The ultimate payment device?

So then, what conclusions can we draw from this? One is that mobiles arguably offer the most frictionless payment experience. This ease of use may well lead more buyers to make their purchases through their mobile device. The data shows that this is also true for business scenarios.

The EU and other masterminds linked to this likely saw the growing usage of smartphones, and more specifically mobile payments, and so designed the regulations around the platform.

Whatever the reasoning, smartphones will be the biggest winners, at least until other devices such as desktops or laptop computers start to incorporate the appropriate technologies (i.e. fingerprint sensors, facial scanners etc.) that will make them compliant while also keeping the user experience in mind.

Looking beyond that, new innovations like behavioral biometrics will make this even easier, though it is a question of if and when such a method would be compliant under the SCA initiative. For the time being, we may well have the answer here as to why mobile payments are on the increase: convenience.


[1] https://www.verizon.com/business/resources/reports/dbir/

[2] https://www.theguardian.com/technology/2021/jan/31/the-tyranny-of-passwords-is-it-time-for-a-rethink

[3] https://fidoalliance.org/strong-customer-authentication-biometrics/

[4] https://www.pymnts.com/news/payment-methods/2020/mobile-payments-start-a-revolution-in-corporate-cards/

[5] https://www.globalpayments.com/en-ca/insights/2020/11/20/corporate-payments-go-mobile-through-tokenization-as-a-service