What do the new identity check rules mean for merchants?

From 14 March, change to anti-fraud measures will mean retailers will be expected to verify their customers’ details more thoroughly. Here’s what you need to know…

What are the changes?

The Financial Conduct Authority (FCA) is introducing new rules to ensure the verification system for electronic purchases are more robust. These measures – known as Strong Customer Authentication (SCA), will mean anyone buying high-value goods online with a debit or credit card will face more stringent identity checks to verify they are who they say they are. This will be in the form of an additional level of security, meaning they will have to provide two out of three pieces of information to complete their purchase (typically including inputting their existing password, a one-time passcode sent to them via text or landline, entering a PIN or logging into their banking app to approve a transaction).

What does this mean for the consumer?

In practice, this will mean online shoppers will face an extra stage to a purchase and potentially see more ‘card declined’ messages. It is important to note that this will not apply to smaller ticket purchases (where background checks will continue as before) – and nor will it apply to purchases made through smartphones. The EU describes any payment under €30 (£25) as ‘low value’ – although this is not a strict threshold, so some higher value purchases will not necessarily require SCA. (Although the new measures are the result of legislation from the European Banking Authority, they were adopted into UK Law before Brexit.) Likewise, if there are multiple smaller payments from one card,­ or the consumer has not shopped online with that particular retailer before, they may face extra identity checks.

Why is this happening now?

It actually should have happened a year ago, but the FCA delayed the imposition of the new rules in order to give retailers time to prepare. The measures are needed to combat the growing threat of fraud related to online purchases. Criminals are estimated to have stolen £750m through online fraud in the first half of 2021 alone, with the UK government’s National Cyber Security Centre (NCSC) issuing a public warning in December, having revealed almost 100,000 people in the UK had fallen victim to it in just over a year. Additionally, research by TransUnion in the US saw a 25% rise in digital fraud during the holiday season (between Thanksgiving and Cyber Monday) compared to the rest of the year. In effect, this meant 17.46% of all e-commerce transactions globally were fraudulent during that period.

How does it affect retailers and merchants?

In short, the government has put the onus on retailers to verify that their customers are who they say they are. All merchants need to have robust SCA measures in place by the 14 March 2022 deadline. Mastercard predicts the new rules will affect 25% of online transactions (previously, only 1% of online purchases required an additional security measure). Those merchants who do not have the correct anti-fraud checks in place run the risk of payments being declined. Retailers will also have to be prepared for online customers who do not have a mobile phone (or have a poor signal at home), requiring an alternative method of identity verification (e.g. via a message sent to their landline or by using card reader technology).

There’s no doubt these rules are needed – no-one wants to fall foul of online fraud – so you will need to ensure your business is SCA-ready to avoid more transaction headaches…