The truth about Strong Customer Authentication (SCA)
Strong Customer Authentication is coming and it arrives, bearing headaches, on September 14th 2019. SCA is a requirement of the revised Payment Services Directive (PSD2), which has applied across the EU since January 13th 2018; September 14th 2019 is the date on which the Regulatory Technical Standards (RTS) that spell out how SCA must be implemented become mandatory.
For a refresher on PSD2, check out our article ‘An explanation of the revised Payment Services Directive (PSD2).’
But what is SCA exactly?
The Revised Payment Services Directive (PSD2) requires that payments be made more secure and that banks open their platforms for integration. SCA is the part that deals with making payments more secure. As of September 14th, online shoppers will need to prove their identity with two out of three independent elements, chosen so that compromising one of them (a stolen password, say) does not compromise the others:
- Something they know (password, pin, secret fact)
- Something they own (phone, wearable, hardware token)
- Something they are (fingerprint ID, facial ID, voice ID, retina scan)
Up until this point, the standard tool for verifying the cardholder in online transactions was 3D Secure 1.0 (3DS1), which redirects the shopper to the issuer's page to type in a password. To support SCA, the card schemes are moving to 3D Secure 2.0 (3DS2), the EMVCo version of the protocol that passes device and transaction data to the issuer in the background so that the issuer can decide whether a challenge is needed at all.
Don’t get lost in the acronym jungle. It’s pretty clear once you see how they are all connected:
- PSD2 ⇒ A directive outlining the general goal of open banking, data sharing and security
- SCA ⇒ A requirement of PSD2, stating that two out of three elements are needed for authentication
- 3DS2 ⇒ The authentication tool that makes compliance with SCA possible
SCA adds friction and hurts conversion
So what does SCA mean for business? SCA is good news because it makes payments more secure and gives businesses a leg up in the battle against fraud. However, you need to be aware of the drawbacks. SCA adds friction to the shopping experience. Users had just gotten the hang of online shopping and now they need to learn new tricks like using biometrics at checkout. There's no way of avoiding it: issuing banks in the EEA are required to decline payments that were neither authenticated nor covered by an exemption.
While we’re waiting for 3DS2, let’s look at 3DS1. In April 2019, Ravelin released a shocking report on the effects of 3D Secure. After analysing millions of global business transactions, they found that 22% of payments were lost as a result of using 3DS.
A study by 451 Research suggests the European economy is likely to miss out on €57 billion in the first twelve months after SCA comes into force.
Luckily, there are various exceptions to the rule. The following are the most common:
Transactions (partly) outside the EEA
SCA only applies when both payment service providers involved, the card issuer on the shopper's side and the acquirer on the seller's side, are located within the EEA. In other words, a transaction between a shopper paying with a US-issued card and a German eCommerce website is out of scope (a so-called one-leg transaction). Note that it is the location of the issuer and the acquirer that counts, not where the shopper happens to be sitting, and that some European banks might choose to apply SCA anyway.
People often refer to PSD2, GDPR, SCA etc as European. However, Europe is not synonymous with the European Union and the Union doesn’t quite cover it either. SCA applies to all businesses operating within the European Economic Area (EEA). That’s the European Union, plus Iceland, Liechtenstein and Norway. Note that Switzerland is not part of the EEA.
Low transaction value
Moreover, remote transactions of €30 or less are exempt from SCA. The exemption is not unlimited: the RTS cap it at €100 cumulatively, or five consecutive exempted payments, since the card was last authenticated with SCA, after which the shopper is challenged again.
Low transaction risk
Issuing banks or acquirers can apply an exemption for low-risk payments on the basis of Transaction Risk Analysis (TRA). The payment service provider applying it must keep its fraud rate for remote card payments under a threshold that depends on the transaction amount: 13 basis points (0.13%) for amounts up to €100, 6 basis points for amounts up to €250 and 1 basis point for amounts up to €500. Above €500 no TRA exemption is available. The rate is measured for the provider as a whole, not for an individual merchant.
After authenticating a payment with SCA, users are increasingly able to whitelist trusted merchants with their issuer (the 'trusted beneficiaries' exemption). The next time a purchase is made at that merchant, SCA is skipped. Whitelisting will become more commonplace as more card issuers start supporting it.
Excluded / Out of scope
The following transactions are excluded from SCA as they fall outside the scope of the regulation:
- MOTO: Transactions completed over the telephone or via mail order.
- MIT: Merchant initiated transactions (MIT) like recurring payments or subscriptions. Note that the first payment, which sets up the mandate, still requires SCA; only the later merchant-initiated charges are out of scope.
Frictionless flow and chargeback liability shift
The Payment Services Directive (PSD2) includes provisions that allow merchants to soften the blow of SCA to the consumer experience. One such provision is ‘frictionless flow.’
Frictionless flow allows SCA measures to be bypassed. In other words, eligible merchants will be able to offer their consumers a checkout experience without any added friction.
Frictionless flow can only be applied to transactions that meet certain criteria: the size of the purchase in relation to the fraud rate of the acquirer (the merchant's payment provider, not the individual merchant).
For example, for transactions up to €100, frictionless flow is allowed only if the fraud rate is at most 0.13% (13 basis points). For transactions up to €250 and €500, the fraud rate cap is 0.06% and 0.01% respectively. These are the same thresholds as for the TRA exemption above; frictionless flow is simply the 3DS2 outcome in which the issuer approves the authentication without challenging the shopper, typically because such an exemption applies.
Frictionless flow is very beneficial to eligible merchants as it minimises the risk of cart abandonment. However, when the acquirer requests the exemption, liability for fraud chargebacks stays with the acquirer, and therefore with the merchant.
Still, there is an exception. If an issuing bank does not trust a transaction and refuses to grant frictionless flow, the consumer is presented with an authentication challenge. If the consumer passes the challenge, fraud chargeback liability shifts to the issuing bank.
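To make the exemption rules above concrete, here is an added example (our own illustration, not code from any scheme, PSP or 3DS2 library) that classifies a sequence of payments on one card: out of scope first, then the low-value exemption, then TRA, and otherwise a challenge. The TRA bands (13, 6 and 1 basis points for €100, €250 and €500) are the ones on this page; the cumulative low-value caps (€100 or five consecutive exempted payments since the last SCA) are taken from Article 16 of the PSD2 RTS and are not stated on the page; the EEA list is a constructed subset. The issuer's right to refuse any exemption and challenge anyway is not modelled.

```python
"""Decision logic for the SCA exemptions discussed above (added example)."""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    OUT_OF_SCOPE = "out of scope"
    LOW_VALUE = "low-value exemption"
    TRA = "TRA exemption (acquirer liable)"
    SCA_REQUIRED = "SCA required (challenge)"


# Constructed subset of the EEA; a real table covers all EU states plus IS, LI, NO.
EEA = {"DE", "NL", "FR", "IE", "IS", "LI", "NO"}

LOW_VALUE_LIMIT_EUR = 30.0        # "does not exceed EUR 30"
LOW_VALUE_CUMULATIVE_EUR = 100.0  # assumption from RTS Art. 16, not on the page
LOW_VALUE_MAX_COUNT = 5           # assumption from RTS Art. 16, not on the page

# TRA bands from the page: (max amount, max acquirer fraud rate), increasing amount.
TRA_BANDS = ((100.0, 0.0013), (250.0, 0.0006), (500.0, 0.0001))


@dataclass
class Transaction:
    amount_eur: float
    issuer_country: str    # where the shopper's card issuer (payer's PSP) is
    acquirer_country: str  # where the merchant's acquirer (payee's PSP) is
    channel: str = "ecom"  # "ecom", "moto" or "mit"


@dataclass
class CardCounters:
    """Per-card state that must be tracked for the low-value exemption."""
    cumulative_eur: float = 0.0
    count: int = 0

    def reset(self) -> None:
        self.cumulative_eur = 0.0
        self.count = 0


def tra_ceiling(acquirer_fraud_rate: float) -> float:
    """Largest amount the acquirer may exempt under TRA at this fraud rate (0 = none)."""
    ceiling = 0.0
    for max_amount, max_rate in TRA_BANDS:  # bands are ordered by increasing amount
        if acquirer_fraud_rate <= max_rate:
            ceiling = max_amount
    return ceiling


def classify(tx: Transaction, counters: CardCounters, acquirer_fraud_rate: float) -> Outcome:
    # 1. Out of scope: MOTO and merchant-initiated payments, and one-leg
    #    transactions where either PSP sits outside the EEA.
    if tx.channel in ("moto", "mit"):
        return Outcome.OUT_OF_SCOPE
    if tx.issuer_country not in EEA or tx.acquirer_country not in EEA:
        return Outcome.OUT_OF_SCOPE
    # 2. Low value: EUR 30 or less and neither cumulative cap exhausted.
    if (tx.amount_eur <= LOW_VALUE_LIMIT_EUR
            and counters.cumulative_eur + tx.amount_eur <= LOW_VALUE_CUMULATIVE_EUR
            and counters.count < LOW_VALUE_MAX_COUNT):
        counters.cumulative_eur += tx.amount_eur
        counters.count += 1
        return Outcome.LOW_VALUE
    # 3. TRA: amount falls inside the band the acquirer's fraud rate allows.
    if tx.amount_eur <= tra_ceiling(acquirer_fraud_rate):
        return Outcome.TRA
    # 4. Otherwise the shopper is challenged; a completed SCA resets the counters.
    counters.reset()
    return Outcome.SCA_REQUIRED


def run(transactions, acquirer_fraud_rate: float):
    """Classify a sequence of payments on one card, returning outcomes in order."""
    counters = CardCounters()
    return [classify(tx, counters, acquirer_fraud_rate) for tx in transactions]


if __name__ == "__main__":
    # Constructed sample: five EUR 25 payments then a EUR 80 one, acquirer at 20 bps.
    seq = [Transaction(25.0, "NL", "DE")] * 5 + [Transaction(80.0, "NL", "DE")]
    for tx, out in zip(seq, run(seq, acquirer_fraud_rate=0.0020)):
        print(f"{tx.amount_eur:>6.2f} EUR -> {out.value}")
```

The sample shows the edge case that trips up integrations: the fifth €25 payment is no longer low-value because the cumulative €100 is used up, and since a 20 bps acquirer has no TRA band at all, it becomes a challenge. Lower the fraud rate to 10 bps and the same payment sails through under TRA (with the merchant carrying the chargeback liability).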
What can businesses do to soften the blow?
The bottom line is that conversions affect, well, your bottom line. It is of utmost importance that visitors carry out their purchases as intended, regardless of the new authentication measures. To that end, the best thing you can do is be upfront about it.
Own it. Inform your users that you’re proud to offer a secure shopping experience. Tell your customers that checkout is as safe as it can be because of your adherence to the latest standards. Most of all, tell them early, don’t wait until they are at the checkout phase.
Certain payment methods are intrinsically SCA-compliant, for example Apple Pay and Google Pay. Both combine the OWN element (the phone) with the ARE element (Face ID, Touch ID or the fingerprint sensor) or, as a fallback, the KNOW element (the device passcode). Using a payment method like Apple Pay therefore satisfies SCA without an extra challenge and reduces the perceived friction.
Finally, the best thing you can do is ally yourself with an expert in the field of payments. Not sure whether your payment transactions meet the SCA standard? Looking for a partner that offers local payment methods that Europeans love and trust? Alphacomm can help. Let’s get in touch!
Questions? Get in touch!
For any additional information or inquiries related to Strong Customer Authentication (SCA), feel free to contact us.
Let's make it happen!
3011 VH Rotterdam
© Copyright Alphacomm B.V. | Made with <3 in Rotterdam