The truth about Strong Customer Authentication (SCA)

Up until this point, the standard tool used to verify the authenticity of online transactions was the 3D Secure 1.0 system (3DS1). To make this stronger form of authentication possible, an update of the 3D Secure system from 1.0 to 2.0 was necessary. So now, along with the introduction of SCA, card schemes are adopting 3DS2 in order to better comply with SCA.

Don’t get lost in the acronym jungle. It’s pretty clear once you see how they are all connected:

• PSD2 ⇒ A directive outlining the general goal of open banking, data sharing and security
• SCA ⇒ A requirement of PSD2, stating that two out of three elements are needed for authentication
• 3DS2 ⇒ The authentication tool that makes compliance with SCA possible

SCA adds friction and hurts conversion

So what does SCA mean for business? SCA is amazing because it makes payments secure and gives businesses a leg up in the battle to eradicate fraud. However, you need to be aware of the drawbacks. SCA adds friction to the shopping experience. Users had just gotten the hang of online shopping and now they need to learn new tricks like using biometrics at checkout. There’s no way of avoiding it. European banks will be required to decline payments that don’t meet the SCA standard.

While we’re waiting for 3DS2, let’s look at 3DS1. In April 2019, Ravelin released a shocking report on the effects of 3D Secure. After analysing millions of global business transactions, they found that 22% of payments were lost as a result of using 3DS.

A study by 451 Research suggests the European economy is likely to miss out on €57 billion in the first twelve months after SCA comes into force.

SCA exemptions

Luckily, there are various exceptions to the rule. The following are the most common:

Transactions (partly) outside the EEA
For SCA to apply to international transactions, both countries (that of the user and the seller) need to be located within the EEA. In other words, a transaction between a user in the USA and a German eCommerce website is exempt from SCA. However, some European banks might choose to apply SCA anyway.

People often refer to PSD2, GDPR, SCA etc as European. However, Europe is not synonymous with the European Union and the Union doesn’t quite cover it either. SCA applies to all businesses operating within the European Economic Area (EEA). That’s the European Union, plus Iceland, Liechtenstein and Norway. Note that Switzerland is not part of the EEA.

Low transaction value
Moreover, transactions with a value under €30 are exempt from SCA.

Low transaction risk
Issuing banks or acquirers can apply for an exemption for low-risk payments on the basis of Transaction Risk Analysis (TRA). In order to be considered for the exemption, fraud rates for remote card payments need to be between one and six basis points.

Trusted beneficiaries
After completing a payment with SCA, users will increasingly be able to whitelist trusted merchants. The next time a purchase is made, SCA will be bypassed. Whitelisting will become more commonplace as more card issuers start supporting it.

Excluded / Out of scope

The following transactions are excluded from SCA as they fall outside the scope of the regulation:

• MOTO: Transactions completed over the telephone or via mail order.
• MIT: Merchant initiated transactions (MIT) like recurring payments or subscriptions.

Frictionless flow and chargeback liability shift

The Payment Services Directive (PSD2) includes provisions that allow merchants to soften the blow of SCA to the consumer experience. One such provision is ‘frictionless flow.’

Frictionless flow allows SCA measures to be bypassed. In other words, eligible merchants will be able to offer their consumers a checkout experience without any added friction.

Frictionless flow can only be applied to transactions that meet certain criteria; the size of the purchase in relation to the fraud rate of the merchant (acquirer).

For example, for transactions up to €100, frictionless flow is allowed only if the fraud rate is less than 0.13%. For transactions up to €250 and €500, the fraud rate cap is set at 0.06% and 0.01% respectively.

Frictionless flow is very beneficial to eligible merchants as it minimises the risk of cart abandonment. However, the merchant is liable for any chargebacks that occur through frictionless flow.

Still, there is an exception. If and when an issuing bank does not trust a transaction and refuses to grant frictionless flow, the consumer is presented with an authentication challenge. If the consumer passes the challenge, the chargeback liability shifts towards the issuing bank.

What can businesses do to soften the blow?

The bottom line is that conversions affect, well, your bottom line. It is of utmost importance that visitors carry out their purchases as intended, regardless of the new authentication measures. To that end, the best thing you can do is be upfront about it.

Own it. Inform your users that you’re proud to offer a secure shopping experience. Tell your customers that checkout is as safe as it can be because of your adherence to the latest standards. Most of all, tell them early, don’t wait until they are at the checkout phase.

Certain payment methods are intrinsically (in and of themselves) SCA-proof, for example, Apple Pay and Google Pay. Both of which already combine the OWN and ARE elements. Using a payment method like Apple Pay therefore automatically reduces the perceived friction.

Finally, the best thing you can do is ally yourself with an expert in the field of payments. Not sure whether your payment transactions meet the SCA standard? Looking for a partner that offers local payment methods that Europeans love and trust? Alphacomm can help. Let’s get in touch!

Questions? Get in touch!

For any additional information or inquiries related to Strong Customer Authentication (SCA), feel free to contact us.