With Strong Customer Authentication (SCA) a little over two weeks away for European merchants, it should be the top priority – as not following the SCA guidelines put forth by the European Banking Authority (EBA) means that sales will be denied, frustrating both the merchant and the customer.
Payment Expert spoke to Alessio Rodia, Product Manager for PXP Financial, about the importance of SCA for firms as the deadline approaches.
Payment Expert: How is SCA achieved?
Alessio Rodia: Strong customer authentication (SCA) is part of the revised Payment Services Directive (PSD2), which is a package of measures introduced by European regulators to help make online banking and payments more secure. While the deadline in the UK is not until the 14th September 2021, for the rest of the European Economic Area it is the 31st December 2020, meaning merchants who operate in the EEA need to be prepared for it.
The aim of introducing SCA is to reduce payment fraud and it does this through the use of multi-factor authentication. This means payment providers must ask for multiple forms of identification. Customers must provide this in order for a payment to be approved, and these fall into three categories (of which two must be supplied):
- Knowledge: something the payer knows (e.g. a password)
- Possession: something the payer has (e.g. a token)
- Inherence: something the payer is (e.g. a fingerprint)
Payment Expert: Why is SCA so important?
Alessio Rodia: SCA is important because it will help to protect customers by fighting against fraud. This has been an ongoing endeavour for many years; however, it was previously something that was optional. Now the authentication model is mandatory and the new SCA requirements are a significant change to the current e-commerce model for card payments. So understanding them is vital.
From 2021 SCA will be compulsory for every e-commerce transaction, unless an exemption applies or it’s deemed out of scope. Secondly, the responsibility for authenticating customers will sit with service providers (issuers and acquirers in the case of card payments), not merchants.
Payment Expert: How does it affect cardholders and what needs to be done to get consumers on-board?
Alessio Rodia: Cardholders may be asked for additional information when they make a card payment online. If the nature of the transaction is deemed low risk by the card’s issuer, such as when you always order a takeaway from the same company, on the same device, using the same card at regular intervals, then there will be no request for additional information – this is referred to as “frictionless flow”.
In cases where the transaction is deemed high risk by the card issuer, such as buying a new TV at 3AM on a device you’ve never used before, then the cardholder will be asked for additional information by the card issuer to verify they are who they say they are, using 2 of the 3 factors – this is referred to as “challenge flow”.
SCA exists to the benefit of the customer as it will prevent fraud cases, but from the outside looking in, it may initially just seem like a frustrating extra step in the payment journey. So, to get the customer onboard it is important for merchants and customer-facing staff to explain this to them clearly.
Customers value security and, according to PWC, 85% of them won’t share their business with a company if they have concerns about its security practices, so as long as they are aware that SCA benefits them, they should be happy to comply.
Payment Expert: How can a merchant be exempt from SCA?
Alessio Rodia: There are a number of scenarios where SCA is not applicable or the merchant is exempt from supplying it. The most common of these cases will be when it is impossible to get authentication from the customer, such as when a payment is being made over the phone, at unattended devices such as a parking meter or when payment is being initiated by the merchant (like with Direct Debit).
Other exemptions can include when a low-value contactless payment is made (€50 in store and €30 online). In these cases there is a cumulative limit for customers making these kinds of payments before they need to authenticate (€150 and €50 respectively), or five consecutive transactions.
Then there are exemptions made where there are already approved anti-fraud measures in place. These will often need approval from the region’s finance body first, but secure corporate payments, and transactions where transaction risk analysis tools are in place, can also be exempt from SCA. This includes when the cardholder ‘white-lists’ a trusted beneficiary.
As you can see, there are many ways for a payment to be exempt from SCA and understanding an exemption can lead to less stress for the merchants down the line as they can accept the transaction without fear of it being declined.
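To make the exemption rules and the two-factor requirement from the answers above concrete, here is an added worked example; it is not code from PXP Financial or from the interview. It encodes the out-of-scope cases (phone, unattended devices, merchant-initiated payments), the trusted-beneficiary, secure-corporate and transaction-risk-analysis exemptions, and the low-value exemption with its cumulative amount and consecutive-count caps, using the euro figures quoted in the interview as default parameters (substitute the limits your scheme or issuer actually applies). It also checks that a challenge presents factors from at least two of the three categories. The `Transaction` and `CardState` fields, the channel names and the counter-reset behaviour are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    """The three factor categories from the interview; a challenge needs two of them."""
    KNOWLEDGE = "knowledge"
    POSSESSION = "possession"
    INHERENCE = "inherence"


# Low-value thresholds as quoted in the interview (assumed defaults for this example):
# per-transaction ceiling, cumulative amount since the last SCA, and consecutive count.
LIMITS = {
    "contactless": {"single": 50.0, "cumulative": 150.0, "count": 5},
    "online": {"single": 30.0, "cumulative": 50.0, "count": 5},
}


@dataclass
class CardState:
    """Per-card counters the issuer keeps between authentications (constructed)."""
    amount_since_sca: float = 0.0
    count_since_sca: int = 0
    trusted_beneficiaries: set = field(default_factory=set)


@dataclass
class Transaction:
    amount: float
    channel: str                        # "contactless" | "online" | "moto" | "unattended"
    merchant_id: str
    merchant_initiated: bool = False    # e.g. Direct Debit / recurring payment
    secure_corporate: bool = False
    tra_approved: bool = False          # approved transaction risk analysis in place


def sca_decision(tx: Transaction, state: CardState):
    """Return (requires_sca, reason); out-of-scope and exempt cases yield False."""
    if tx.channel in ("moto", "unattended") or tx.merchant_initiated:
        return False, "out of scope"
    if tx.merchant_id in state.trusted_beneficiaries:
        return False, "trusted beneficiary"
    if tx.secure_corporate:
        return False, "secure corporate payment"
    if tx.tra_approved:
        return False, "transaction risk analysis"
    limits = LIMITS.get(tx.channel)
    if limits and tx.amount <= limits["single"]:
        # Low value on its own is not enough: both cumulative caps must still hold.
        within_amount = state.amount_since_sca + tx.amount <= limits["cumulative"]
        within_count = state.count_since_sca + 1 <= limits["count"]
        if within_amount and within_count:
            return False, "low value"
        return True, "low-value cumulative limit reached"
    return True, "in scope"


def record_outcome(tx: Transaction, state: CardState, authenticated: bool) -> None:
    """A completed SCA resets the counters; an exempt payment accumulates on them."""
    if authenticated:
        state.amount_since_sca = 0.0
        state.count_since_sca = 0
    else:
        state.amount_since_sca += tx.amount
        state.count_since_sca += 1


def challenge_satisfied(presented) -> bool:
    """Challenge flow: the factors must span at least two distinct categories.
    Two passwords are still one category, so the set collapses them."""
    return len({Factor(f) for f in presented}) >= 2


if __name__ == "__main__":
    state = CardState()
    small = Transaction(amount=20.0, channel="online", merchant_id="takeaway-1")
    for _ in range(3):
        needs_sca, why = sca_decision(small, state)
        print(f"EUR {small.amount:.2f} online -> SCA required: {needs_sca} ({why})")
        record_outcome(small, state, authenticated=needs_sca)
    print(challenge_satisfied([Factor.KNOWLEDGE, Factor.POSSESSION]))
```

Running the script shows the third €20 online payment tipping the cumulative total past the quoted €50 cap and triggering a challenge, after which the counters reset. The design point worth noting for anyone implementing this on the issuer or acquirer side is that the low-value exemption is stateful: without the running counters, every payment under the single-transaction ceiling would look exempt forever.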
Payment Expert: What is the punishment for ignoring SCA?
Alessio Rodia: If SCA is ignored, the punishment is a simple one. The merchant will experience higher than usual declines. After the deadline for SCA has passed, issuers will start declining all transactions, as required by law, that do not request authentication or invoke an exemption.
Those who have not updated their process flows may also miss out on some of the functionality within the new Secure 3DS 2.0 protocol for frictionless flows, for example the ability to pass more data to issuers for better risk scoring and to optimise the check-out flow for shoppers on mobiles, tablets and in-app.
Payment Expert: What long-term effects will SCA have on the industry?
Alessio Rodia: SCA will not be achieved overnight, and at the beginning of 2021 we will likely have a teething period; however, in the long run it will be a massive benefit to the industry. The number of people shopping online has already increased by 37% from last year according to data from LexisNexis and, with that, fraud levels are also up. As the objective of SCA is to decrease the number of payment fraud cases, as time moves on customers will become familiar with the new verification methods, realising the benefits, and any initial pushback should subside.
Anti-fraud and other authentication methods like this are always evolving and this is simply the next step in the chain.