Payment Dispute Standards and Compliance Council

What is Strong Customer Authentication (SCA)?

The History of SCA

Authentication of ecommerce transactions using traditional methods has had its limitations. The use of a password or other authentication methods such as the Address Verification Service or the Card Verification Value enables a multi-layered fraud prevention approach when consumers make purchases online. Whilst these are effective in preventing some fraud up to a point, there is always a need to make online purchases more secure. Criminals use increasingly sophisticated methods to circumvent merchants’ and issuers’ fraud prevention tools, so it is important that the techniques to prevent fraud evolve. SCA is part of that evolution.

SCA and PSD2: A Regulatory Framework

SCA is a fundamental element of the Second Payment Services Directive, which came into force in Europe in January 2016. Known as PSD2, it brought about regulatory changes and requirements for payment service providers across Europe and the UK and, among many other provisions, introduced the requirement for all players within the payments industry to enhance the authentication of payments as part of a wider initiative to improve consumer protection.

Whilst PSD2 came into national law for EU member states in January 2018, the implementation of SCA ran to a different timetable. In Europe, SCA has been in force since December 2020; however, to ensure minimal disruption to merchants and consumers, the deadline for final implementation in the UK was extended from September 2021 to 14 March 2022.

What is SCA?

SCA offers a more robust way to authenticate an online payment by requiring two of three elements of verification to help ensure the person making the payment is the actual cardholder. The three elements are:

  • Something known – a password, pass phrase, or PIN
  • Something owned – a mobile phone, wearable device, card, or token
  • Something inherent – fingerprint, face ID, voice pattern

What Methods Comply?

3D Secure and its updated version 3D Secure 2 both comply with SCA, with 3D Secure 2 being the preferred method as it offers customers a more streamlined checkout process. 3D Secure 2 requires two-factor authentication, during which it uses 2 out of the 3 pieces of information to authorise the transaction, most commonly by sending a one-time passcode to the customer’s mobile device for them to enter into the checkout page for successful authorisation.

Digital wallets also comply with the regulations, in that a fingerprint or face ID from a mobile device is required to authenticate the transaction. Apple Pay and Google Pay are the two main players in this space, with more and more users, attracted by the enhanced security that tokenization provides, adopting this method of payment.

Exemptions to SCA

There are some exemptions under the regulations for transactions that may not require SCA:

  • Low-value transactions such as those under £30/€30
  • Low-risk transactions from a Payment Service Provider that has low fraud levels across all its platforms
  • Corporate payments where the card is not in the name of an individual

Future Prospects and Global Coordination

So, SCA is part of EU and UK regulations, but what about the U.S. payments industry? Will SCA implementation stretch across the pond? Currently, there are no requirements for U.S. banks and payment service providers to comply with any PSD2-type regulation. However, how long will this be the case? It may not be a matter of “if”, but “when”. There are no clear signs that regulations along the lines of PSD2 are being considered by regulators in the US, but it would seem that tackling a global problem like financial crime, of which fraudulent payments are a part, requires a coordinated global strategy.

The question that arises, however, is this: any additional fraud prevention protocol introduces friction into the purchase journey (albeit very little, some would argue) and therefore potentially increases purchase abandonment. Would that deter voluntary implementation?

Merchants may consider the risk of purchase abandonment too high when compared to the potential threat of fraudulent payments if they are not obliged by regulation to comply. This may, however, be a case of swimming against the tide, as there is a very strong argument for the alignment of SCA across all global jurisdictions rather than a fragmented approach. It is not just the EEA and UK that are leading the way with SCA; Australia, Turkey, and Mexico are following similar paths, adopting, or at least considering the implementation of, SCA within their payment ecosystems.

SCA and Impact on Chargebacks

How will the use of SCA affect chargebacks? We know that 3D Secure 2 is an SCA-compliant payment method. It is therefore more secure for customers and will increase authorisation rates. It also protects the ecommerce merchant from fraud-related disputes, in that there is a liability shift for such claims from the merchant to the issuing bank. This can be of significant benefit against spurious fraud claims: if a cardholder attempts to claim a genuine transaction as fraud, the merchant is protected where the authorisation was facilitated using 3D Secure 2. With the ever-increasing instances of first-party misuse, or friendly fraud as this practice is otherwise known, the use of 3D Secure 2 as part of the cardholder verification process can be a huge benefit to ecommerce merchants and ought to be a particular consideration for those looking to reduce their chargeback ratios.