New Whitepaper Explores How SCA Rules Will Impact Merchants
Authenticating buyers is a basic component of merchant risk management. With Strong Customer Authentication (SCA) standards now in place in the European market, merchants are expected to make it more of a priority than ever before.
The SCA rollout will continue through to late 2021, though that could change, of course. The timeframe for compliance has already shifted multiple times across different markets on the continent. The rollout has been a staggered process, with some countries already expected to comply, while others have additional months of gradual enforcement.
These rules were introduced to the European market under the new Payment Services Directive (PSD2) protocol adopted several years ago. In the simplest terms possible, SCA standards require merchants to collect additional verification information for cardholders prior to completing a transaction. Now, merchants must verify buyers by at least two of the following three methods:
- Possession: This is something the user physically possesses, like a credit card. If the user can verify the CVV on the back of the card, it is reasonable to presume the user possesses the card.
- Knowledge: Something the user knows. A user might have a PIN code attached to the account in question, so verifying the PIN provides additional identity verification.
- Inherence: Something the user inherently is. A biometric impression, like a fingerprint or facial scan, would fulfill this requirement.
SCA: Problems and Potential Exemptions
Merchants have already raised concerns about increased friction during the checkout process due to SCA. That is a well-founded concern; as cited in the report, test data from Microsoft found that only 76% of browser-based transactions could be verified using SCA. For app-based purchases, the figure sinks to just 48%. Furthermore, SCA requirements prompted 14% of browser-based shoppers to abandon their purchases. With app-based shoppers, a quarter of potential buyers abandoned their carts.
Worrying as that may be, there are other roadblocks to consider. We are likely to see some confusion about SCA liability and applicability across different regions and transaction types, to name just one. There is also the risk of complacency in other areas of fraud management; given that 60-80% of all chargebacks may be cases of friendly fraud, this is a mistake merchants cannot afford to make.
But with these considerations come a bounty of opportunities. With the right procedures, it should be possible to eliminate many of these concerns. First, we have to note the exemptions to the SCA rules. If any of the following apply to a transaction, then the merchant is not required to deploy SCA:
- Merchant-Initiated Transactions: SCA may be needed for an initial transaction. But, any subsequent merchant-initiated transactions, like rebills, are exempt afterward.
- Mail Order: Transactions initiated by mail or telephone are exempt, as it would be too difficult to enforce SCA protocols through these channels.
- Prepaid Card Transactions: Prepaid cards are anonymous. Therefore, SCA would not have any effect on these purchases.
- "One-Leg" Transactions: SCA is part of EU legislation. As such, it is only required if both the payer and the payee are located within the EU's jurisdiction.
- Low-Value Purchases: Merchants are not required to enforce SCA rules for transactions with a total value of less than €30.
- Whitelisted Transactions: After one SCA-verified purchase, a consumer has the option to whitelist merchants. This allows them to bypass SCA requirements for subsequent purchases.
- Corporate/Virtual Card Transactions: Buyers may skip SCA requirements if using a virtual payment card, or a corporate card not issued in the customer's name.
What About Transaction Risk Analysis (TRA)?
In addition to the exemptions outlined above, there's also Transaction Risk Analysis, or TRA. This could be a key asset for merchants; with TRA, we may be able to exempt most transactions from SCA requirements.
TRA refers to a process of real-time behavioural observation and analysis conducted during a transaction. TRA looks at key fraud indicators and evaluates risk for each individual transaction. This is done without increasing friction on customer experience.
This is a great asset, but it is not directly under the merchant's control. TRA is deployed at the institutional level and the merchant's ability to take advantage of it depends on the acquirer's track record regarding fraud prevention.
Let's assume that a merchant wants to take advantage of TRA on a transaction valued at less than €100. The merchant's acquirer would need to maintain a fraud rate of no greater than 13 bps (0.13% of total transactions) in the previous 90 days to deploy TRA on this transaction. The requirements are even more strict for higher-value transactions.
This underscores the importance of close collaboration between merchants and financial institutions to manage fraud. In fact, one's capability to deploy TRA may even factor into decision-making when securing processing and banking services.
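The exemption list and the TRA threshold described above can be read as a single decision procedure. The sketch below is an added example, not code from the whitepaper or this article; the `Txn` fields, the factor names and the function names are assumptions, and the €250 and €500 TRA bands go beyond the article's single €100 case.

```python
from dataclasses import dataclass

# (amount ceiling in EUR, max acquirer fraud rate in bps over the previous 90 days).
# The 100 EUR / 13 bps band is the article's; the 250 and 500 EUR card-payment bands
# come from the PSD2 regulatory technical standards and are an addition to the article.
TRA_BANDS = [(100, 13), (250, 6), (500, 1)]
LOW_VALUE_EUR = 30
# Constructed factor names mapped to the article's three categories.
CATEGORY = {"card_cvv": "possession", "pin": "knowledge", "password": "knowledge",
            "fingerprint": "inherence", "face_scan": "inherence"}

@dataclass
class Txn:  # hypothetical record; every field name is an assumption
    amount_eur: float
    payer_in_eu: bool = True
    payee_in_eu: bool = True
    merchant_initiated: bool = False   # a rebill after an SCA-verified first payment
    mail_or_phone_order: bool = False
    prepaid_card: bool = False
    whitelisted_merchant: bool = False
    corporate_or_virtual_card: bool = False

def exemption(txn, acquirer_fraud_bps):
    """Return the first exemption from the article's list that applies, else None."""
    flags = [(not (txn.payer_in_eu and txn.payee_in_eu), "one-leg"),
             (txn.merchant_initiated, "merchant-initiated"),
             (txn.mail_or_phone_order, "mail-order"),
             (txn.prepaid_card, "prepaid"),
             (txn.whitelisted_merchant, "whitelisted"),
             (txn.corporate_or_virtual_card, "corporate-virtual"),
             (txn.amount_eur < LOW_VALUE_EUR, "low-value")]
    for applies, name in flags:
        if applies:
            return name
    # TRA: find the smallest band covering the amount, then test the acquirer's rate.
    # Amount boundaries follow the article's "less than" wording.
    for ceiling, max_bps in TRA_BANDS:
        if txn.amount_eur < ceiling:
            return "tra" if acquirer_fraud_bps <= max_bps else None
    return None  # above every band: TRA cannot apply

def sca_satisfied(verified):
    """True only if the verified factors span two or more distinct categories."""
    return len({CATEGORY[f] for f in verified if f in CATEGORY}) >= 2

def decide(txn, acquirer_fraud_bps, verified=()):
    """Return (outcome, exemption_name) for one transaction."""
    name = exemption(txn, acquirer_fraud_bps)
    if name:
        return ("exempt", name)
    return ("authenticated" if sca_satisfied(verified) else "challenge", None)
```

Note that a PIN plus a password counts as one category (knowledge), so that pair does not satisfy SCA, and that the same €80 payment is exempt or challenged depending only on the acquirer's fraud rate.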
Leverage Friction to the Merchant's Benefit
Transaction Risk Analysis is a great asset to help strike that delicate balance between security and friction. But, even then, we must acknowledge that some degree of transaction friction is unavoidable.
The purpose of Strong Customer Authentication is to deter fraudsters by introducing friction. However, some legitimate cardholders will still be turned away by the additional screening requirements. Rather than accepting the situation as is, though, merchants may be able to leverage friction more effectively to stop fraud while retaining customers.
Not all points of resistance in the transaction process are created equally. Some will slow down processes with no tangible benefit to the merchant or cardholder, while others serve as valuable roadblocks to deter fraud with minimal impact on customers. The key is to distinguish between "positive" and "negative" friction points, and learn how to build on the former, while eliminating the latter.
Broken or dysfunctional product pages, slow response time, unnecessary and redundant fields during checkout, and confusing or misleading page content are all negative points of friction. They slow down sales and frustrate buyers, but offer no benefit. In contrast, asking buyers to verify orders before finalising is a positive friction point.
Backend fraud tools like geolocation, velocity limits, blocked lists, and fraud scoring are all positive friction points. The same goes for making account creation an optional process, but requiring complex passwords.
Collaboration is Key
Strong Customer Authentication will introduce more friction to the transaction process. That is something beyond a merchant's control. However, with the right tools and practices in place, merchants can ensure that SCA only comes into account when necessary, and that any slowdowns resulting from SCA are offset by optimization elsewhere.
Merchants should work hand-in-hand with their processor to perform an overview of the customer experience from end-to-end. This will help pinpoint friction points to eliminate, and also identify opportunities to improve processes. Only then can merchants really get the most out of these new SCA requirements.