New Whitepaper Explores How SCA Rules Will Impact Merchants
The SCA rollout will continue through to late 2021, though that could, of course, change. The timeframe for compliance has already shifted multiple times across different markets on the continent. The rollout has been a staggered process, with some countries already expected to comply, while others have additional months of gradual enforcement.
These rules were introduced to the European market under the new Payment Services Directive (PSD2) protocol adopted several years ago. In the simplest terms possible, SCA standards require merchants to collect additional verification information for cardholders prior to completing a transaction. Now, merchants must verify buyers by at least two of the following three methods:
- Possession: This is something the user physically possesses, like a credit card. If the user can verify the CVV on the back of the card, it is reasonable to presume the user possesses the card.
- Knowledge: Something the user knows. A user might have a PIN code attached to the account in question, so verifying the PIN provides additional identity verification.
- Inherence: Something the user inherently is. A biometric impression, like a fingerprint or facial scan, would fulfill this requirement.
SCA: Problems and Potential Exemptions
Merchants have already raised concerns about increased friction during the checkout process due to SCA. That is a well-founded concern; as cited in the report, test data from Microsoft found that only 76% of browser-based transactions could be verified using SCA. For app-based purchases, the figure sinks to just 48%. Furthermore, SCA requirements prompted 14% of browser-based shoppers to abandon their purchases. With app-based shoppers, a quarter of potential buyers abandoned their carts.
Worrying as that may be, there are other roadblocks to consider. To name just one, we are likely to see some confusion about SCA liability and applicability across different regions and transaction types. There is also the risk of complacency in other areas of fraud management; given that 60-80% of all chargebacks may be cases of friendly fraud, this is a mistake merchants cannot afford to make.
But with these considerations come a bounty of opportunities. With the right procedures, it should be possible to eliminate many of these concerns. First, we have to note the exemptions to the SCA rules. If any of the following apply to a transaction, then the merchant is not required to deploy SCA:
- Merchant-Initiated Transactions: SCA may be needed for an initial transaction. But, any subsequent merchant-initiated transactions, like rebills, are exempt afterward.
- Mail Order: Transactions initiated by mail or telephone are exempt, as it would be too difficult to enforce SCA protocols through these channels.
- Prepaid Card Transactions: Prepaid cards are anonymous. Therefore, SCA would not have any effect on these purchases.
- "One-Leg" Transactions: SCA is part of EU legislation. As such, it is only required if both the payer and the payee are located within the EU's jurisdiction.
- Low-Value Purchases: Merchants are not required to enforce SCA rules for transactions with a total value of less than €30.
- Whitelisted Transactions: After one SCA-verified purchase, a consumer has the option to whitelist merchants. This allows them to bypass SCA requirements for subsequent purchases.
- Corporate/Virtual Card Transactions: Buyers may skip SCA requirements if using a virtual payment card, or a corporate card not issued in the customer's name.
What About Transaction Risk Analysis (TRA)?
In addition to the exemptions outlined above, there's also Transaction Risk Analysis, or TRA. This could be a key asset for merchants; with TRA, we may be able to exempt most transactions from SCA requirements.
TRA refers to a process of real-time behavioural observation and analysis conducted during a transaction. TRA looks at key fraud indicators and evaluates risk for each individual transaction. This is done without increasing friction on customer experience.
This is a great asset, but it is not directly under the merchant's control. TRA is deployed at the institutional level and the merchant's ability to take advantage of it depends on the acquirer's track record regarding fraud prevention.
Let's assume that a merchant wants to take advantage of TRA on a transaction valued at less than €100. The merchant's acquirer would need to maintain a fraud rate of no greater than 13 bps (0.13% of total transactions) in the previous 90 days to deploy TRA on this transaction. The requirements are even more strict for higher-value transactions.
This underscores the importance of close collaboration between merchants and financial institutions to manage fraud. In fact, one's capability to deploy TRA may even factor into decision-making when securing processing and banking services.
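The exemption list and the TRA threshold above can be read as a routing decision made before checkout. The following is an added example, not code from the whitepaper or any payment provider: the `Txn` fields, function names and reason strings are hypothetical, the sample history is constructed, and the fraud rate is computed per transaction count, as the text phrases it. Only the sub-€100 TRA tier is encoded because that is the only one the text gives.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds quoted in the text above; all names are hypothetical.
LOW_VALUE_EUR = 30        # low-value exemption: total below EUR 30
TRA_MAX_EUR = 100         # TRA case discussed: transaction below EUR 100
TRA_MAX_FRAUD_BPS = 13    # acquirer fraud-rate ceiling for that case
TRA_WINDOW_DAYS = 90      # look-back window for the acquirer's fraud rate

@dataclass
class Txn:
    amount_eur: float
    payer_in_eu: bool = True
    payee_in_eu: bool = True
    merchant_initiated: bool = False    # e.g. a rebill after an initial payment
    mail_or_phone: bool = False
    prepaid: bool = False
    whitelisted: bool = False
    corporate_or_virtual: bool = False

def fraud_rate_bps(history, today):
    """Fraud share of transactions, in basis points, over the previous 90 days.
    history: iterable of (date, is_fraud). Returns None when the window is empty."""
    start = today - timedelta(days=TRA_WINDOW_DAYS)
    flags = [is_fraud for day, is_fraud in history if start <= day < today]
    return 10_000 * sum(flags) / len(flags) if flags else None

def sca_decision(txn, acquirer_bps):
    """Return (sca_required, reason) using only the exemptions listed above."""
    exemptions = [
        (not (txn.payer_in_eu and txn.payee_in_eu), "one-leg"),
        (txn.merchant_initiated, "merchant-initiated"),
        (txn.mail_or_phone, "mail-or-telephone-order"),
        (txn.prepaid, "prepaid-card"),
        (txn.corporate_or_virtual, "corporate-or-virtual-card"),
        (txn.whitelisted, "whitelisted-merchant"),
        (txn.amount_eur < LOW_VALUE_EUR, "low-value"),
    ]
    for applies, reason in exemptions:
        if applies:
            return False, reason
    # TRA depends on the acquirer's record; missing data must not grant an exemption.
    if (txn.amount_eur < TRA_MAX_EUR and acquirer_bps is not None
            and acquirer_bps <= TRA_MAX_FRAUD_BPS):
        return False, "tra"
    return True, "sca-required"

# Constructed sample: 10,000 transactions in the window, 12 fraudulent (12 bps).
TODAY = date(2021, 6, 1)
HISTORY = [(TODAY - timedelta(days=1 + i % 90), i < 12) for i in range(10_000)]
```

Logging the returned reason with each transaction gives the merchant and acquirer a shared record of why SCA was or was not applied, which helps when liability for a disputed payment is in question.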
Leverage Friction to the Merchant's Benefit
Transaction Risk Analysis is a great asset to help strike that delicate balance between security and friction. But, even then, we must acknowledge that some degree of transaction friction is unavoidable.
The purpose of Strong Customer Authentication is to deter fraudsters by introducing friction. However, some legitimate cardholders will still be turned away by the additional screening requirements. Rather than accepting the situation as is, though, merchants may be able to leverage friction more effectively to stop fraud while retaining customers.
Not all points of resistance in the transaction process are created equally. Some will slow down processes with no tangible benefit to the merchant or cardholder, while others serve as valuable roadblocks to deter fraud with minimal impact on customers. The key is to distinguish between "positive" and "negative" friction points, and learn how to build on the former, while eliminating the latter.
Broken or dysfunctional product pages, slow response time, unnecessary and redundant fields during checkout, confusing or misleading page content are all negative points of friction. They slow down sales and frustrate buyers, but offer no benefit. In contrast, asking buyers to verify orders before finalising is a positive friction point.
Backend fraud tools like geolocation, velocity limits, blocked lists, and fraud scoring are all positive friction points. The same goes for making account creation an optional process, but requiring complex passwords.
Collaboration is Key
Strong Customer Authentication will introduce more friction to the transaction process. That is something beyond a merchant's control. However, with the right tools and practices in place, merchants can ensure that SCA only comes into account when necessary, and that any slowdowns resulting from SCA are offset by optimization elsewhere.
Merchants should work hand-in-hand with their processor to perform an overview of the customer experience from end-to-end. This will help pinpoint friction points to eliminate, and also identify opportunities to improve processes. Only then can merchants really get the most out of these new SCA requirements.