The State of SCA Adoption Throughout Europe & How it Could Impact Your Bottom Line
SCA, or Strong Customer Authentication, is one of the most seismic changes in digital security over the last decade. Now that we have SCA protocols in place (at least for the most part), we should take a moment and examine how well the process is going so far.
First, let’s do a very brief overview of basic SCA requirements.
SCA is part of the Revised Payment Services Directive (PSD2) adopted throughout the European Union. The directive mainly governs how third-party payment services can operate in the EU, but part of it also sets standards for how businesses must authenticate buyers.
In simple terms, the rule requires an extra layer of authentication during checkout. Limiting verification to card number, address, and CVV is no longer enough; now, you have to verify the buyer’s identity according to at least two of the following three factors:
- Something the user possesses, like a payment card.
- Something the user knows, like a 3-D Secure code attached to an account.
- Something the user inherently is, like a fingerprint or other biometric impression.
For example, assume a customer wants to make an online purchase. As a merchant operating under SCA standards, you have a few options. You can try to verify that:
- The customer physically possesses the payment card with CVV verification.
- The customer knows the PIN or 3-D Secure passcode associated with the card.
- The customer can provide a biometric signature connected to the cardholder’s account.
At least two of these three things must be verified to the issuing bank’s satisfaction. Otherwise, there’s a good chance the issuer will decline the purchase.
How is the SCA Rollout Going?
We can sum up the adoption of Strong Customer Authentication standards as a “mixed bag.” According to the SCA Scorecard published by Microsoft, outlining their tests with SCA in the European market, there are some concerning issues that still need to be addressed:
Authentication success rates are low: Microsoft was able to authenticate 76% of browser-based transactions using SCA. For app-based (mobile and gaming console) transactions, that figure dropped to 48%. Their experience suggests that SCA enforcement will introduce substantial friction into the process.
Authentication abandonment remains high: Customers abandoned 14% of browser-based transactions, and 25% of app-based transactions when asked to verify themselves according to SCA requirements. Clearly, customers are still uncomfortable providing the added verification requested.
Challenge rates remain high: Challenge rates for browser-based and app-based transactions sit at 72% and 73%, respectively. This suggests issuers have yet to optimize their decision process when it comes to SCA authentication.
It’s also worth noting that SCA standards will have no significant impact on one of the leading sources of chargeback issuances: friendly fraud.
As cited in a new SCA whitepaper published by Fi911, global chargeback issuances will see a compound annual growth rate (CAGR) of 16.3% between 2018 and 2023. The majority of these cases will be instances of friendly fraud (61% in North America and 73% in Europe).
The conditions we outlined above will improve with time as everybody gets acclimated to SCA protocols. Friendly fraud is different, though, because it is post-transactional: the pre-transaction authentication required by SCA will have little impact on fraud that happens after the fact. And with friendly fraud set to represent a greater share of chargebacks over time, this problem will only get worse.
Exceptions to SCA Requirements
So, even though there’s no guarantee that Strong Customer Authentication standards will stop fraud, you’re still required to add this friction-causing step to every transaction? Not necessarily.
As of this writing, SCA applies to any transaction in which the payer and the payee are located in the EU. So, if one party is outside the EU, SCA wouldn’t be required. There are a number of other conditions that can make a transaction exempt from SCA requirements, too:
- Mail order or telephone order payments
- Transactions involving anonymous prepaid cards
- One-leg (payer or payee is based outside of the EU) transactions
- Merchant-Initiated Transactions (MITs), including recurring payments for the same amount to the same merchant
- Transactions below €30, unless the cumulative amount attempted without SCA since the last authentication would exceed €100
- Transactions involving a merchant whitelisted by the consumer
- Secure corporate payments
- Payments made with lodged cards and virtual card numbers
A transaction can also be exempted if it’s considered to be “low risk.” You can determine a transaction’s risk level using Transaction Risk Analysis (TRA).
TRA is a method of identifying fraud by observing the behavior of different parties during a transaction. It can be deployed in real-time to gauge the risk represented by a transaction, stopping fraud while remaining invisible to the customer and adding no friction to the customer journey. TRA is generally exercised at the bank level; we recommend reaching out to your acquirer to see if this is a possibility.
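To make the exemption rules above concrete, here is an added illustration (not the article's own logic, and not any PSP's or issuer's implementation) that classifies a transaction against the exemptions listed and tracks the €30/€100 low-value counter per card. The `tra_low_risk` flag is assumed to be the acquirer's TRA verdict supplied as an input; the field names and the ordering of the checks are my assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Thresholds for the low-value exemption as stated in the article.
LOW_VALUE_LIMIT_EUR = 30.0
LOW_VALUE_CUMULATIVE_CAP_EUR = 100.0


@dataclass
class Transaction:
    amount_eur: float
    payer_in_eu: bool
    payee_in_eu: bool
    channel: str = "ecommerce"         # "ecommerce" or "moto" (mail/telephone order)
    merchant_initiated: bool = False   # MIT, e.g. recurring payment of a fixed amount
    anonymous_prepaid: bool = False
    merchant_whitelisted: bool = False  # consumer has whitelisted this merchant
    secure_corporate: bool = False     # lodged card / virtual card number programme
    tra_low_risk: bool = False         # acquirer's Transaction Risk Analysis verdict (assumed input)


@dataclass
class CardState:
    """Per-card running total of amounts attempted without SCA since the last challenge."""
    spent_without_sca_eur: float = 0.0


def sca_exemption(tx: Transaction, state: CardState) -> Optional[str]:
    """Return the first applicable exemption name, or None when SCA must be applied.
    Updates the low-value counter only when the low-value exemption is actually used."""
    if not (tx.payer_in_eu and tx.payee_in_eu):
        return "one-leg"
    if tx.channel == "moto":
        return "mail-or-telephone-order"
    if tx.anonymous_prepaid:
        return "anonymous-prepaid"
    if tx.merchant_initiated:
        return "merchant-initiated"
    if tx.merchant_whitelisted:
        return "whitelisted-merchant"
    if tx.secure_corporate:
        return "secure-corporate"
    projected_total = state.spent_without_sca_eur + tx.amount_eur
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR and projected_total <= LOW_VALUE_CUMULATIVE_CAP_EUR:
        state.spent_without_sca_eur = projected_total
        return "low-value"
    if tx.tra_low_risk:
        return "transaction-risk-analysis"
    return None  # no exemption applies: challenge the customer with SCA


def record_sca_challenge(state: CardState) -> None:
    """A successful SCA challenge resets the cumulative low-value counter."""
    state.spent_without_sca_eur = 0.0
```

Run repeatedly against the same `CardState` to see the low-value exemption stop applying once the €100 cumulative cap would be exceeded, and resume after `record_sca_challenge`.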
How Can You Make the Most of SCA?
On a more positive note, merchants are not alone in this process. Payment service providers say they will provide some functions to merchants to help with adjustment to SCA. The most commonly cited include:
- 3-D Secure
- Rule-Based Fraud Screening
- Transaction Risk Assessment (TRA)
- Exemption Management
- Delegation of Exemption
At the same time, it’s crucial that you educate yourself on all steps necessary to be ready to navigate SCA requirements. This includes outlier scenarios, how to rescreen orders, and how to optimize the customer experience to prevent unnecessary declines and cart abandonment.
It’s also important to distinguish harmful friction points from useful barriers to prevent fraud. The former slows down processes for no reason, driving a wedge between you and your buyer. The latter creates a reasonable degree of friction—hardly noticeable from the buyer’s perspective—which can greatly increase fraud protection. Examples of this so-called “positive” friction include:
- Verifying CVV at checkout
- Asking buyers to verify their order before finalizing
- Making account creation optional
- Requiring complex and unique passwords for all new accounts
- Offering 3-D Secure 2.0 for users who opt-in to the service
- Employing backend fraud tools (geolocation, IP verification, fraud scoring, etc.)
- Offering mobile payments with two-factor authentication
In this post, we learned how merchants and financial institutions are faring amid the ongoing SCA rollout process. We identified some problem areas with SCA, as well as situations in which you’d be exempt from requiring additional verification under SCA rules. Finally, we looked briefly at what you can do to help stop bad declines and prevent customers from abandoning purchases.