The State of Strong Customer Authentication: Does it Help or Hinder Online Commerce?
Strong customer authentication, or SCA, is not simply a description of verification standards. Under the Revised Payment Services Directive (PSD2), these authentication standards are now legally mandated in the European market.
SCA protocols actually went into effect in 2019, but not all merchants jumped aboard initially. The UK's Financial Conduct Authority, for instance, extended the deadline for compliance through March of last year.
SCA regulations are now fully live and enforceable. But how have SCA regulations shaped eCommerce for international merchants? What, if any, updates can we expect in the future? Let’s take a look.
What is Strong Customer Authentication?
Back in October 2015, the European Parliament adopted a new set of regulations for the payments industry, called the revised Payment Services Directive, or PSD2.
PSD2 was designed to govern how third-party services like Google or Facebook can operate in the European market. Another part of this directive, however, sets standards for how businesses should authenticate buyers.
In simple terms, the rule requires an extra layer of authentication during checkout for all transactions conducted in the European Union or the United Kingdom. Limiting verification to card number, billing address, and CVV is no longer enough. Merchants must now verify the buyer’s identity according to at least two of the following three factors:
- Knowledge: something the buyer knows, such as a PIN or password
- Possession: something the buyer has, such as the physical card
- Inherence: something the buyer is, such as a fingerprint or facial recognition scan
At least two of these three factors must be verified to the issuing bank’s satisfaction. Otherwise, the transaction will likely be declined.
How to Authenticate a Payment With SCA
In Europe, one of the most common forms of payment authentication occurs through 3D-Secure technology. This adds an additional layer of authentication to card-not-present (CNP) transactions.
To consumers, this extra step appears before or directly after checkout: a prompt from the bank asks for a one-time passcode (OTP), typically delivered to their smartphone, to finalize the transaction. That said, many merchants, processors, and other merchant service providers believe OTP requirements lead to false declines. There’s also a general belief that OTPs cause increased friction and higher rates of cart abandonment.
To combat these issues, many merchants supplement 3DS authentication with biometric payments that can streamline OTP requirements and reduce friction.
With biometric payments enabled, customers simply have to enter a thumbprint or facial scan to complete the secondary authentication step. Mobile wallet applications like Apple Pay and Google Pay come standard with biometric authentication capabilities. These tools are already available to consumers in their mobile app stores.
In the end, though, a majority of online transactions are not required to satisfy SCA requirements. There are a number of exceptions to SCA requirements that let transactions go ahead without meeting these standards.
SCA Exemptions & Exclusions
Strong customer authentication regulations will not necessarily apply to every transaction. As of this writing, SCA only affects transactions where both the payer and the payee are located in the EU. If one party is outside the EU (called a “one-leg” transaction), then SCA won’t be required.
Also, there are a number of conditions that can make a transaction exempt from these requirements, including:
Payment service providers may also provide other tools to help merchants adjust to SCA. Some commonly cited offerings include rule-based fraud screening, exemption management, and delegation of exemption. Perhaps the most important of these, however, is transaction risk analysis.
What is Transaction Risk Analysis?
Transaction risk analysis (or TRA) is a process that monitors the behavior of different parties during a transaction. It is used to gauge risk invisibly and in real-time. This is intended to stop fraud without adding friction to the customer experience.
TRA works by analyzing issuer and merchant risk scores (and other factors) relating to location, time, spending habits, and other behavioral patterns. If a transaction falls outside the historical norm for these factors, an alert is triggered and further authentication is required. Given the number and complexity of the exemptions above, an additional safeguard of this kind was needed.
Transaction risk analysis can only be used on orders valued at less than €500.
So-called “low-risk” transactions are also eligible for SCA exclusions or exemptions. Transactions that are valued at less than €500 and which register as “low risk” in real-time analysis can be exempted from SCA requirements.
It’s important to note, however, that TRA eligibility is based on the acquirer’s fraud rate, not the merchant's. Acquirers may only deploy TRA if they have an overall, generalized fraud rate below the following thresholds:
- 0.13% to exempt transactions below €100
- 0.06% to exempt transactions between €101 and €250
- 0.01% to exempt transactions between €251 and €500
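The decision path the article has described so far (the one-leg-out exclusion, the TRA exemption with its acquirer fraud-rate bands, and the two-of-three factor rule when SCA does apply) can be written down as a small policy model. The following is an added example, not code from the article or from any payment provider; the function names, the `Decision` type and the `verified_factors` vocabulary are its own. It follows the article's numbers as stated: TRA only under €500, bands at 0.13% (up to €100), 0.06% (up to €250) and 0.01% (up to €500), with the acquirer's rate required to be strictly below the band's threshold. The article leaves the €100–€101 and €250–€251 gaps unspecified; this example assumes each band's upper bound is inclusive.

```python
"""Toy model of the SCA decision path as described in the article.
Added example with assumptions noted inline; not the article's or any PSP's code."""
from dataclasses import dataclass
from decimal import Decimal

# The three factor categories named in the article.
FACTORS = frozenset({"knowledge", "possession", "inherence"})

# TRA bands from the article: (upper bound in EUR, max acquirer fraud rate in %).
# Assumption: each upper bound is inclusive (the article does not say what
# happens to an amount of, for example, EUR 100.50).
TRA_BANDS = (
    (Decimal("100"), Decimal("0.13")),
    (Decimal("250"), Decimal("0.06")),
    (Decimal("500"), Decimal("0.01")),
)
TRA_CEILING = Decimal("500")  # article: TRA only for orders "less than EUR 500"


def tra_exemption_available(amount_eur, acquirer_fraud_rate_pct) -> bool:
    """True when a TRA exemption may be claimed for this amount given the
    acquirer's overall fraud rate (in percent), per the article's bands."""
    amount = Decimal(str(amount_eur))
    rate = Decimal(str(acquirer_fraud_rate_pct))
    if amount < 0 or rate < 0:
        raise ValueError("amount and fraud rate must be non-negative")
    if amount >= TRA_CEILING:
        return False  # TRA is never available at or above EUR 500
    for upper, max_rate in TRA_BANDS:
        if amount <= upper:
            # The article says the acquirer's rate must be *below* the threshold.
            return rate < max_rate
    return False  # unreachable given the ceiling check, kept for clarity


def sca_satisfied(verified_factors) -> bool:
    """Two-of-three rule: at least two *distinct* factor categories verified.
    Two possession checks (e.g. card plus OTP to the same phone) count once."""
    verified = set(verified_factors)
    unknown = verified - FACTORS
    if unknown:
        raise ValueError(f"unknown factor categories: {sorted(unknown)}")
    return len(verified) >= 2


@dataclass(frozen=True)
class Decision:
    sca_required: bool
    reason: str


def evaluate(payer_in_eu_uk: bool, payee_in_eu_uk: bool, amount_eur,
             acquirer_fraud_rate_pct, low_risk: bool) -> Decision:
    """Walk the article's decision path: exclusion, then exemption, then SCA."""
    if not (payer_in_eu_uk and payee_in_eu_uk):
        return Decision(False, "one-leg-out: a party is outside the EU/UK, SCA does not apply")
    if low_risk and tra_exemption_available(amount_eur, acquirer_fraud_rate_pct):
        return Decision(False, "TRA exemption: low-risk and within the acquirer's fraud-rate band")
    return Decision(True, "SCA required: verify two of knowledge, possession, inherence")


def authorize(decision: Decision, verified_factors) -> bool:
    """Final gate: an SCA-required transaction needs two distinct factors."""
    if not decision.sca_required:
        return True
    return sca_satisfied(verified_factors)


if __name__ == "__main__":
    d = evaluate(True, True, "49.99", "0.10", low_risk=True)
    print(d, authorize(d, []))                      # exempt, approved without factors
    d = evaluate(True, True, "49.99", "0.20", low_risk=True)
    print(d, authorize(d, ["possession", "possession"]))  # SCA required, one category only
```

The `low_risk` flag stands in for the real-time risk verdict the article describes under TRA; everything else in the model is the article's stated rules. Note that the exemption hinges on the acquirer's rate, not the merchant's, exactly as the text says, so a low-fraud merchant at a high-fraud acquirer still gets no exemption.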
Is SCA Working?
Well, yes and no.
With fraud rates constantly in flux, it’s difficult to pinpoint how much of an impact strong customer authentication has had on eCommerce in just one year. However, one company reported that SCA technology led to 2,000 fewer cases of fraud each month last year. Its research also showed that 68% of its customers are happy to enter a texted passcode in its banking app.
Despite these findings, many companies argue that SCA isn’t actually stopping fraudsters. Instead, they’re just switching tactics. For instance, if a fraudster moderates attacks to remain below the £30 protection limit, they may slide stolen credentials through additional checks without ever raising an alarm.
Card testing, for example, is a fast-growing problem for eCommerce brands. Payment processor Stripe reported in 2022 that they’d detected more than 20 million card testing attempts per day. Because the dollar threshold on these transactions is so low, strong customer authentication would not be applied.
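Because card testing rides on amounts too small to trigger SCA, it has to be caught on the merchant's or processor's side by the pattern it leaves behind: many distinct cards tried from one source in a short window, mostly declined. The following velocity rule is an added example, not code from the article, Stripe or any processor; the log layout, the 5-minute window, the distinct-card threshold and the low-value cut-off are this example's own assumptions, and the log lines are constructed.

```python
"""Velocity detection for the card-testing pattern the article describes.
Added example with constructed data; thresholds and log format are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, client IP, card token (never a PAN),
# amount, authorization result. 203.0.113.7 cycles six cards in about a minute.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 tok_a1 1.00 declined
2024-03-01T10:00:09Z 203.0.113.7 tok_a2 1.00 declined
2024-03-01T10:00:20Z 203.0.113.7 tok_a3 1.00 declined
2024-03-01T10:00:31Z 203.0.113.7 tok_a4 1.00 approved
2024-03-01T10:00:45Z 203.0.113.7 tok_a5 1.00 declined
2024-03-01T10:01:02Z 203.0.113.7 tok_a6 1.00 declined
2024-03-01T10:01:10Z 198.51.100.2 tok_b1 45.00 approved
2024-03-01T10:02:30Z 198.51.100.2 tok_b1 1.00 approved
2024-03-01T10:05:00Z 192.0.2.9 tok_c1 5.00 declined
2024-03-01T10:15:00Z 192.0.2.9 tok_c2 5.00 declined
2024-03-01T10:25:00Z 192.0.2.9 tok_c3 5.00 approved
"""

# Assumed rule parameters (tune to your own traffic).
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_CARDS = 5
LOW_VALUE = 30.0  # only low-value attempts are considered, since that is the SCA gap


def parse_log(text: str) -> list:
    """Parse whitespace-separated records into dicts with a timezone-aware timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, ip, card, amount, result = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ip": ip,
            "card": card,
            "amount": float(amount),
            "result": result,
        })
    return records


def detect_card_testing(records, window=WINDOW,
                        min_distinct_cards=MIN_DISTINCT_CARDS, low_value=LOW_VALUE) -> dict:
    """Sliding-window rule: flag an IP when >= min_distinct_cards distinct card
    tokens appear within `window` on low-value attempts. Returns the widest
    offending window seen per IP, with its decline count for triage."""
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["amount"] <= low_value:
            by_ip[r["ip"]].append(r)

    alerts = {}
    for ip, recs in by_ip.items():
        start = 0
        for end in range(len(recs)):
            # Advance the window start until the span fits inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            distinct = {x["card"] for x in span}
            if len(distinct) >= min_distinct_cards:
                prev = alerts.get(ip)
                if prev is None or len(distinct) > prev["distinct_cards"]:
                    alerts[ip] = {
                        "distinct_cards": len(distinct),
                        "attempts": len(span),
                        "declines": sum(1 for x in span if x["result"] == "declined"),
                        "first": span[0]["ts"],
                        "last": span[-1]["ts"],
                    }
    return alerts


if __name__ == "__main__":
    for ip, a in detect_card_testing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {a['distinct_cards']} cards, {a['declines']}/{a['attempts']} declined "
              f"between {a['first'].time()} and {a['last'].time()}")
```

The rule keys on distinct card tokens rather than raw transaction count, which is what separates a tester cycling through stolen numbers from a legitimate customer retrying one card. Keying on IP alone is the weakest choice; in production the same window logic is usually run per device fingerprint and per session as well.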
Does SCA Cause More Friction?
While the friction introduced by strong customer authentication is minimal, the process does inevitably create friction in the customer journey.
According to Nuapay, UK businesses saw payment decline rates increase by an average of 37% following the enforcement of SCA rules. Additional findings the company reported following strong customer authentication implementation include:
- 29% of respondents believe the regulations need to go further to prevent fraud.
- 33% said the regulations have a negative impact on the customer experience.
- Just 39% of respondents felt the regulations were fully fit for purpose.
It’s still too early to paint a full picture of the benefits and downsides of SCA. That said, customer awareness is one area which is emerging as an obvious candidate for improvement. In response to another recent survey, up to 47% of the consumers polled remain unaware of the recent regulation updates, and have no idea how to navigate them.
Banks and merchants can improve these statistics by increasing communication regarding payment changes in order to increase consumer awareness. After all, throwing additional steps at consumers without explanation is bound to exacerbate cart abandonment issues.
Future Predictions
At least for now, the European Union’s strong customer authentication standards only impact EU and UK merchants. As we mentioned above, transactions from other eCommerce merchants are defined as being “one-leg-out.” In other words, only one party is based in the EU, so the transaction is not subject to strong customer authentication mandates.
That means US-based eCommerce merchants can sell to EU markets without worrying about SCA compliance. We can’t necessarily count on this to remain the case forever, though.
The idea behind the SCA mandate is quickly spreading. Australia, Mexico, and Turkey, for example, are all either considering SCA policies, or already have them in place.
In the US, the major card networks are already promoting voluntary compliance with SCA standards. And, as we saw with the California Consumer Privacy Act, being physically based outside the jurisdiction of a law does not necessarily exempt one from compliance with it.
It seems likely that US lawmakers will take up the issue themselves soon. If, or when, the US decides to implement its own SCA policies, we’ll need to focus on standardized, universally applicable protocols for verifying user identities. That is why it’s probably a good idea to start implementing the necessary changes and adopting business best practices in preparation.
How Do You Ensure Strong Customer Authentication?
Like it or not, some level of friction is unavoidable with strong customer authentication. That said, it’s also important to distinguish harmful friction points from useful fraud prevention barriers. Rather than resisting all friction, try redirecting it to more positive ends.
“Negative” friction slows down processes for little or no reason and thereby encourages cart abandonment. “Positive” friction points, in contrast, can be minimal or even unnoticeable from the buyer’s perspective, while delivering greatly increased fraud protection. Examples of positive friction include:
- Verifying CVV at checkout
- Asking buyers to confirm their order before finalizing
- Making account creation optional
- Requiring complex and unique passwords for all new accounts
- Offering 3-D Secure 2.0 for users who opt-in to the service
- Employing backend detection fraud tools (geolocation, fraud scoring, etc.)
- Offering mobile payments with two-factor authentication
If you’re a merchant, then some items on this list may already be part of your normal online checkout. If so, you’re already ahead of the game. That’s no reason to be complacent, though.
FAQs
What does ‘strong customer authentication required’ mean?
If a transaction requires strong customer authentication, that means it requires additional verification in order to be completed. This is required for all transactions completed in the EU or UK, unless the transaction meets a condition on the list of exemptions outlined in the revised Payment Services Directive (PSD2).
What are strong customer authentication principles?
Compliance with SCA means merchants must now verify buyers’ identities according to at least two of the following three factors: knowledge (something the buyer knows, like a PIN or password), possession (physical possession of a card), or inherence (fingerprint, facial recognition scan, etc.).
What is an example of strong customer authentication?
One-time passcodes (OTPs) are one example of strong authentication, as is two-factor authentication via email or text message, or a facial recognition scan.
What are the three main types of authentication?
You must authenticate cardholders through either something they know, something they have, or via something they are (knowledge, possession, or inherence). These can include passcodes, physical card details, or fingerprints and facial scans.