Strong Customer Authentication, or SCA, is the Next Big Shakeup for Global Payments
UPDATE 5/21/21: The UK's Financial Conduct Authority announced in a statement on Thursday that they will delay the implementation of strong customer authentication rules by a further six months to minimise disruption to consumers and merchants. The new compliance deadline is set at 14 March 2022.
UPDATE 10/21/19: According to an opinion published by the European Banking Authority (EBA), eCommerce merchants have until December 31, 2020, to adopt strong customer authentication (SCA) protocols. The EBA acknowledges that SCA migration demands a consistent approach, and that eCommerce merchants would not be ready for the change in time.
Strong customer authentication, often abbreviated to SCA, is not simply a description of authentication standards. Under the Second Payment Services Directive (PSD2), SCA is now law.
SCA protocols were to take effect in the European market on September 14, 2019, and these rules have the potential to completely reshape how we conduct business online. Let’s examine what these new standards mean, and how merchants should respond.
What is Strong Customer Authentication?
Back in October 2015, the European Parliament adopted a new set of regulations for the payments industry. The focus of the Revised Payment Services Directive, or PSD2, governs how third-party services like Google or Facebook can take on roles previously restricted to banks. However, there were other provisions imposed by PSD2 as well.
Effective September 14, 2019, merchants need to abide by strong customer authentication standards when conducting an eCommerce transaction in the European market. In simple terms, the rule requires an extra layer of authentication during checkout. Limiting verification to card number, address, and CVV is no longer enough. Now, sellers are required to verify the buyer’s identity according to at least two of the following three factors:
- Possession: Something the user possesses, like a payment card.
- Knowledge: Something the user knows, like a 3-D Secure code attached to an account.
- Inherence: Something the user inherently is, like a fingerprint or other biometric impression.
For example, assume a customer wants to make an online purchase. As a merchant operating under SCA standards, you have a few options. You can try to verify that:
- The customer physically possesses the payment card with CVV verification.
- The customer knows the PIN or 3-D Secure passcode associated with the card.
- The customer can provide a biometric signature connected to the cardholder’s account.
You need to verify at least two of these three things to the satisfaction of the cardholder’s issuing bank. If you’re not able to verify a buyer according to those standards, there’s a good chance the issuer will simply decline the purchase.
Ramifications of SCA for Merchants
eCommerce sales in Western Europe are projected to grow at a 17.3% compound annual growth rate (CAGR) between 2018 and 2022. By that point, online sales on the continent will surpass $1 trillion annually. But unfortunately, as consumer spending increases, so does fraud.
SCA standards are designed to protect European consumers from billions in annual losses from attempted online fraud. While more security sounds great, there could be substantial negative ramifications, too. Namely: added friction.
Stop Fraud Without Losing Sales.
Separate reasonable, useful fraud mitigation tactics from harmful friction at checkout. Learn how today.
More friction during checkout goes hand-in-hand with reduced conversion. For example, when the Indian Government enacted a similar regulation back in 2014, some businesses reported an overnight conversion drop of more than 25%! Now transpose that to the European market, where a 25% drop in conversion would equate to a potential €150 billion economic loss…this year alone.
Even worse, many retailers remain completely unaware of the upheaval headed their way. Data published by Mastercard in December 2018 revealed that up to 75% of European merchants remain unaware of SCA and how they should prepare for it. More than half of those surveyed said they would either not be ready before the deadline, or “have zero plans to support” SCA standards.
We could be standing on the edge of an event that will redefine relations between merchants and customers in Europe. Despite that, both parties remain largely in the dark about what to expect…which doesn’t bode well. Without merchant and consumer education, we may see online conversion plummet after SCA takes effect.
Exemptions/Exclusions to SCA
It’s important to note that so-called “one-leg-out” transactions—those in which only one party is based in the EU—do not apply. A seller based in the US, for example, would not be subject to SCA rules imposed by the PSD2. This stands in contrast to other EU policies like the General Data Protection Regulation (GDPR), which applies even to one-leg-out situations.
Other exemptions and exclusions to SCA standards include:
Merchant-Initiated TransactionsTransactions initiated by a merchant, such as rebills under a subscription service, are not subject to the same SCA standards as the initial transaction.
Mail OrderMail- and telephone-order transactions are not included, as two-factor authentication is difficult to conduct effectively via phone or physical mail.
Low-Risk TransactionsTransactions that are both valued at less than €500, and which register as “low risk” in real time analysis, can be exempted (given issuer approval).
Low-Value TransactionsTransactions valued at less than €30 are exempt from SCA. This exemption is subject to a velocity limit of five consecutive transactions or €100 cumulatively before SCA is required again.
Whitelisted TransactionsAfter an SCA-verified purchase, consumers can opt to whitelist you, making successive SCA checks unnecessary. You must implement 3-D Secure 2.0 functionality to turn on whitelisting functionality.
Corporate/Virtual Card TransactionsBoth virtual payment cards, as well as corporate cards not issued in the cardholder’s name, are exempted from SCA standards.
Just a Matter of Time?
Unlike GDPR, strong customer authentication standards will only impact EU merchants…at least for now.
Other countries like Australia and Mexico are considering similar measures now. For example, Australia’s AusPayNet framework is developing SCA standards for that market, and SCA standards may be compulsory there before the end of 2019. Mexico, another major online market, is considering their own SCA standards, too.
It’s possible—at least in theory—that one of these markets could establish “one-leg-out” transactions as subject to the law. This would put US merchants in the position of choosing between complying with the standards, or losing buyers from outside of the country.
When one major market establishes a certain regulation, other markets typically follow. With GDPR, for example, the legislation ultimately led tech giants like Facebook to voluntarily comply as a means of appeasing consumers. Not long after, the California Consumer Privacy Act (CCPA) made many of the GDPR’s provisions law in the US market, too.
A market as big as the EU has a lot of sway. Thus, depending on future conditions, US lawmakers may take up the issue themselves soon.
The guiding principle behind strong customer authentication seems straightforward. Even simple verification guidelines are complicated by a lack of standardization, though.
National regulators, card networks, and issuing banks may interpret overarching regulation differently. We can look at chargeback practices and policies as an example of how stakeholders with different definitions and priorities can lead to mismatched policies. Each bank, card scheme, and locality can have their own set of rules and policies…which makes compliance a logistical nightmare.
If SCA comes to the US, we’ll need standardization. This entails universally-applicable standards for verifying user identities. Until then, merchants need to find their own way to navigate the terrain.
Develop Positive Friction
Here’s the truth: some level of friction is unavoidable with SCA. The entire idea is to create a measure of friction to deter fraudsters. Rather than resisting that friction, try redirecting it in a more positive direction.
There’s a difference between positive and negative friction. The latter slows down processes for no reason, driving a wedge between you and your buyer. The former creates a reasonable degree of friction that is hardly noticeable from the buyer’s perspective, but which goes a long way to stop fraud.
Examples of positive friction include:
- Verifying CVV at checkout
- Asking buyers to verify their order before finalizing
- Making account creation optional
- Requiring complex and unique passwords for all new accounts
- Offering 3-D Secure 2.0 for users who opt-in to the service
- Employing backend fraud tools (geolocation, IP verification, fraud scoring, etc.)
- Offering mobile payments with two-factor authentication
Strong customer authentication standards are not going away. Even if you’re not under SCA jurisdiction yet, it’s a good idea to start implementing necessary changes and adopting business best practices in preparation. When SCA standards do eventually come your way, you’ll already be well-ahead of the game.