Strong Customer Authentication: What You Need to Know About SCA in 2021
Strong customer authentication, or SCA, is not simply a set of verification guidelines. Under the Revised Payment Services Directive (PSD2) and its Regulatory Technical Standards, SCA is a legal requirement for payment service providers in the European Economic Area, and the UK retained the same rule after leaving the EU.
The SCA requirement came into force on 14 September 2019, but not all merchants are enforcing it yet. Regulators allowed a migration period: in the EEA, issuers and acquirers had to enforce SCA from 31 December 2020, while the UK's Financial Conduct Authority (FCA) extended the UK deadline further. eCommerce merchants selling into the UK now have until 14 March 2022 to become fully compliant with the new regulations.
In extending the deadline, the FCA is acknowledging the magnitude of the SCA mandates. These rules have the potential to completely reshape how eCommerce is conducted. So, let’s examine what the new standards mean, and how you, as a merchant, should respond.
What Is Strong Customer Authentication?
Back in October 2015, the European Parliament adopted a new set of regulations for the payments industry. Much of PSD2 was designed to govern how third-party providers (for example, account-information and payment-initiation services offered by technology companies) can access bank accounts and operate in the European market. Another part of this directive, however, set standards for how businesses must authenticate buyers.
In simple terms, the rule requires an extra layer of authentication when a payer initiates an electronic payment and both the payer's and the payee's payment service providers are in the European Economic Area (or, under the UK rules, the UK). Limiting verification to card number, expiry date, and CVV is no longer enough. The buyer's identity must now be verified according to at least two of the following three factors, and the two factors must be independent, so that compromising one (say, a stolen phone) does not also compromise the other:
- Possession: Something the user possesses, such as a registered phone or authenticator app, or a hardware token. Typing in a card number and the CVV printed on the card does not count as proof of possession for an online purchase, which is why one-time codes sent to a registered device are the usual choice.
- Knowledge: Something only the user knows, such as a password, a PIN, or the static 3-D Secure password some issuers still use.
- Inherence: Something the user inherently is, such as a fingerprint, face, or other biometric.
At least two of these three items must be verified to the issuing bank's satisfaction. Otherwise, there's a good chance the transaction will be declined, or that the issuer will return a "soft decline" asking you to resubmit it with authentication.
What Does SCA Mean for Merchants?
Strong Customer Authentication standards are designed to protect European consumers from attempted online fraud. This could potentially prevent billions of euros in annual losses. To date, however, adoption of the regulations could be best described as a mixed bag.
The SCA Scorecard published by Microsoft outlined the company’s tests with SCA in the European market. The report found some concerning issues that still need to be addressed:
Authentication success rates are low
Microsoft was able to authenticate 76% of browser-based transactions using SCA. For mobile and app-based transactions, that figure dropped to 48%. This suggests that SCA enforcement is introducing substantial friction to the process.
Authentication abandonment remains high
Customers abandoned 14% of browser-based transactions, and 25% of app-based transactions, when asked to verify themselves according to SCA requirements. Clearly, customers are still uncomfortable providing the added verification.
Challenge rates remain high
Challenge rates for browser-based and app-based transactions sit at 72% and 73%, respectively. This could mean issuers have yet to optimize their decision process when it comes to SCA authentication.
Additional security for card-not-present (CNP) purchases is increasingly important, particularly for eCommerce merchants. The benefits of SCA, however, appear to be at least partially negated by the added friction.
More friction during checkout goes hand-in-hand with reduced conversion. For example, when the Indian Government enacted a similar regulation back in 2014, some businesses reported an overnight conversion drop of more than 25%. In today’s European market, a 25% drop in conversion would equate to a potential €150 billion economic loss in just one year.
With those kinds of statistics, it’s not completely surprising that merchants are resistant to the change. More than half of merchants surveyed in a 2018 Mastercard release said they would not be fully compliant before the deadline. Of those, many said they had “zero plans to support” SCA standards.
The situation will undoubtedly improve as more merchants and consumers become acclimated to SCA protocols. Still, it’s worth noting that even 100% compliance would have no significant effect on one of the leading sources of chargeback issuances: friendly fraud.
Friendly fraud is a post-transaction threat: the cardholder was genuinely authenticated at checkout and disputes the charge anyway. The pre-transaction authentication required by SCA will therefore have little or no impact on it.
One whitepaper published by Fi911 found that global chargeback issuances will see a compound annual growth rate of 16.3% between 2018 and 2023. The majority of these cases will be instances of friendly fraud (61% in North America and 73% in Europe).
Exemptions and Exclusions to SCA
Strong customer authentication regulations will not necessarily apply to every transaction. As of this writing, SCA is mandatory only where both the payer's payment service provider (the issuer) and the payee's provider (the acquirer) are located in the EEA, or, for the UK rules, the UK. If one provider is outside that area (a "one-leg" or "one-leg-out" transaction), SCA is not required. The EEA provider is still expected to apply SCA on a best-efforts basis, however, so a foreign merchant's customers may still be challenged by their issuer.
There are a number of other conditions that can make a transaction exempt from these requirements, including:
- Merchant-Initiated Transactions: Transactions initiated by the merchant without the payer present, such as rebills under a subscription service, are outside the scope of SCA. The initial transaction that sets up the mandate must still be authenticated, and each rebill must be flagged as merchant-initiated in the authorization so the issuer does not expect SCA on it.
- Mail Order and Telephone Order: MOTO transactions are out of scope, as two-factor authentication cannot be conducted effectively via phone or physical mail. They must be flagged as MOTO in the authorization to be treated that way.
- Low-Risk Transactions: Transactions that register as "low risk" in real-time analysis can be exempted, up to a ceiling that depends on the fraud rate of the provider applying the exemption: €500 if its fraud rate is below 0.01%, €250 below 0.06%, and €100 below 0.13%. Your acquirer can request this exemption on your behalf, but the issuer can still choose to challenge.
- Low-Value Transactions: Remote transactions of €30 or less are exempt from SCA. The exemption is subject to a velocity limit, tracked by the issuer, of five transactions or €100 cumulatively since the last time SCA was applied; once either limit is reached, SCA is required again and the counters reset.
- Whitelisted (Trusted Beneficiary) Transactions: After an SCA-verified purchase, consumers can opt to add you to a list of trusted beneficiaries held by their issuer, making successive SCA checks unnecessary. The cardholder adds you during the authentication challenge, so you must implement 3-D Secure 2 to use this functionality.
- Corporate/Virtual Card Transactions: Payments made through dedicated corporate payment processes, such as lodged cards and virtual card numbers not tied to an individual cardholder, can be exempted where the regulator is satisfied that the process provides equivalent security.
Transaction Risk Analysis (TRA) is the basis for the low-risk exemption above. It scores each transaction in real time on signals such as the payer's past behaviour, device, and location, and lets a low-scoring transaction through without a challenge, so it removes friction rather than adding it. It only stops the fraud the model actually catches, which is why the rules tie the exemption to the provider's measured fraud rate and withdraw it if that rate climbs above the threshold. Your acquirer controls whether and how TRA exemptions are requested on your behalf, so we recommend reaching out to them to learn more.
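The exemption rules above form a decision procedure, and the way the scope checks, the low-value counters and the TRA ceiling interact is easier to see when written out. The following is an added example, not code from the original article or from any payment provider: a Python routine that walks constructed card-not-present authorizations for one card through the scope checks and exemptions and reports why each one was or was not challenged. The euro thresholds are the ones stated above; the field names, the 0-to-1 risk-score scale, the 0.2 risk threshold and the 0.05% sample fraud rate are assumptions made for this illustration. Real deployments split this logic between acquirer and issuer (only the issuer holds the per-card counters), and the issuer can always answer an exemption request with a challenge.

```python
"""Added example: choosing an SCA exemption for a card-not-present payment.

Thresholds are the RTS on SCA figures (EUR 30 low value, 5 / EUR 100 counters,
TRA ceilings of EUR 500 / 250 / 100 by fraud rate). Field names, the risk-score
scale and the risk threshold are assumptions made for this illustration.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Tuple

LOW_VALUE_MAX = Decimal("30")
LOW_VALUE_COUNT = 5
LOW_VALUE_CUMULATIVE = Decimal("100")

# TRA ceilings keyed by the exempting PSP's reference fraud rate (remote card payments).
TRA_CEILINGS = (
    (Decimal("0.0001"), Decimal("500")),  # fraud rate below 0.01 %
    (Decimal("0.0006"), Decimal("250")),  # below 0.06 %
    (Decimal("0.0013"), Decimal("100")),  # below 0.13 %
)


@dataclass
class Transaction:
    amount: Decimal                       # euros
    payer_psp_in_eea: bool                # issuer location
    payee_psp_in_eea: bool                # acquirer location
    channel: str                          # "ecom", "moto" or "mit" (assumed labels)
    risk_score: Decimal                   # 0 = clean .. 1 = certain fraud (assumed scale)
    mandate_authenticated: bool = False   # MIT only: was the mandate set up under SCA?
    payee_trusted: bool = False           # payer whitelisted this merchant at the issuer

    def __post_init__(self):
        # Accept str/int/float as payment APIs deliver them; never do money maths in float.
        self.amount = Decimal(str(self.amount))
        self.risk_score = Decimal(str(self.risk_score))


@dataclass
class CardCounters:
    """Issuer-side state for one card since its last SCA (low-value velocity limit)."""
    txns_since_sca: int = 0
    amount_since_sca: Decimal = Decimal("0")


def tra_ceiling(fraud_rate) -> Optional[Decimal]:
    """Highest amount the TRA exemption may cover at this fraud rate, or None."""
    fraud_rate = Decimal(str(fraud_rate))
    for max_rate, ceiling in TRA_CEILINGS:
        if fraud_rate < max_rate:
            return ceiling
    return None  # fraud rate too high: TRA is not available at all


def select_exemption(tx: Transaction, counters: CardCounters, fraud_rate,
                     risk_threshold=Decimal("0.2")) -> Tuple[str, str]:
    """Return (outcome, reason); outcome is out_of_scope, exempt or challenge.

    In-scope decisions update the counters: a challenge resets them (SCA was
    applied), an exempted transaction advances them. Out-of-scope traffic
    (MOTO, MIT, one-leg-out) is not a payer-initiated remote payment and
    leaves them alone.
    """
    if tx.channel == "moto":
        return "out_of_scope", "moto"
    if tx.channel == "mit":
        # A rebill is out of scope only if the mandate itself was authenticated.
        if tx.mandate_authenticated:
            return "out_of_scope", "merchant_initiated"
        return "challenge", "mit_without_authenticated_mandate"
    if not (tx.payer_psp_in_eea and tx.payee_psp_in_eea):
        return "out_of_scope", "one_leg_out"  # EEA PSP applies SCA on best efforts only

    if tx.payee_trusted:
        outcome = ("exempt", "trusted_beneficiary")
    elif (tx.amount <= LOW_VALUE_MAX
          and counters.txns_since_sca < LOW_VALUE_COUNT
          and counters.amount_since_sca + tx.amount <= LOW_VALUE_CUMULATIVE):
        outcome = ("exempt", "low_value")
    else:
        ceiling = tra_ceiling(fraud_rate)
        if (ceiling is not None and tx.amount <= ceiling
                and tx.risk_score < Decimal(str(risk_threshold))):
            outcome = ("exempt", "tra")
        else:
            outcome = ("challenge", "no_exemption_applies")

    if outcome[0] == "challenge":
        counters.txns_since_sca = 0
        counters.amount_since_sca = Decimal("0")
    else:
        counters.txns_since_sca += 1
        counters.amount_since_sca += tx.amount
    return outcome


def run_sample() -> List[str]:
    """Run constructed transactions for one card and return the reason codes."""
    counters = CardCounters()
    fraud_rate = "0.0005"  # 0.05 % (assumed): TRA ceiling is EUR 250
    eea = dict(payer_psp_in_eea=True, payee_psp_in_eea=True)
    txs = [Transaction("20", channel="ecom", risk_score="0.05", **eea) for _ in range(5)]
    txs += [
        Transaction("10", channel="ecom", risk_score="0.05", **eea),   # counters exhausted
        Transaction("180", channel="ecom", risk_score="0.05", **eea),  # above EUR 30, low risk
        Transaction("180", channel="ecom", risk_score="0.6", **eea),   # risky: challenge
        Transaction("400", channel="ecom", risk_score="0.05", **eea),  # above the TRA ceiling
        Transaction("40", payer_psp_in_eea=True, payee_psp_in_eea=False,
                    channel="ecom", risk_score="0.05"),                # non-EEA acquirer
        Transaction("40", channel="moto", risk_score="0.05", **eea),
        Transaction("9.99", channel="mit", risk_score="0.05",
                    mandate_authenticated=True, **eea),
    ]
    return [select_exemption(tx, counters, fraud_rate)[1] for tx in txs]


if __name__ == "__main__":
    for reason in run_sample():
        print(reason)
```

Running the sample shows the counter behaviour the article describes: five €20 purchases go out under the low-value exemption, the sixth (€10) no longer qualifies because the five-transaction counter is exhausted and falls through to TRA, and the first challenge (a risky €180 purchase) resets the counters so that low-value purchases would qualify again afterwards.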
Payment service providers have also provided other tools to help merchants adjust to SCA. The most commonly cited include:
- 3-D Secure
- Rule-Based Fraud Screening
- Transaction Risk Analysis (TRA)
- Exemption Management
- Delegation of Exemption
Just a Matter of Time?
At least for now, the European Union's strong customer authentication standards only apply when both the issuer and the acquirer are in the EEA. Transactions acquired outside the EEA are defined as "one-leg-out": only one party's provider is based in the EEA, and therefore the transaction is not subject to the SCA mandate.
That means US-based eCommerce merchants can sell to EU markets without a formal SCA compliance obligation. Don't mistake that for immunity, though: EEA issuers are expected to apply SCA to one-leg-out transactions on a best-efforts basis, so supporting 3-D Secure 2 is still worthwhile, and you can't count on the exclusion remaining in place forever.
The idea behind the SCA mandate is quickly spreading. Australia, Mexico, and Turkey, for example, are all either considering SCA policies, or already have them in place. Even in the US, the major card networks are already promoting voluntary compliance with SCA standards.
It seems likely that US lawmakers will take up the issue themselves soon. If—or when—the US decides to implement its own SCA policies, we’ll need to focus on standardized, universally-applicable protocols for verifying user identities.
Until that time, however, it’s probably a good idea to start implementing necessary changes and adopting business best practices in preparation.
How Can You Make the Most of SCA?
Like it or not, some level of friction is unavoidable with strong customer authentication. That said, it’s also important to distinguish harmful friction points from useful fraud prevention barriers. Rather than resisting all friction, try redirecting to more positive ends.
“Negative” friction slows down processes for little or no reason, and thereby encourages cart abandonment. “Positive” friction points, in contrast, can be minimal or even unnoticeable from the buyer’s perspective, while delivering greatly increased fraud protection. Examples of positive friction include:
- Verifying CVV at checkout
- Asking buyers to confirm their order before finalizing
- Making account creation optional
- Requiring strong, unique passwords for all new accounts (long passphrases checked against lists of breached passwords work better than arbitrary complexity rules)
- Offering 3-D Secure 2.0 for users who opt-in to the service
- Employing backend fraud tools (geolocation, IP verification, fraud scoring, etc.)
- Offering mobile payments with two-factor authentication
Some items on this list may already be part of your normal online checkout. If so, you’re already ahead of the game.
What does SCA mean?
SCA refers to strong customer authentication, a requirement under EU and UK payments law that electronic payment card transactions be verified using two of three independent authentication factors unless an exemption applies.
Is strong customer authentication actually the law?
Yes. SCA has been required by law in the EU and the UK since September 14, 2019. Regulators allowed a migration period, however: EEA issuers and acquirers had to enforce it from December 31, 2020, and UK merchants have until March 14, 2022 to make sure their business is fully compliant.
When did strong customer authentication come into effect?
SCA came into force across the EU and the UK on September 14, 2019, but enforcement was phased in and the transition timeline varied from one country to the next. The EEA migration period ended on December 31, 2020; in the UK, March 14, 2022 marks the final deadline for full compliance.
When is strong customer authentication required? Does it apply to all sales?
SCA is required for electronic payments within the EU and UK unless an exemption applies. The law currently does not apply to transactions where one party's payment service provider is based outside the EEA or UK, though the EEA provider is still expected to apply SCA on a best-efforts basis. There are other exceptions that apply as well, based on the circumstances of the transaction.
Will the US ever implement SCA requirements?
Indicators suggest it is likely, if not inevitable, that the US will eventually adopt a strong customer authentication policy of some kind. Other countries around the world are already implementing similar mandates.