Strong customer authentication (SCA), a requirement of the EU's Revised Payment Services Directive (PSD2), is designed to improve online payment security and increase consumer confidence. It applies to most card-not-present payments, and requires issuers to authenticate their customers during certain payments using two-factor authentication.
SCA is an opportunity to provide your customers with an even smoother, more secure experience. Find out what you should consider when developing an authentication strategy for your unique business needs.
Some card-not-present transactions fall outside the scope of SCA. The main out-of-scope transaction types are:
Mail order / telephone order (MOTO)
Transactions in the MOTO channels are exempt.
Merchant-initiated transactions (MIT)
MIT transactions of both variable and fixed amounts, including subscriptions, are generally exempt. SCA only needs to be applied to the first in a series of recurring payments, initiated by the payer.
Transactions where either the issuer or acquirer is located outside the European Economic Area (EEA) are out of scope. SCA should still be applied on a “best efforts” basis.
Although SCA is a requirement for issuers, you can help ensure that your customers get the smoothest experience possible when authenticated. The payments industry wants SCA to be friction-free and is creating new processes and technologies to make that happen. But you and your customers can only benefit if you actively enable these innovations.
Think about your business goals
Decide what makes more sense for your wider business objectives: Doing the minimum to avoid declined transactions once SCA is applied? Or using SCA as an opportunity to offer a checkout experience that is both more secure and smooth? If it's the latter, you should consider adopting the latest SCA-related innovations.
The role of 3-D Secure (3DS)
The card payment industry widely accepts 3DS as the main authentication protocol. To help avoid issuer declines after SCA, merchants should support 3DS. Unlike earlier versions, the latest version of 3DS allows for mobile-friendly authentication and innovations such as biometric verification. It also allows you to help issuers avoid unnecessary authentication challenges by informing them when a transaction is merchant-initiated or qualifies for an exemption.
The regulation is complemented by some exemptions—specific low-risk scenarios when SCA is not required. Exemptions aim to support a frictionless checkout. By taking advantage of these exemptions, you can reduce friction without increasing risk for your customers—a win-win scenario.
There are four main exemptions:
Low-value (below €30) transactions
Remote transactions of up to €30 do not require SCA, subject to a maximum of five consecutive transactions or a cumulative limit of €100.
Under certain conditions, acquirers can perform real-time risk analysis on transactions and, if they assess the risk to be low, ask the issuer to forgo SCA. Talk to your acquirer to understand your options. Issuers can also forgo SCA based on their own risk analysis.
Payments made through dedicated corporate processes and protocols (e.g. lodge cards, central travel accounts and virtual cards) which are initiated by business entities, not available to consumers, and which already offer high levels of protection from fraud, may be exempted from SCA.
Only the latest version of the 3DS protocol lets you request an applicable exemption. You'll need exemption optimisation capabilities: a way for your system to reliably identify when transactions qualify for an exemption, and then apply the correct 3DS flags.
Look out, too, for future opportunities to help customers use the trusted listing exemption.
Your overall approach and exemption requests will depend on the nature of your business, your customers' expectations and your business objectives. Contact us to discuss your needs and learn how we can help you develop the best strategy for your business.
Shifting fraud patterns usually call for shifts in focus—and sometimes new techniques—in fraud management. SCA will make fraudsters work harder, so it's likely that fraud teams will need to move beyond “blunt” approaches and basic tools to a more balanced and sophisticated approach. Have you considered what this might look like for your business?
Since SCA doesn't apply to all transactions, your only protection for out-of-scope and exempt transactions is to continue to screen them for evidence of fraud. In fact, fraudsters may focus on these transactions more than ever before.
Your acquirer can only apply the low-risk exemption if their cumulative fraud rate remains below a specific threshold. They'll expect you to play your part with low fraud rates of your own, irrespective of whether you're ultimately liable for chargebacks. And card schemes will continue to require merchants to remain below scheme-specific fraud thresholds.
There's a reason why experts recommend multilayered, cross-channel fraud prevention and warn against relying too much on any single authentication or fraud screening method. Cybercriminals are not known for giving up easily, so while SCA is an important tool in the fight against fraud, it's no substitute for a strategy that combines SCA with active fraud screening.
For more information on SCA and why fraud screening remains vital, read our guide.
We know from experience that changes in purchasing and payment processes lead to shifts in fraud patterns. We can expect the same to happen once SCA is applied. We can't know for sure what changes we'll see as fraudsters adapt, but we can make educated predictions about how they'll exploit gaps in SCA coverage.
Read this article to gain insight about how fraudsters might try to work around SCA.
Is your fraud management strategy ready for SCA?
With SCA set to reshape the fraud landscape, now is a good time to adopt fraud management best practices. Contact us to discuss how we can help you develop a strategy for your unique business needs.