Why SCA for European E-commerce?
E-commerce in Europe continues to grow at a scorching rate, powered by mobile shopping and digital and alternative payments. But this growth has also led to an alarming rise in fraud, prompting regulators in Europe to frame tougher rules to protect consumers and businesses from fraudulent activity. The revised PSD2 guidelines have made Strong Customer Authentication (SCA) mandatory, prompting a scramble amongst merchants, issuers, and acquirers to comply.
SCA requirements came into effect in Europe from 1 January 2021 and are now fully enforced in almost all eligible European countries. In the UK, the revised deadline is 14 March 2022. This has made it necessary for e-commerce merchants in Europe to start implementing SCA and support 3D Secure 2 authentication to avoid potential issues.
When is SCA Required?
Strong Customer Authentication is a 2-factor authentication process that verifies every transaction using at least two of three possible factors: something the customer knows (a PIN or password), something they possess (a card or phone), or something they are (a biometric such as a fingerprint or iris scan). The main goal of SCA is to reduce payment fraud while keeping the payment process as frictionless as possible.
SCA applies to customer-initiated payments, such as online card payments and bank transfers. However, specific low-risk payments are exempt or fall outside its scope. Out-of-scope payments include recurring payments, mail order and telephone order (MOTO) payments, and one-leg-out (OLO) payments, where the merchant, acquirer, or issuer is based outside the European Economic Area (EEA).
Payments exempted under SCA include low-risk, low-value payments (below €30) and payments made to a trusted business: a customer can whitelist a merchant with their card issuer after an initial strong customer authentication, and all subsequent payments to that merchant are then exempt.
How Does 3D Secure 2 help in SCA?
As a business in Europe, using 3D Secure is the best way to comply with SCA requirements. 3D Secure is a security process that protects users from online card fraud by using 2-factor authentication.
3D Secure 2 is the latest version of 3D Secure, and it improves the checkout experience compared to earlier versions. 3DS 2 allows you to embed the authentication process in your checkout flow, making the user experience better. It uses a wider range of data elements (such as the customer's shipping address, device ID, and payment history) and biometric authentication to allow for frictionless authentication, which means smoother and more secure payments.
When a customer makes purchases from a merchant, the merchant and the payment service provider send a wide range of data elements to the cardholder’s bank to verify the transaction. Based on the information shared, the cardholder’s bank can immediately authenticate the payment (frictionless flow) or ask for more information before authenticating the payment (challenge flow).
If the payment is successfully authenticated with 3DS 2, the liability for the payment is passed to the bank, protecting the merchant from fraudulent transactions. However, if a payment falls within the exemptions, the liability remains with the merchant.
SCA and False Declines
False declines are legitimate transaction attempts that are declined because of suspected fraud. They cost merchants in Europe over €20 billion in lost retail sales each year. False declines lead to frustrated and unhappy customers, causing them to abandon their purchases or switch to other competing merchants. Typically, 20% of failed transactions are false declines, even without applying SCA. But the 2-factor authentication required in SCA can add more friction for consumers, leading to false declines and cart abandonment.
Data indicates an increase in payment declines in Europe even as the industry moves towards adopting SCA. Therefore, merchants must do all they can to reduce declines and apply SCA and 3DS 2 in smarter ways.
3 Tips On How To Apply SCA and 3DS 2 the Right Way
To ensure that you apply SCA without increasing the number of false declines, you have to use 3DS 2 dynamically. Here are three tips on how you can do this.
1. Use 3DS 2 Dynamically (or only when required)
3DS 2 is the best way to meet SCA requirements because it supports frictionless authentication, but it can sometimes lower the authentication rate compared to 3DS 1. Some transactions could be declined because the issuing bank does not enforce 3DS 2 or the card isn't enrolled.
Hence, to maximize conversion, you can configure Dynamic 3D Secure rules to determine which payments are sent for 3D Secure authentication and which are not. You can choose not to apply 3D Secure authentication unless the issuing bank requires it to complete the authorization. Don't trigger 3D Secure for out-of-scope transactions, and request an exemption whenever one applies.
In some cases, an issuing bank might decline legitimate transactions, which could ruin your customers' experience and possibly lead to a loss of revenue and users. It is recommended that you use issuer-specific logic to proactively request authentication and avoid such payment declines.
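The scope and exemption rules described under "When is SCA Required?" and the dynamic 3DS routing in this tip can be expressed as a single merchant-side decision function. The example below is added here and is not Novalnet's code or API; it assumes a hypothetical `issuer_requires_sca` flag standing in for whatever signal your payment provider exposes when an issuer insists on authentication, uses a constructed partial list of EEA country codes, and treats the liability shift as applying only when 3DS 2 authentication is actually requested (and succeeds). Real card-scheme rules attach further conditions to each exemption that the article does not go into, so treat this as the shape of the logic rather than a complete rulebook.

```python
"""Merchant-side SCA / 3DS 2 decisioning, simplified from the article's rules.

Added example, not Novalnet's code. Assumptions are marked in comments.
"""
from dataclasses import dataclass
from enum import Enum

# From the article: the low-value exemption applies below EUR 30.
LOW_VALUE_LIMIT_EUR = 30.00

# Constructed, partial set of EEA country codes for illustration only.
# (The EEA is the 27 EU member states plus Iceland, Liechtenstein and Norway.)
EEA = {"DE", "FR", "NL", "IT", "ES", "AT", "BE", "IE", "NO", "IS", "LI"}


class Decision(Enum):
    OUT_OF_SCOPE = "no_3ds_out_of_scope"      # do not trigger 3DS at all
    REQUEST_EXEMPTION = "request_exemption"   # flag the exemption, no challenge
    AUTHENTICATE = "request_3ds2"             # route through 3DS 2


@dataclass(frozen=True)
class Transaction:
    amount_eur: float
    channel: str               # "ecommerce" or "moto" (mail/telephone order)
    recurring: bool            # subsequent payment of a recurring series
    merchant_country: str
    acquirer_country: str
    issuer_country: str
    trusted_beneficiary: bool  # customer whitelisted this merchant with issuer
    issuer_requires_sca: bool  # hypothetical flag: issuer has asked for SCA


@dataclass(frozen=True)
class Outcome:
    decision: Decision
    reason: str
    liability: str  # "issuer" only after 3DS 2 authentication, else "merchant"


def is_one_leg_out(tx: Transaction) -> bool:
    """OLO: at least one of merchant, acquirer or issuer sits outside the EEA."""
    parties = (tx.merchant_country, tx.acquirer_country, tx.issuer_country)
    return any(country not in EEA for country in parties)


def decide(tx: Transaction) -> Outcome:
    # 1. Out-of-scope payments: the article says not to trigger 3DS for these.
    #    No authentication takes place, so no liability shift is assumed.
    if tx.channel == "moto":
        return Outcome(Decision.OUT_OF_SCOPE, "MOTO payment", "merchant")
    if tx.recurring:
        return Outcome(Decision.OUT_OF_SCOPE, "recurring payment", "merchant")
    if is_one_leg_out(tx):
        return Outcome(Decision.OUT_OF_SCOPE, "one-leg-out payment", "merchant")

    # 2. Issuer-specific logic: if the issuer has signalled it needs SCA,
    #    authenticate proactively instead of risking a decline.
    if tx.issuer_requires_sca:
        return Outcome(Decision.AUTHENTICATE, "issuer requires SCA", "issuer")

    # 3. Exemptions: skip the challenge, but liability stays with the merchant.
    if tx.trusted_beneficiary:
        return Outcome(Decision.REQUEST_EXEMPTION, "trusted beneficiary", "merchant")
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        return Outcome(Decision.REQUEST_EXEMPTION, "low value (below EUR 30)", "merchant")

    # 4. Everything else is in scope: request 3DS 2 and take the liability shift.
    return Outcome(Decision.AUTHENTICATE, "in-scope customer-initiated payment", "issuer")


if __name__ == "__main__":
    # Constructed sample batch covering each branch of the rule set.
    samples = [
        Transaction(120.0, "moto", False, "DE", "DE", "FR", False, False),
        Transaction(9.99, "ecommerce", True, "DE", "DE", "FR", False, False),
        Transaction(45.0, "ecommerce", False, "DE", "DE", "US", False, False),
        Transaction(25.0, "ecommerce", False, "DE", "DE", "FR", False, False),
        Transaction(250.0, "ecommerce", False, "DE", "DE", "FR", True, False),
        Transaction(250.0, "ecommerce", False, "DE", "DE", "FR", False, False),
        Transaction(25.0, "ecommerce", False, "DE", "DE", "FR", False, True),
    ]
    for tx in samples:
        out = decide(tx)
        print(f"{tx.amount_eur:>7.2f} EUR {tx.channel:<9} -> "
              f"{out.decision.value:<20} ({out.reason}; liability: {out.liability})")
```

The ordering matters: out-of-scope checks come first because 3DS cannot be applied to those payments at all, the issuer's own requirement overrides any exemption the merchant might otherwise claim, and only in-scope payments that are neither exempt nor issuer-forced go through the 3DS 2 challenge. Logging the `reason` alongside the decision is what lets you later reconcile declines against the rule that produced them.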
2. Apply SCA based on country-specific rollouts
SCA rollout has been fragmented across Europe, with most countries following their own ramp schedules, so a business operating across different markets faces considerable operational complexity in dealing with country-specific authentication logic. Request authentication only when required by PSD2 or by the cardholder's bank, adjusting to each country's enforcement timeline to minimize friction. Stay up to date on SCA rollouts across European markets and invest in keeping your payment systems current.
3. Inform Your Customers About SCA
To ensure that your customers are on board with SCA requirements, you have to inform them about the use of 3DS 2 to reduce the risk of drop-offs. Educate your customers on how to whitelist your website with their card issuer. Work with your payment provider closely to test your solutions and analyze the impact. This will help you to fine-tune the user experience and prepare for eventualities.
Reassure your customers about your efforts to keep the checkout experience smooth and all transactions secure. Remember, sensitive communication is key.
How Can Novalnet Help?
Enabling SCA and 3D Secure 2 brings great benefits for shoppers and merchants alike. Novalnet can help you implement 3DS 2 or upgrade your existing version. With our payment APIs, hosted payment page, and instant plug-ins, you can accept payments easily while remaining fully compliant with the revised PSD2 guidelines. Our tailor-made risk management solutions use AI and machine learning to protect your business from fraudulent activity and to design the best payment experiences for your customers, all within a PCI DSS-compliant environment.
Gowri Shankar is the IT Application Security Manager at Novalnet, with versatile knowledge of programming and system/security architecture. He has 11+ years of experience in the financial services industry, cybersecurity, and the Payment Card Industry Data Security Standard (PCI DSS), and is certified as an Advanced Payment Card Industry Security Implementer (CPISI 2.0) and a Certified Secure Software Lifecycle Professional (CSSLP) from (ISC)².