SCA scenario in Europe
Anti-fraud regulation in Europe gave us strong customer authentication (SCA). If you are a merchant in Europe, you know very well what this means. And, perhaps, you also know that it can be tricky to use it without creating more friction in your checkout process. But alternatives exist that allow merchants and card issuers to share more data with each other, which builds more trust while speeding up the payment authentication process. Delegated authentication is an option that merchants should look at to make checkouts faster and reduce friction for customers. After all, no one wants unhappy customers.
How SCA works and how it impacts Customer Experience
SCA requires all online e-commerce payments to apply multi-factor authentication using two of three factors – a PIN or password, a card or phone, or a biometric (fingerprint/iris) scan. Merchants collect this information from customers at checkout and pass it to the card-issuing bank to authenticate the transaction. The issuing bank uses a set of complex processes to verify whether a transaction is legitimate or fraudulent. Sometimes, a bank might falsely decline a transaction even though it is legitimate. This hampers the customer experience and turns away hard-earned customers. Data shows that average failure rates were nearly 30% in 2021 – meaning three out of ten transactions that applied SCA failed.
So, how do merchants balance SCA without turning away customers? Delegated authentication allows merchants to apply SCA and verify transactions in place of issuers and acquirers. Thus, merchants can meet all SCA norms while ensuring customers have the best checkout experience.
What is Delegated Authentication?
Usually, the card-issuing bank performs the authentication. But in the case of delegated authentication, the merchant directly authenticates the customer without redirecting to the issuer. This simplifies the payments process, leading to higher conversion rates. The merchant can perform the authentication themselves or outsource it to selected third parties. This means less friction and a better customer experience. More importantly, the merchant has greater control over how to perform SCA.
How can merchants perform delegated authentication?
Merchants must be using 3D Secure 2.2 to take up delegated authentication. 3DS 2.2 allows merchants to optimize the customer experience by sending more data to the issuing bank. In effect, the merchant pre-qualifies a customer so that the issuing bank approves the payment more easily, and the issuing bank can shift the authentication process to the merchant or their chosen third parties on the basis of transparency and trust. 3D Secure 2.2 lets merchants pre-screen their customers and classify them as low-risk. Future payments made by these customers do not have to go through SCA. Merchants can request transaction risk analysis (TRA) exemptions from an issuer based on the value and risk of such transactions. Thus, whitelisted low-risk transactions are approved easily, while high-risk transactions go through further checks.
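The routing described above (exempt low-risk payments, send the rest through two-factor SCA), sketched as an added example that is not Novalnet's code. It goes beyond the page by using the TRA amount bands and reference fraud rates from the PSD2 RTS (Regulation (EU) 2018/389, Article 18 and Annex); the risk score, its cutoff and all names are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Reference fraud rates for remote card payments from the PSD2 RTS
# (Regulation (EU) 2018/389, Article 18 and Annex); not stated on this page.
# Each entry: (maximum amount in EUR, maximum PSP fraud rate in basis points)
TRA_BANDS = [(Decimal("100"), Decimal("13")),
             (Decimal("250"), Decimal("6")),
             (Decimal("500"), Decimal("1"))]

# The three SCA factor categories, with the sample elements the article lists.
FACTOR_CATEGORY = {"pin": "knowledge", "password": "knowledge",
                   "card": "possession", "phone": "possession",
                   "fingerprint": "inherence", "iris": "inherence"}


@dataclass
class Transaction:
    amount_eur: Decimal
    risk_score: float            # hypothetical fraud-engine score, 0 (safe) to 1
    psp_fraud_rate_bps: Decimal  # fraud rate of the PSP applying the exemption


def tra_eligible(txn, low_risk_cutoff=0.2):
    """True when the risk score, amount band and PSP fraud rate all allow TRA."""
    if txn.risk_score >= low_risk_cutoff:  # cutoff is an assumed policy value
        return False
    for max_amount, max_rate in TRA_BANDS:
        if txn.amount_eur <= max_amount:
            return txn.psp_fraud_rate_bps <= max_rate
    return False  # above EUR 500 the TRA exemption never applies


def sca_satisfied(factors):
    """Two elements count only if they come from two different categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2


def route(txn, factors=()):
    """Choose the checkout path for one payment."""
    if tra_eligible(txn):
        return "request_tra_exemption"
    return "authenticated" if sca_satisfied(factors) else "sca_challenge"
```

A PIN plus a password does not pass `sca_satisfied`, because both are knowledge factors; the issuer can still decline an exemption request and ask for SCA.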
What do merchants need to do for delegated authentication?
Merchants who wish to use delegated authentication must prepare their payment ecosystem to support 3DS 2.2. Update to the latest versions of 3DS 2.2. Minimize risk levels by using strong fraud protection and advanced payment systems. Banks have stringent criteria to decide whether a merchant should be allowed to perform delegated authentication or not. Only those merchants who can prove they have robust fraud prevention measures in place can perform delegated authentication.
However, banks nowadays are more willing to accept the assurance of trusted third parties (for example, an eminent fraud prevention provider) as sufficient to delegate authentication to a merchant. Hence, make your case for delegated authentication to issuer banks; try to become a trusted merchant. Earlier, e-commerce merchants had to seek individual approval from issuing banks in order to process their cards. Fortunately, card schemes like Visa and Mastercard are working to remove barriers to enable merchants to perform delegated authentication, acting as a go-between for banks and online retailers.
Importance of Fraud Protection in Delegated Authentication
Merchants, or the third party acting on their behalf, bear the full liability for chargebacks when they sign up for delegated authentication. Hence, it is crucial to reduce your risk exposure with robust fraud protection solutions. If you want to process high-value transactions, the authentication you use must match the risk level of these transactions. A strong fraud solution will give you more confidence to process high-risk transactions and seek exemption requests when necessary. AI-based fraud management solutions can analyze each transaction in real time and suggest the best course of action based on the risk profile. They will automatically direct each consumer to the checkout experience best suited to them, so as to reduce risk and limit your liability exposure. Many fraud prevention solutions also offer liability guarantees, ensuring you do not lose any money – a true win-win.
How Can Novalnet Help?
Novalnet is a global PSP with deep experience in processing payments for the European industry. Many of Europe’s leading brands trust us with their payments. We can guide you on how to use SCA to make your payments more efficient.
Our technology helps you to accept payments globally in 125+ currencies in 150+ automated country-specific payment methods. Using our instant payment plug-ins, set up your payments within minutes with minimal coding. With our AI-based risk management solutions and advanced analytics, you can design the best payment experiences for your customers, all in a fully secure PCI DSS environment.
Reach out to us to learn more about delegated authentication for your business.
Gowri Shankar is the IT Application Security Manager at Novalnet, with versatile knowledge in programming and system/security architecture, 11+ years of experience in the financial services industry, cybersecurity and the Payment Card Industry Data Security Standard (PCI DSS), and certifications in Advanced Payment Card Industry Security Implementer (CPISI 2.0), Secure Software Lifecycle Professional (CSSLP) from (ISC)².