April 15, 2021

New Whitepaper Explores How SCA Rules Will Impact Merchants

by Tracy Cray, Head for Card Scheme Compliance at Chargebacks911 and Fi911

Authenticating buyers is a basic component of merchant risk management. With Strong Customer Authentication (SCA) standards now in place in the European market, merchants are expected to make it more of a priority than ever before.

The SCA rollout will continue through to late 2021, though that could change of course. The timeframe for compliance has already shifted multiple times across different markets on the continent. The rollout has been a staggered process, with some countries already expected to comply, while others have additional months of gradual enforcement.

These rules were introduced to the European market under the new Payment Services Directive (PSD2) protocol adopted several years ago. In the simplest terms possible, SCA standards require merchants to collect additional verification information for cardholders prior to completing a transaction. Now, merchants must verify buyers by at least two of the following three methods:

  • Possession: This is something the user physically possesses, like a credit card. If the user can verify the CVV on the back of the card, it is reasonable to presume the user possesses the card.
  • Knowledge: Something the user knows. A user might have a PIN code attached to the account in question, so verifying the PIN provides additional identity verification.
  • Inherence: Something the user inherently is. A biometric impression, like a fingerprint or facial scan, would fulfill this requirement.

These rules are meant to help protect consumers against more than one billion euros in annual losses resulting from online fraud. But, as we see in a new whitepaper published by Fi911, SCA requirements will have much broader effects than most of us first realised.

SCA: Problems and Potential Exemptions

Merchants have already raised concerns about increased friction during the checkout process due to SCA. That is a well-founded concern; as cited in the report, test data from Microsoft found that only 76% of browser-based transactions could be verified using SCA. For app-based purchases, the figure sinks to just 48%. Furthermore, SCA requirements prompted 14% of browser-based shoppers to abandon their purchases. With app-based shoppers, a quarter of potential buyers abandoned their carts.

Worrying as that may be, there are other roadblocks to consider. To name just one, we are likely to see some confusion about SCA liability and applicability across different regions and transaction types. There is also the risk of complacency in other areas of fraud management; given that 60-80% of all chargebacks may be cases of friendly fraud, this is a mistake merchants cannot afford to make.

But with these considerations comes a bounty of opportunities. With the right procedures, it should be possible to eliminate many of these concerns. First, we have to note the exemptions to the SCA rules. If any of the following apply to a transaction, then the merchant is not required to deploy SCA:

  • Merchant-Initiated Transactions: SCA may be needed for an initial transaction. But, any subsequent merchant-initiated transactions, like rebills, are exempt afterward.
  • Mail Order: Transactions initiated by mail or telephone are exempt, as it would be too difficult to enforce SCA protocols through these channels.
  • Prepaid Card Transactions: Prepaid cards are anonymous. Therefore, SCA would not have any effect on these purchases.
  • "One-Leg" Transactions: SCA is part of EU legislation. As such, it is only required if both the payer and the payee are located within the EU's jurisdiction.
  • Low-Value Purchases: Merchants are not required to enforce SCA rules for transactions with a total value of less than €30.
  • Whitelisted Transactions: After one SCA-verified purchase, a consumer has the option to whitelist merchants. This allows them to bypass SCA requirements for subsequent purchases.
  • Corporate/Virtual Card Transactions: Buyers may skip SCA requirements if using a virtual payment card, or a corporate card not issued in the customer's name.

What About Transaction Risk Analysis (TRA)?

In addition to the exemptions outlined above, there's also Transaction Risk Analysis, or TRA. This could be a key asset for merchants; with TRA, we may be able to exempt most transactions from SCA requirements.

TRA refers to a process of real-time behavioural observation and analysis conducted during a transaction. TRA looks at key fraud indicators and evaluates risk for each individual transaction. This is done without increasing friction on customer experience.

This is a great asset, but it is not directly under the merchant's control. TRA is deployed at the institutional level and the merchant's ability to take advantage of it depends on the acquirer's track record regarding fraud prevention.

Let's assume that a merchant wants to take advantage of TRA on a transaction valued at less than €100. The merchant's acquirer would need to maintain a fraud rate of no greater than 13 bps (0.13% of total transactions) in the previous 90 days to deploy TRA on this transaction. The requirements are even more strict for higher-value transactions.

This underscores the importance of close collaboration between merchants and financial institutions to manage fraud. In fact, one's capability to deploy TRA may even factor into decision-making when securing processing and banking services.
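The exemption list and the TRA threshold above, encoded as a rule check. This is an added example, not code from the whitepaper or from Fi911; the transaction fields, the order in which the exemptions are tested and the count-based fraud-rate calculation are assumptions made here, and only the sub-€100 TRA band the article quotes is modelled (higher-value bands fall back to requiring SCA).

```python
# Added example (not from the whitepaper or Fi911): evaluates the SCA exemptions
# listed in the article plus the TRA threshold it quotes. Field names, check
# order and the transaction record layout are assumptions for this illustration.
from dataclasses import dataclass
from typing import Optional

LOW_VALUE_LIMIT_EUR = 30.0    # low-value exemption: total below €30
TRA_VALUE_LIMIT_EUR = 100.0   # the only TRA value band the article quotes
TRA_MAX_FRAUD_BPS = 13.0      # 13 bps = 0.13% of transactions, trailing 90 days
BPS_PER_UNIT = 10_000


@dataclass
class Transaction:
    amount_eur: float
    payer_in_eu: bool
    payee_in_eu: bool
    merchant_initiated: bool = False    # rebill after an SCA-verified first payment
    mail_or_phone_order: bool = False   # mail order / telephone order channel
    prepaid_card: bool = False
    whitelisted_by_cardholder: bool = False
    corporate_or_virtual_card: bool = False


def acquirer_fraud_bps(fraud_count: int, total_count: int) -> float:
    """Fraud rate in basis points over the acquirer's trailing 90-day window."""
    if total_count <= 0:
        raise ValueError("no transactions in the 90-day window")
    return fraud_count * BPS_PER_UNIT / total_count


def sca_exemption(tx: Transaction, acquirer_bps: float) -> Optional[str]:
    """Return the first applicable exemption, or None when SCA is required."""
    if not (tx.payer_in_eu and tx.payee_in_eu):
        return "one-leg"                 # both parties must be in the EU for SCA
    if tx.merchant_initiated:
        return "merchant-initiated"
    if tx.mail_or_phone_order:
        return "mail-order"
    if tx.prepaid_card:
        return "prepaid"
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        return "low-value"
    if tx.whitelisted_by_cardholder:
        return "whitelisted"
    if tx.corporate_or_virtual_card:
        return "corporate-or-virtual"
    # TRA: acquirer's 90-day fraud rate must not exceed 13 bps for the < €100 band.
    if tx.amount_eur < TRA_VALUE_LIMIT_EUR and acquirer_bps <= TRA_MAX_FRAUD_BPS:
        return "tra"
    return None
```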

Leverage Friction to the Merchant's Benefit

Transaction Risk Analysis is a great asset to help strike that delicate balance between security and friction. But, even then, we must acknowledge that some degree of transaction friction is unavoidable.

The purpose of Strong Customer Authentication is to deter fraudsters by introducing friction. However, some legitimate cardholders will still be turned away by the additional screening requirements. Rather than accepting the situation as is, though, merchants may be able to leverage friction more effectively to stop fraud while retaining customers.

Not all points of resistance in the transaction process are created equally. Some will slow down processes with no tangible benefit to the merchant or cardholder, while others serve as valuable roadblocks to deter fraud with minimal impact on customers. The key is to distinguish between "positive" and "negative" friction points, and learn how to build on the former, while eliminating the latter.

Broken or dysfunctional product pages, slow response times, unnecessary and redundant fields during checkout, and confusing or misleading page content are all negative points of friction. They slow down sales and frustrate buyers, but offer no benefit. In contrast, asking buyers to verify orders before finalising is a positive friction point.

Backend fraud tools like geolocation, velocity limits, blocked lists, and fraud scoring are all positive friction points. The same goes for making account creation an optional process, but requiring complex passwords.

Collaboration is Key

Strong Customer Authentication will introduce more friction to the transaction process. That is something beyond a merchant's control. However, with the right tools and practices in place, merchants can ensure that SCA only comes into play when necessary, and that any slowdowns resulting from SCA are offset by optimisation elsewhere.

Merchants should work hand-in-hand with their processor to perform an overview of the customer experience from end-to-end. This will help pinpoint friction points to eliminate, and also identify opportunities to improve processes. Only then can merchants really get the most out of these new SCA requirements.