Strong Customer Authentication (SCA)

Payment fraud losses have been increasing for nearly a decade with little sign of easing. The European Commission has intervened by placing strong customer authentication (SCA) requirements on payment service providers to reduce fraud, as one of the core components of PSD2.
 

Timeline

The revised EU Payment Services Directive (PSD2) took effect on 13 January 2018; the Regulatory Technical Standards on SCA that it mandates apply from 14 September 2019, which is the deadline referred to throughout this page.
 
From 14 September 2019 the expectation is that all ecommerce card transactions will be processed via a secure industry protocol such as 3D Secure, and online transactions will need additional authentication unless an exemption applies.
 
VISA and MasterCard are mandating that the new version of 3D Secure (version 2.0) be in place for issuers and acquirers by April 2019, in preparation for mass adoption in September 2019.
 

Brexit

And yes, this is applicable to you even if the UK ‘eventually’ leaves the EU.
 

What is Strong Customer Authentication (SCA)?

 
PSD2 requires authentication based on two independent elements drawn from two of the three categories below (commonly known as two-factor authentication):
  • something your customers know (e.g. PIN or password)
  • something your customers have (e.g. card or phone)
  • something your customers are (e.g. fingerprint)
The elements must be independent: two elements from the same category (a PIN and a password) do not satisfy SCA, and the compromise of one element must not compromise the other. This applies to transactions where both the payer's and the payee's payment service providers are in the European Economic Area (EEA). From September, transactions that do not carry this two-factor authentication, and do not qualify for an exemption, may be declined.
 
Today, 3D Secure (3DS) version 1 is optional: merchants have the discretion to route a transaction through 3DS, which shifts liability for fraud-related chargebacks from the merchant to the issuer. After September 2019 it is anticipated that a much higher proportion of transactions (95%+) will require a step-up authentication.
 

Why only 95%+ of transactions?

Not all transactions will require additional authentication. PSD2 provides a number of exemptions to SCA which, used well, reduce friction and attrition in the customer payment journey. They are:
 
Low value exemption
Remote card transactions of €30 or less are considered low value and are generally exempt from authentication. However, the issuer tracks the payer's exempted payments since the last SCA: once five consecutive low value payments have been made, or the cumulative value of payments since the last SCA would exceed €100, SCA is required again and the counters start afresh.
 
Recurring payment exemption – e.g. subscription
A series of payments of the same value to the same merchant (such as subscriptions and membership fees) is exempt after the initial set-up. The set-up of the recurring payment will still require authentication, but all following transactions in the series will be exempt.
 
Payments that are made periodically to the same payee, but where the value changes each time (e.g. a utility bill), will not benefit from the exemption.
 
Whitelisting (or trusted beneficiary)
Customers will have the option to ‘whitelist’ a merchant they trust: after the first authentication is completed, they can ask their issuer to add the merchant to the list of trusted beneficiaries held on their record. Subsequent transactions with whitelisted merchants are likely to be exempt from further authentication.
 
However, it is worth noting that the issuer can still reject this request if the customer is thought to be a high fraud risk, and can ignore the whitelist (which it maintains on the customer's behalf) to challenge a transaction and request authentication.
 
Secured corporate payment exemption
When the transaction is initiated by a legal person (e.g. a business) rather than a consumer, and it is processed through a secure dedicated payment protocol, the Commission is satisfied that it does not require separate authentication, provided the alternative controls are sufficiently secure. This should include ‘secure virtual payments’ such as virtual cards or B2B cards.
 
Low risk transaction exemption (aka the TRA exemption)
This exemption, based on transaction risk analysis (TRA), arguably has the widest reach and usage. If a real-time risk assessment deems a transaction to be low risk, an exemption can apply. However, it comes with the most complex set of conditions: it is only available up to €500, and only to a PSP whose fraud rate for remote card payments, calculated on a rolling quarterly basis, stays below the reference rate for the amount band (0.13% up to €100, 0.06% up to €250, 0.01% up to €500).
 
To make this work, merchants have to rely on a payment service provider (e.g. their acquirer) to request the exemption on their behalf. In addition, whether the exemption can be applied depends on the PSP meeting the prescribed conditions, not on the merchant. This means that, to an extent, a merchant's ability to design and influence the payment experience is removed.
 
While the TRA exemption depends on the acquirer's fraud performance, the issuer retains the final authorisation decision as it does today: it can still decline, or step up, a transaction that the acquirer flagged as exempt.
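Worked example of the decision logic above (the two-factor category check and the exemptions), added here as an illustration; it is not code from the original page, from Barclaycard or SagePay, or from any issuer or 3D Secure implementation. The names `Factor`, `PayerState`, `Transaction`, `sca_exemption` and `process` are invented for the example, as is the assumption that the issuer's low-value counters reset whenever SCA is applied; the thresholds (€30 per payment, five consecutive payments, €100 cumulative) come from the text.

```python
# Added illustration of the SCA rules described on this page. It is not code
# from the original article, from Barclaycard or SagePay, or from any issuer or
# 3D Secure product. Class and function names, the per-payer counter layout and
# the reset-on-SCA rule are assumptions made for the example; the thresholds
# (€30 per payment, five consecutive payments, €100 cumulative) come from the
# text. Amounts are held in euro cents to avoid floating-point rounding.
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something the customer knows, e.g. a PIN
    POSSESSION = "possession"  # something the customer has, e.g. card or phone
    INHERENCE = "inherence"    # something the customer is, e.g. a fingerprint


def is_strong_authentication(factors):
    """SCA needs elements from at least two *different* categories.

    A PIN plus a password is two elements but one category, so we count
    distinct categories rather than elements presented.
    """
    return len({Factor(f) for f in factors}) >= 2


LOW_VALUE_LIMIT = 30_00        # €30 per remote card payment
LOW_VALUE_CUMULATIVE = 100_00  # €100 cumulative since the last SCA
LOW_VALUE_MAX_COUNT = 5        # consecutive exempt payments since the last SCA


@dataclass
class PayerState:
    """Counters an issuer would keep per payer (assumed layout)."""
    count_since_sca: int = 0
    cents_since_sca: int = 0
    trusted_payees: set = field(default_factory=set)
    recurring: dict = field(default_factory=dict)  # payee -> amount authenticated at set-up
    high_fraud_risk: bool = False


@dataclass
class Transaction:
    payee: str
    amount_cents: int
    recurring_series: bool = False


def sca_exemption(txn, state):
    """Return the name of the exemption that applies, or None if SCA is required.

    The order of checks is a product choice made for the example; the page
    does not prescribe one.
    """
    # Recurring series: exempt only when the amount matches what was
    # authenticated at set-up. A changed amount (a utility bill) gets no exemption.
    if txn.recurring_series and state.recurring.get(txn.payee) == txn.amount_cents:
        return "recurring"
    # Trusted beneficiary: the issuer may still challenge a high-risk payer.
    if txn.payee in state.trusted_payees and not state.high_fraud_risk:
        return "trusted_beneficiary"
    # Low value: the sixth consecutive exempt payment, or the payment that
    # would take the running total past €100, needs SCA again.
    if (txn.amount_cents <= LOW_VALUE_LIMIT
            and state.count_since_sca < LOW_VALUE_MAX_COUNT
            and state.cents_since_sca + txn.amount_cents <= LOW_VALUE_CUMULATIVE):
        return "low_value"
    return None


def process(txn, state, factors=()):
    """Decide a transaction and update the payer's counters.

    Returns ("approved", exemption), ("authenticated", None) or ("declined", None).
    """
    exemption = sca_exemption(txn, state)
    if exemption is None:
        if not is_strong_authentication(factors):
            return "declined", None
        # Assumption: a successful SCA resets the low-value counters
        # ("since the last application of SCA").
        state.count_since_sca = 0
        state.cents_since_sca = 0
        if txn.recurring_series:
            state.recurring[txn.payee] = txn.amount_cents  # series is now set up
        return "authenticated", None
    if exemption == "low_value":
        state.count_since_sca += 1
        state.cents_since_sca += txn.amount_cents
    return "approved", exemption


if __name__ == "__main__":
    payer = PayerState()
    for n in range(6):  # six €20 payments: five exempt, the sixth needs SCA
        print(n + 1, process(Transaction("shop", 20_00), payer))
```

Whether exempt recurring or whitelisted payments should also count towards the low-value counters, and which exemption an issuer prefers when several apply, are policy choices the page does not settle; the example counts only low-value exempt payments and tries the exemptions in a fixed order.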
 

What can you be doing now?

The changes to 3D Secure (known as 3D Secure 2.0) will start to be introduced by merchant banks and acquirers in the spring and continue to be rolled out across the summer.
 
There are actions you can take today to pave the way for September 2019. We recommend that you consider how these SCA changes could affect your customer journeys and sales models: depending on the design of the payment experience and operating model, SCA may have different implications for your business.
 

How will the user experience change?

We are currently waiting for payment acquirers (i.e. SagePay and WorldPay) to update us on that.
 

Sources

  • Barclaycard
  • SagePay
 

Further Reading

Infographic
https://www.europeanpaymentscouncil.eu/sites/default/files/infographic/2018-04/EPC_Infographic_PSD2_April%202018.pdf