Strong Customer Authentication (SCA) – Impact on Online Merchants

The details around the European Banking Authority (EBA’s) proposal for Strong Customer Authentication (SCA) are final and the requirements for SCA are expected to come into force by February 2019.

What is SCA and what will it mean for online merchants? Will it impact conversion? Do merchants need to do anything to prepare for SCA?

This article discusses the requirements around SCA from an online merchant’s point of view. The article summarises the key areas and actions around which online merchants should begin preparation.

What is Strong Customer Authentication (SCA)

SCA is part of an EU regulatory initiative to reduce fraud on electronic payment transactions. SCA achieves this by ensuring an appropriate level of authentication of the payer at the time of making the transaction.

How does SCA require the payer to be authenticated?

SCA requires that at least 2 out of the following 3 elements is used in authenticating the payer:

 – Something the payer knows: e.g. password

– Something the payer has: e.g. randomly generated PIN on a security device or a PIN via SMS to the payer’s mobile phone

– Something the payer is: e.g. biometric identification like fingerprints or iris scans

Will SCA cover all types of payment methods used by online merchants?

Yes, the objective of SCA is to reduce fraud on all types of payments, including credit cards, debit cards, online banking payment methods, e-wallets etc.

Who is responsible for authenticating the payer?

The responsibility rests with the acquirer / payment service provider of the merchant being paid (payee) and the issuer / payment service provider of the payment instrument. It is expected that the merchant’s PSP will initiate SCA however if they do not then the consumer’s PSP can still insist upon it.

Does an online merchant have to do anything to prepare for SCA?

The requirements for SCA should be handled by PSPs and Banks. As PSPs and Banks begin to incorporate the requirements in their offerings they should contact merchants to inform them of the coming changes. Depending on how PSPs choose to implement SCA, merchants may need to make changes to their contracts and technical integrations with their PSP.

I use 3D secure, does that not already satisfy the requirements around SCA?

Some implementations of 3D secure that involve a password and some form of token satisfy the requirements around SCA. However there are many implementations of 3D secure that require only passwords, these are not compliant with the new SCA requirements.

Also, 3D secure can not be applied to mobile in-app payments.

The card schemes (Visa, MasterCard) are working towards a new version of 3D secure that will be SCA compliant.

Even then 3D secure only covers credit cards, the requirements for SCA are for an appropriate level of authentication on all payment transactions.

Will forcing authentication not impact conversion at the payment page?

Yes, forcing authentication on the payment page is expected to have an impact on conversion. However this impact on conversion is expected to be balanced out by a reduction in fraud.

The EBA also offers a number of important exceptions under which authentication will not be required. These exceptions are further expected to help with conversion.

What are some of the main exceptions for SCA when applied to online merchants?

The main exceptions where SCA will not be required for online merchants are:

Small value transactions – transactions under EUR 30 will not require SCA. However after either 5 below EUR 30 transactions or a cumulative total of EUR 100 from the same payer to payee the next transaction will need SCA.

Where the payer is not initiating the transaction – for example recurring payments where the payee is initiating the transaction will be exempt from SCA, also direct debits by definition will be exempt.

Where the payee is trusted by the payer – this effectively means that card on file and one click payments will continue to be allowed without the need for SCA at each payment.

Where either the acquirer is not in the EEA or the payment instrument is not issued in the EEA – this means that some merchants concerned more about conversion impact than fraud might choose to work with non EEA acquirers.

Transaction Risk Analysis – the SCA rules allows acquirers and issuers to perform their own risk assessment on a transaction and choose to not apply SCA if they feel confident that the transaction is not fraudulent.

However the acquirer / issuer must stay below a regulator defined fraud limit to be able to enjoy this flexibility. If their fraud levels rise then they will be forced to perform SCA.

This means that merchants are likely to migrate to low risk and larger acquirers whose lower fraud levels will mean the acquirer will have more flexibility to not apply SCA.

What is expected to be the overall impact for online merchants?

Firstly let’s take a look at the positive impact, it’s believed that approximately $16bn was lost just to card fraud globally in 2016. The SCA aims to reduce this loss. Reduction in fraud will give consumers more confidence to transact online and should mean that e-commerce growth can continue without friction from fraud.

Merchants already using 3D secure and transacting predominantly in cards should not see any major impact. The 3D secure protocols will be modified to incorporate the SCA requirements.

Fraud which used to be monitored and regulated primarily by the payment schemes will now be monitored by the financial regulators that license PSPs and acquirers. This will give space for the emergence of new and innovative methods of payment to challenge cards with the re-assurance that these methods will not be encumbered by high levels of fraud.

Merchants transacting primarily in smaller value transactions, below EUR 30 will see little impact.

Merchants using card on file will only see an impact on the initial conversion transaction. This should see card on file and tokenisation become an almost essential and universal offering from PSPs.

Merchants working with acquirers that have higher risk merchants on their books may find value in switching to acquirers with a better blend of higher and lower risk transactions. These acquirers with lower fraud levels will have more flexibility through their lower fraud levels to not mandate SCA and so keep the conversion process friction free.

Non European domiciled merchants with substantial EU consumer traffic who set up entities in Europe purely to be able to work with a European acquirer may want to weigh any advantage offered to them by this European acquirer against the demands that will be placed by SCA.

Merchants originating in the EEA with entities outside of the EEA may want to consider internal re-organisations to be able to transact via their non EEA entity and a non EEA acquirer. The work and change required to do this should be balanced against the benefit that might be gained by being able to circumvent the SCA requirements.

What will be the impact for PSPs and Acquirers and what should they do to prepare for SCA?

First of all a clear and active communication policy towards merchants is essential. Inform existing and prospective merchants of the impending changes and what is being done to prepare for them. Reassure them that their business is important and describe how everything will be done to ensure that any impact on the merchant’s conversion is minimised.

Create a strategy and plan for being compliant with SCA. This will require cooperation and teamwork across all departments within an Acquirer / PSP. We recommend setting up a separate task force or Program reporting to the Board to ensure that everything is planned out correctly and more importantly gets done in parallel to the business running as usual.

Beef up transaction risk analysis capabilities. PSPs and Acquirers who have relied on 3D secure to keep fraud levels low and do not have either in house or outsourced risk and fraud management capabilities will need to invest quickly in setting these up. The quality of these risk management capabilities will determine the extent to which the PSP and Acquirer will need to force the application of SCA. Merchants are likely to move to those PSPs that can keep application of SCA to a minimum.

PSPs and Acquirers servicing high risk and high fraud merchants will need to weigh the higher margins earned from these merchants for the risk they carry with the impact that the resulting high levels of fraud will have on their need to apply SCA.

Global PSPs with European acquiring may want to consider setting up non EEA acquiring licenses and migrate their high risk and fraud business to these non EEA licenses.

Conclusion

SCA is a bold, forward thinking and far reaching initiative that will bring the responsibility for regulating e-commerce fraud to the regulators of payment and financial institutions.

It should see a reduction in fraud on EEA issued and acquired transactions which should allow electronic transactions in Europe to continue to grow without friction from fraud.

The initiative should also promote the creation of new and innovative schemes and methods of payment which can rely on an existing framework of regulation that ensures fraud is kept to a minimum.