SCA Requirements: What Every Merchant Needs to Know

Another year…another delay for the full rollout of Strong Customer Authentication (SCA) requirements.

An opinion issued by the European Banking Authority (EBA) back in 2019 originally gave merchants until December 31, 2020, to complete implementation and testing for SCA compliance practices. This deadline was a delay of earlier cut-off points, but now, even that revised target date has been pushed back multiple times. This is likely owing to the unanticipated challenges resulting from COVID-19.

According to the most recent update as of this writing, the SCA rollout will continue through early 2022. This will be a staggered process, with merchants in some markets having regional- or national-specific deadlines. Others will also enjoy several months of gradual or partial enforcement before the rules are fully in effect.

SCA requirements only apply for transactions in which both the merchant and the cardholder are located in the EU. However, it may be only a matter of time before requirements modelled on SCA standards expand to other markets. With that in mind, it’s worth asking: how effective will these standards actually be at preventing fraud losses?

Ongoing Concerns About SCA Effectiveness

On one hand, Strong Customer Authentication requirements are projected to help defend consumers throughout the EU against more than one billion euros in annual losses resulting from online fraud. At the same time, preliminary data finds that the requirements may cause a substantial uptick in friction.

As outlined in a new whitepaper published by Fi911, SCA standards could be used to verify only 76% of browser-based transactions, and just 48% of app-based ones. Requirements also prompted 14% of browser-based shoppers to abandon a purchase; for app-based shoppers, the figure rose to one-quarter of shoppers.

Other concerns about SCA adoption persist as well. For example, there will be some confusion, at least at first, regarding liability and applicability in different regions. The same goes for different transaction types and product verticals, some of which will be exempt from SCA rules.

Finally, we should also keep in mind that not all fraud is a form of payment fraud. SCA requirements have no effect on tactics like friendly fraud, return fraud, and triangulation fraud.

Exemptions to SCA Requirements

As mentioned before, SCA only applies when both the merchant and the cardholder are located in a country in which SCA is legally mandated. So-called “one-leg” transactions are not required to deploy SCA. The added verification steps are also not required in the following cases:

  • Merchant-Initiated Transactions: After an initial purchase, any subsequent merchant-initiated transaction, like a rebill, is exempt.
  • Mail Order: There’s no way to reliably deploy SCA on mail order or telephone orders.
  • Prepaid Cards: Because prepaid cards are anonymous and disposable, there’s no way to employ SCA standards.
  • Low-Value Transactions: A purchase must be at least €30 for SCA to be a requirement.
  • Whitelisted Transactions: After an initial verification, cardholders can skip subsequent SCA verifications by whitelisting a merchant.
  • Virtual Card Transactions: Virtual cards, as well corporate cards not issued in the customer’s name, are exempt.

Another major opportunity for exemption is Transaction Risk Analysis, or TRA. This is a kind of real-time behavioural observation and analysis that looks at key fraud indicators and evaluates risk for each transaction based on known red flags. This can be done on the back end without increasing friction for buyers.

While that sounds great, it’s important to note that TRA is deployed at the institutional level. Whether a merchant can take advantage of it depends on the bank and their track record for fraud prevention. For example, let’s say one conducts a transaction that’s valued at less than €100. The bank would only be able to deploy TRA on that transaction if they’ve maintained a fraud rate of less than 0.13% of total transactions in the previous 90 days. The requirements are even stricter for higher transaction values.

Leveraging Technologies to Eliminate Friction

Transaction Risk Analysis is a great asset. However, we still have to note that some friction is unavoidable in the transaction process. The entire point of Strong Customer Authentication is to prevent fraud by introducing friction, which will inevitably impact—and deter—some legitimate buyers. So, what can be done?

The key is to accept that some friction is unavoidable, and learn how leverage friction to optimize the customer experience. We need to acknowledge that some points of resistance in the transaction process are genuinely helpful, in that they prevent fraud while having minimal impact on legitimate buyers. We have to distinguish these points from other, harmful points of friction that offer no real benefit.

Examples of friction points to avoid include:

  • Broken or dysfunctional web pages
  • Slow response times or unstable page loading
  • Unnecessary, redundant information fields during checkout
  • Confusing or misleading page content
  • Unexpected costs added to total at the end of the checkout process
  • Forcing customers to create an account before purchasing
  • Poor search functionality

All of these points could deter buyers, while offering no real benefit. In contrast, using a variety of backend fraud tools supported by fraud scoring, as well as optional account creation, can help authenticate buyers with no real impact on the customer experience. And yes, the same applies for using SCA augmented by TRA.

SCA will introduce a measure of resistance to the transaction process. The key is to offset that by eliminating unnecessary friction wherever possible. Merchants should work hand-in-hand with their processor to conduct an end-to-end examination of the customer experience. This will help identify harmful friction points, as well as opportunities for improvement.

SCA can be a valuable and helpful asset in the fight against fraud…but only if we leverage it effectively.

Digital & Social Articles on Business 2 Community

Author: David DeCorte

View full profile ›

(1)

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.