A new payment regulation, Strong Customer Authentication (SCA), will soon be mandatory in the UK. In March 2022 this once-in-a-generation change will come into force for UK retailers, and bring with it the potential to massively disrupt an enterprise or to push an enterprise ahead.
SCA will undoubtedly be a vital pillar of protection for merchants and consumers alike; however, there is more to fraud, and more to fraud protection, than simply deploying an SCA solution. It is not, as some have mistakenly assumed, the only fraud solution a merchant will ever need.
European retailers have faced historic fraud pressure levels at a time when the payments landscape is undergoing upheaval due to the enforcement of PSD2’s Strong Customer Authentication (SCA) requirement. The addition of SCA’s robust two-factor authentication process has already been rolled out across much of Europe. But one only needs to look to the European countries where enforcement has begun in order to understand the limits of SCA’s fraud protection.
Many transactions are not subject to SCA, and whilst this is a saving grace for merchants who are worried about online customer experience, it means they will still be vulnerable to fraudsters, who will inevitably target the transactions that are exempt from this added SCA layer. Merchants should also consider the fact that a low fraud rate will be vital for providing a top-notch customer experience once SCA is enforced, and this is only possible by ensuring they have the most robust defenses in place.
SCA promises to better protect consumers by routing many transactions through 3D Secure and requiring two-factor authentication that calls for a shopper’s identity to be confirmed through two of the following:
Of course, there is nothing stopping fraudsters from attacking transactions protected by 3D Secure alone — and they do. The security protocol does shift liability from the merchant to its bank, but if a bank is hit by fraud often enough, it will protect itself by declining more orders.
That’s SCA in simple terms but the wonder of the regulation lies in the detail. And on closer inspection of what SCA stipulates, it is clear that a robust fraud protection solution will be the bedrock of a merchant’s successful SCA strategy because:
Let’s start with exemptions, as they are the key to providing a seamless SCA experience for online customers. Exemptions allow orders to be approved without undergoing SCA based on the notion that the transaction isn’t very risky or wouldn’t be very costly if things go wrong.
Skipping SCA is a highly desirable outcome, as stricter authentication measures have the potential to disrupt the customer’s online checkout experience. Testing featured in the latest CMSPI report into the impact of SCA in Europe shows 29% of SCA transactions are abandoned. This could be because they are declined, because of technical errors or because the customers simply got too frustrated with the added security layers. All of this could amount to an annual loss for merchants of €90 billion combined.
In a recent consumer survey, more than 37% of UK consumers said they’d been unable to complete a transaction because of new online security procedures. Moreover, more than 46% said they were very or somewhat likely to give up on transactions that require two-factor authentication.
For retailers, the key to taking advantage of SCA exemptions is to have all aspects of fraud under control. In order for merchants to qualify for exemptions, they must demonstrate that their fraud rates are sufficiently low to meet the thresholds in the new regulation. Exemptions are broken down into different transactional situations:
Beyond exemptions, there are other scenarios in which SCA is not enforced, which leaves merchants more vulnerable to fraud unless they have a solution in place.
The new SCA regulations apply to merchants within the European Economic Area. But not all customers who shop with merchants in the EEA live in the EEA. Their purchases are subject to an SCA exception known as the “one leg out” exclusion. If either the issuing or acquiring bank involved in a transaction is outside of the EEA, SCA does not apply. Therefore, those orders are protected only by whatever fraud solution the merchant has in place.
Certain types of orders — mail order and telephone — are not subject to SCA, meaning the next call-in order a retailer gets could well be from a fraudster. Transactions made with anonymous payment instruments — think prepaid gift cards — are not subject to SCA. This only leaves room for fraudsters to make their move.
Finally, consider the challenge of non-payments fraud, sometimes called friendly fraud. Abusive consumer claims ended 2020 at a level five times what it was before the COVID-19 pandemic set in, and in a consumer survey, more than 36% of UK consumers said they’d falsely claimed that a legitimate charge on their credit account was fraudulent. Just over 30% admitted to falsely claiming that an order never arrived or that an order was unsatisfactory when it did arrive.
Obviously, SCA is not going to detect friendly fraud, and retailers will need additional solutions in place.
Fraud rates and risks vary by retailer and even by retail vertical. But as the UK joins Europe under SCA regulations, it is clear that the new regulation is not a be-all and end-all fraud solution and merchants will need to consider other fraud solutions to protect their business and maintain an excellent customer experience online.