Voice of the Industry

They mean it this time: Strong Customer Authentication enforcement is coming to the UK

Wednesday 17 March 2021 08:54 CET | Editor: Andra Constantinovici | Voice of the industry

Shagun Varshney of Signifyd drills down into what 2021 means for SCA in the UK, how utilising exemptions can help merchants optimise revenue, and the key takeaways as we head to full enforcement in September 2021

Understandably after years of debate and delays, SCA, as it’s known, suffers from something of a credibility gap. The initial enforcement data was the 14th of September 2019. But retailers weren’t ready. Banks weren’t ready. Consumers, for the most part, hadn’t even heard about the change.

But come 14 September 2021, UK retailers will be required to abide by the robust two-factor identification requirement written into PSD2. 

The new SCA requirements are designed to make transactions more secure for consumers by making fraud more difficult to commit for fraudsters. But like any measure that seeks to prevent fraud, SCA can potentially add friction to the buying process. 

If you’re a retailer, the key to successfully complying with SCA, then, is to conduct the two-factor authentication without adding extra steps and inconvenience at checkout — the very moment a shopper is ready to virtually hand you money in exchange for your product.

Getting that experience right starts with the list of exemptions that allow merchants to bypass SCA and the checkout step-ups that come with it. One big catch: Whether exemptions are available to a merchant is up to the merchant’s payment service provider or a cardholder’s bank.

SCA exemptions can ease the new requirement’s burden

In general exemptions — and their close cousins, exclusions — are available when an order meets certain conditions: 

  1. The order is low risk and low value. 

  2. The merchant and its bank have maintained a low fraud rate and the transaction meets certain value limits.

  3. The transaction is considered ‘out of scope.’ The list for these exclusions includes phone or email orders, prepaid card transactions and transactions when the acquiring bank or the issuing bank are outside the EUR opean Economic Area — or ‘one leg out transactions. 

One other exemption is available, but only if a consumer’s bank agrees to allow it. It’s called the ‘Trusted Beneficiary’ exemption. It can be applied when a consumer expressly tells the bank that issued their credit card that they don’t want extra scrutiny applied when they are buying from specific merchants. Again, the issuing bank can refuse to allow the exemption. 

Avoiding SCA on some transactions can go a long way to avoiding customer confusion and frustration. More than 40% of those surveyed by market researchers Upwave on behalf of Signifyd indicated they had encountered step-ups in 2020. More than 37% of those said the step-up meant they could not complete their transaction. And more than 45% said they were either somewhat likely or very likely to give up on a transaction that required two-factor authentication. 

Exemptions do have their limits. Visa has a list of transactions that don’t require SCA under the right circumstances. The limits become clear there. 

The low-value exemption has its limits 

Consider low-value transactions, defined as under EUR 30. Great if a merchant sells fast-fashion, cosmetics, office supplies and other low-cost items. But what about retailers selling jewelry, luxury watches, electronics, high fashion, home goods, sporting goods etc.? 

And, it turns out, even orders under EUR 30 can run into an SCA requirement. The regulation says that orders under EUR 30 must undergo SCA when the cumulative total of a consumer’s low-value transactions reaches EUR 100. 

There is still the Trusted Beneficiary exemption, you’re thinking. That’s true, but it requires the consumer to initiate the exemption. A consumer needs to be SCA-aware enough to ask their card-issuing bank to place a certain retailer on an ‘allow list,’ which allows sidestepping SCA.

None of which means exemptions are worth the effort. It just means that they are only part of the puzzle. Retailers want to be in a position to take advantage of exemptions.

Being in the right position starts with having a top-flight fraud protection strategy. In order to take full advantage of the low-risk transaction exemption, for instance, a merchant needs to keep its fraud rate below an exceedingly low .01%. That clears the way for purchases under EUR 500.

Powerful fraud protection is still needed in an SCA world

Exemptions for purchases under EUR 250 and under EUR 100 are also available for merchants with fraud rates of .06% and .13% respectively. 

It’s important, then, for merchants to include a powerful fraud protection solution in their overall SCA strategy. A low fraud rate is vital to securing exemptions and exemptions are vital to producing a friction-free customer experience. 

Not only is a rock-solid fraud strategy important for putting a merchant in position to take advantage of exemptions, it’s equally important for merchants to avoid being taken advantage of by fraudsters once a merchant wins exemptions.

Think about it: Exemptions eliminate the need for the step-ups that power the extra security of SCA. Eliminating that step leaves merchants vulnerable to fraud. That’s where a modern fraud solution — a constantly learning automated solution with a financial guarantee — can provide the protection needed to ensure good orders are shipped and fraudulent orders are declined. 

Merchants and brands will want to be able to confidently pursue an aggressive exemption strategy without worrying about new vulnerabilities that fraud rings will look to exploit. Consider the irony of focusing on maintaining a low fraud rate to be able to take advantage of exemptions, only to have those exemptions lead to an increase in fraud and a higher fraud rate. 

So, yes, merchants would be wise to focus on the role of exemptions and exclusions when thinking about SCA. But it’s best for merchants to take a holistic view when they’re plotting out their overall SCA strategy and their entire risk management plan. 

About Shagun Varshney

Shagun Varshney, Signifyd Senior Product Manager, Payment Solutions, is a banking and payments expert with a deep knowledge of SCA regulation and its impact on commerce and commercial banking.

About Signifyd

Signifyd empowers fearless commerce by providing an end-to-end Commerce Protection Platform that protects merchants from fraud, consumer abuse, and revenue loss caused by friction in the buying experience.

Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: SCA, 3-D Secure, PSD2, fraud detection, retail, merchant fraud
Categories: Fraud & Financial Crime
Countries: United Kingdom
This article is part of category

Fraud & Financial Crime