The new strong customer authentication (SCA) requirements that arrived with PSD2 have quite rightly been a key focus for risk professionals and retail leaders, since it was enforced in Europe in January 2021.
And as of 14 March, the new payments regulation became mandatory in the UK. This once-in-a-generation change has the potential to massively disrupt an enterprise or drive an enterprise ahead of its competitors when it comes to customer experience.
Despite being a vital pillar of protection for merchants and consumers alike, there is more to fraud and fraud protection than simply deploying an SCA solution; it is not, as some have mistakenly assumed, the only fraud solution a merchant will ever need.
As European retailers have faced historic fraud pressure levels, SCA’s robust two-factor authentication process has already been rolled out across much of Europe. You only need to look to the countries in which it has been enforced to realise the impacts of SCA’s fraud protection.
For example, many transactions are not subject to SCA which is a saving grace for merchants who are worried about online customer experience - until you consider the fact that they will still be vulnerable to fraudsters who will inevitably target transactions that are exempt from this added SCA layer. Merchants should also consider the fact that a low-fraud rate will be vital for providing a top-notch customer experience now that SCA is being enforced, and this is only possible by ensuring they have the most robust defences in place.
Increased consumer protection puts revenue at risk
The promise of SCA is that it will better protect consumers by routing many transactions through the 3-D Secure protocol and requiring two-factor authentication that calls for a shopper’s identity to be confirmed through two of the following: something the user knows (like a one-time passcode); something the user has (like a mobile device); and something the user is (fingerprint, facial recognition, typing behaviour).
Notably, there is nothing stopping fraudsters from attacking transactions protected by 3-D Secure alone – and they do. The security protocol does shift liability from the merchant to its bank, but if a bank is hit by fraud often enough, it will protect itself by declining more orders.
So, on closer inspection of what SCA stipulates, it is clear that a robust fraud protection solution will be the bedrock of a merchant’s successful SCA strategy because:
low fraud rates are required for key exemptions that allow consumers and merchants to bypass SCA;
SCA does not cover every transaction a merchant will process such as MOTO and One Leg Out transactions (where either the acquiring or issuing bank is outside of the EEA);
SCA deals head-on with payment fraud, but not friendly fraud or policy abuse by consumers;
fraudsters are innovative and entrepreneurial. SCA may prove a barrier initially, but professional fraud rings will find an alternate path of attack.
Let’s start with exemptions, as they are the key to providing a seamless SCA experience for online customers. Exemptions allow orders to be approved without undergoing SCA based on the notion that the transaction isn’t very risky or wouldn’t be very costly if things go wrong.
Skipping SCA is a highly desirable outcome as stricter authentication measures have the potential to disrupt the customer’s online checkout experience. Featured in the latest CMSPI report into the impact of SCA in Europe, testing shows 29% of SCA transactions are abandoned. This could be because they are declined, because of technical errors or because the customers simply got too frustrated with the added security layers. All of this could amount to an annual loss for merchants of EUR 90 billion combined.
In a recent consumer survey conducted for Signifyd by market research firm Upwave, more than 37% of UK consumers said they’d been unable to complete a transaction because of new online security procedures. Moreover, more than 46% said they were very or somewhat likely to give up on transactions that require two-factor authentication.
Exemptions - what are they and how do they work?
The important thing to remember about exemptions is that a low fraud rate is the price of admission. Let’s break the exemptions down and consider the role of best-in-class fraud protection in making them possible and secure:
1. Low-risk and low-value transactions: Online orders of EUR 30 or less that arrive without fraud red flags do not need to clear SCA. By definition, these orders are getting less scrutiny than orders of above EUR 30, which makes them attractive targets for fraudsters. Having a high-quality fraud solution in place will protect these orders from fraud. Given that a business dealing in basket sizes under EUR 30 is likely doing a high volume of low-cost orders, a solution that provides automated decisioning will save the business from being consumed by conducting manual reviews.
2. Recurring transactions: Subscription payments for the same amount made to the same merchant are exempt from SCA, once the first payment clears SCA. That’s great, as far as it goes. But once that first transaction is processed, the following transactions are not subject to SCA and are vulnerable to fraud — unless a fraud solution is in place.
3. Trusted beneficiary payments: Consumers can select specific merchants and ask their card-issuing bank to allow purchases from that specific merchant to be processed without SCA. The key here is, the consumer asks for the exemption and the bank can say no for any reason. If the bank says yes, a trusted beneficiary payment becomes a transaction that is not protected by SCA, again making those transactions targets for fraud. It doesn’t take a lot of creativity, for instance, to come up with potential targets. Consider Amazon’s huge customer base and the frequency with which Prime customers buy on Amazon. It’s the perfect recipe for a trusted beneficiary request. And a perfect merchant for a fraud ring with stolen credentials to visit, because SCA is less likely to be a barrier.
4. Transaction risk analysis (TRA): Having a top-flight fraud prevention solution is exactly what TRA is all about. The exemption allows merchants with low fraud rates, using acquiring banks that also have low fraud rates, to bypass SCA on a sliding scale of order values. Those with an exceedingly low fraud rate of .01% can skip SCA on orders under EUR 500. If a merchant’s fraud rate is under .06%, they’re good for under EUR 250. A rate under .13% means purchases less than EUR 100 is exempt from SCA. Again, the merchant’s acquiring bank must match those fraud-rate limits.
There are situations when SCA does not apply
Beyond exemptions, there are a host of scenarios under which SCA does not come into play, which leaves merchants vulnerable to fraud unless they have a solution in place. The new SCA regulations apply to merchants within the European Economic Area. But not all customers who shop with merchants in the EEA live in the EEA. Their purchases are subject to an SCA exception known as the “one leg out” exclusion. If either the issuing or acquiring bank involved in a transaction is outside of the EEA, SCA does not apply. Therefore, those orders are protected only by whatever fraud solution the merchant has in place.
Certain types of orders – mail order and telephone – are not subject to SCA, meaning the next call-in order a retailer gets could well be from a fraudster. Transactions made with anonymous payment instruments – think prepaid gift cards – are not subject to SCA. This only leaves room for fraudsters to make their move.
The increase in not-so-friendly fraud
Finally, we have the ever-increasing challenge of non-payments fraud, AKA friendly fraud.
Signifyd’s Consumer Abuse Index, a measure of abusive consumer claims, ended 2020 at a level five times what it was before the COVID-19 pandemic set in. Another measure of the increase in friendly fraud was evident in Signifyd’s consumer survey. More than 36% of UK consumers surveyed said they’d falsely claimed that a legitimate charge on their credit account was fraudulent. Just over 30% admitted to falsely claiming that an order never arrived or that an order was unsatisfactory when it did arrive. Obviously, SCA is not going to detect friendly fraud and retailers will need additional solutions in place.
Fraud rates and risks vary by retailer and even by retail vertical. But as the UK joins Europe under SCA regulations, it is clear that SCA is not a one-stop shop to tackle ecommerce fraud. It is important that merchants realise this sooner rather than later, and consider other ways to protect their business from fraud whilst maintaining an excellent customer experience online.
About Ed Whitehead
Ed Whitehead is the Managing Director, Europe, for Signifyd, where he leads a team dedicated to the expansion and support of Signifyd’s European client base. Prior to joining Signifyd, Ed worked at Gigya, SAP and Experian accumulating extensive knowledge across data and legislation in identity, fraud, ecommerce, and customer experience.
About Signifyd
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now