Strong Customer Authentication (SCA): implications and challenges to the payments ecosystem

Thursday 25 July 2019 09:29 CET | Author Melisande Mual | Interview

Jackie Barwell, ACI Worldwide: It isn’t enough to rely on issuers and acquirers to carry out risk analysis, any more than it is enough to rely on 3D Secure


As a requirement of PSD2, payment markets around the world are currently readying themselves for the Regulatory Technical Standards (RTS) for Strong Customer Authentication (SCA), which are due to come into force on September 14, 2019. SCA is intended to reduce fraud and to ensure that merchants and issuers in the European Economic Area (EEA) validate the consumer for all electronic payments.

Although consumers will see tremendous benefit around security and data protection, issuers, acquirers, PSPs and merchants will face new challenges.

What is SCA?

In general terms, card issuers will be obliged to perform an SCA check for every electronic payment transaction above EUR 30 that does not meet any one of a set of specified exemption criteria. The SCA check requires authentication using two of the following three factors:

  • Something the cardholder knows – e.g., a password or PIN;

  • Something the cardholder has – e.g., a token, a mobile phone;

  • Something the cardholder is – e.g., a fingerprint or voice match.

What is the real impact on the digital payments ecosystem of SCA implementation and who are the most affected parties?

Almost no actor will stay unaffected by the SCA implementation. However, the level of impact will vary greatly.

For acquirers, this stepped-up authentication takes more time and costs more money, making pivotal the ability to identify transactions that are exempt from SCA. To establish exemption rules and keep fraud levels in range, acquirers need real-time transaction monitoring and risk analysis that factors in various pre-determined risk signals, such as abnormal spending or behavioural patterns, information on the customer’s device, malware detection across the session and the location of the customer.

For issuers, the challenge is integrating SCA controls and transaction monitoring within their existing fraud and risk management strategies. This will yield business-wide benefits, meeting PSD2 requirements, and reducing customer friction and exposure to money laundering.

What will change for PSPs and their merchants?

Several existing approaches within ecommerce are presently in line with SCA requirements, as they combine two compliant elements of the three mentioned before. If that is a merchant’s case, then little impact could be expected.

For merchants currently not implementing any SCA-related check, a few scenarios are possible:

  • merchants transacting primarily in smaller value transactions below EUR 30 will see little impact;

  • merchants using card-on-file will only see an impact on the initial conversion transaction. This should see card-on-file and tokenization become an almost essential and universal offering from PSPs;

  • merchants working with acquirers that have higher risk merchants on their books may find value in switching to acquirers with a better blend of higher and lower risk transactions. These acquirers with lower fraud levels will have more flexibility not to mandate SCA and so keep the conversion process friction free.

Non-European domiciled merchants with substantial EU consumer traffic, who set up entities in Europe purely to be able to work with a European acquirer, may want to weigh any advantage offered to them by this European acquirer against the demands that will be placed by SCA.

PSPs will benefit enormously from being able to offer their merchants a strong ecommerce fraud solution. All merchants will wish to offer a frictionless experience to their customers, so being able to apply exemptions to the smaller and lower risk transactions becomes a benefit that all merchants will want. These exemptions will become more commonly applied if all parties in the value chain conduct effective transaction risk analysis, because low fraud rates at a merchant level contribute to the overall fraud rates of the acquirers and issuers within that chain.

PSPs should also add capabilities that will enable them to offer Strong Customer Authentication solutions to their merchants. If an acquirer or an issuer makes a decision to conduct SCA on a merchant’s transaction(s), but the merchant is not set up with the right solutions to enable this (for example if the issuer chooses 3DS 2.x as their SCA methodology of choice), then the merchant is likely to suffer a declined transaction.

SCA is intended to protect the shopper, but it brings challenges to providing a seamless payment experience. How will the merchant’s business be influenced?

It isn’t enough to rely on issuers and acquirers to carry out risk analysis, any more than it is enough to rely on 3D Secure. The merchant’s ability to control fraud, secure SCA exemptions and deliver a fast, simple payments experience to loyal customers ultimately demands that they keep a firm grasp on their own fraud rates, through fraud screening.

Recently, regulators agreed on a certain grace period. What does this mean for acquirers, PSPs and merchants?

After 14 September 2019, national competent authorities (NCAs) may decide to work with PSPs and relevant stakeholders (including merchants) to provide limited additional time to complete technical changes that will allow issuers to migrate to authentication approaches compliant with SCA, and acquirers to migrate their merchants to solutions that support SCA. This supervisory flexibility is provided under the condition that PSPs have set up a migration plan, have agreed to the plan with their NCA and execute the plan in an expedited manner.

Although this should allow merchants more time to migrate to newer versions of 3D Secure, and to implement technology or processes that will enable the application of SCA in a compliant but optimal way for consumers, the lack of clarity on the EBA’s position simply adds pressure on merchants and PSPs to be ready for SCA by September 14th.

How must PSPs and merchants approach and embrace the changes of SCA fully, to ensure that they are compliant without impacting their business? Who can help them?

Merchants and PSPs need to continue to manage fraud in part to maximize the number of transactions that can secure SCA exemptions, thereby delivering a fast, simple payments experience. By keeping a firm grasp on fraud rates and knowing when and how to request exemptions, merchants and their PSPs can protect their businesses and help to ensure that the new regulations are a benefit. Here are a few guiding principles:

1. Don’t neglect fraud screening

Fraud screening remains vital for merchants and PSPs. PSPs can demonstrate clear market differentiation if effective fraud screening capabilities are in place to keep their fraud rates low – an all-important statistic in a PSD2/SCA world.

2. Develop your exemption strategy

Merchants and PSPs should actively engage with their acquirers to discuss their authentication strategy, pushing for the exemptions they want and ensuring there is a backup plan if customer authentication fails. There may be situations in which a merchant does not wish an available exemption to be applied, so the exemption strategy should be jointly agreed between the merchant, the PSP and the acquirer.

3. Establish acquirer flexibility

Finally, some merchants and PSPs may wish to negotiate with acquirers to implement transaction risk analysis exemptions for themselves. In the future, we could see savvy merchants “cherry picking” the acquirers and PSPs that offer the best conversions, SCA strategies and commercials. The ability to easily switch acquirers, route transactions to acquirers with the best fraud levels and negotiate acquiring services (and prices) will be increasingly valuable in a PSD2 world.

About Jackie Barwell
Currently Director of Fraud and Risk Product Management at ACI Worldwide, Jackie Barwell has more than 27 years’ experience within financial crime. She joined Retail Decisions (ReD) in late 2011, prior to its acquisition by ACI in 2014, as Head of International Products, ensuring ReD’s fraud and payment solutions enabled revenue growth and reduced losses for customers in all markets. She assumed responsibility for ReD’s product portfolio and roadmap in 2013 and led a global team of product experts focused on the further development of ReD’s market-leading fraud and payment solutions.

About ACI Worldwide

ACI Worldwide, the Universal Payments (UP) company, powers electronic payments for more than 5,300 organizations around the world. More than 1,000 of the largest financial institutions and intermediaries, as well as thousands of global merchants, rely on ACI to execute USD14 trillion each day in payments and securities. To learn more about ACI, please visit You can also find us on Twitter @ACI_Worldwide.


Keywords: SCA, PSD2, ACI Worldwide, merchants, PSPs
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: World