Strong Customer Authentication and its implications for merchants, PSPs – Interview with ACI Worldwide

What problems is Strong Customer Authentication (SCA) intended to solve – and what risks does it present? 

The main objective of the PSD2’s SCA is to protect customers and reduce fraud, by introducing new measures to ensure that customer-initiated transactions are being made by the genuine cardholder. 

Unfortunately, this can add friction to the checkout process because it adds another step before the customer can complete the transaction. This could prove a major risk to the conversion’s success if the right measures aren’t taken by merchants, PSPs, and acquirers to reduce the impact on genuine customers. 

Under SCA, the control of authentication passes to issuers and acquirers. What are some of the implications for merchants and PSPs? 

While, from a regulatory perspective, the issuer will own authentication decisions, the liability for fraud isn’t as straightforward as it seems. For transactions that are subject to SCA, liability usually rests with the issuer or acquirer – but that isn’t the end of the story. 

Issuers and acquirers can choose to apply SCA exemptions for certain transactions, the scope for which is set out in the regulations. Whoever applies the exemption is then liable for that transaction if fraud occurs. However, in some circumstances where an acquirer applies an exemption, they are also likely to pass liability or costs back to the merchant. 

In addition, there are many types of transactions that sit outside the scope of SCA. For these transactions – such as recurring billing, mail order or telephone orders, and one-leg out transactions – any resulting fraud will sit squarely with the merchant. 

Without proper attention around exemptions, SCA could have a very negative impact on merchant profitability. Merchants could be saddled with the cost of fraud, passed across from acquirers, and the added friction from too many SCA transactions could cause cart abandonment and damage to customer relationships. 

How can PSPs help their merchants to be SCA-ready and make sure that friction is minimised for their customers? 

The good news is that there are lots of ways that PSPs can help their merchants with SCA. 

Firstly, merchants can actively seek SCA exemptions, and PSPs should help merchants to define the tailored exemption strategies they need for their individual business. For example, PSPs can help merchants define the low value and low risk transactions that they wish acquirers to accept unchallenged. This will allow merchants to be better prepared for the exemptions discussions and agreement they need to reach with their acquirers. 

But remember, any exemption strategy defined by the merchant must be discussed and ultimately agreed upon with the acquirers. 

PSPs need to ensure that merchants are able to capture and send the transactional and cardholder data that will help secure the exemption and ensure the transaction passes through the frictionless flow. They must also be able to provide the relevant exemption flag within the transaction. 

There is also an opportunity for merchants to become a ‘trusted merchant’, where a customer has successfully applied to have the merchant white-listed with their card issuer. PSPs need to make sure they support the passing of a white-listing/trusted merchant flag to the issuer, to ensure the customer experience (and customer loyalty) isn’t compromised. 

Lastly, PSPs need to verify that merchants can use a multi-layered fraud prevention solution that helps protect them from fraud, whether their transactions go through SCA, are exempt, or are out of scope. Merchants still have responsibility for fraud rates, and maintaining a consistently low fraud rate is the best way to ensure that the acquirer will support the merchant’s exemption strategy. 

What should be the dialogue between a merchant/PSP and their acquirer? 

Merchants and PSPs must be able to control the customer experience through an appropriate exemptions’ strategy – but this strategy has to be fully supported by the merchant’s acquirer. PSPs need to support their merchants both in developing their exemptions’ strategy and agreeing it with their acquirers. 

Additionally, there are several areas to consider. If an acquirer’s overall fraud rate becomes too high, they can lose the ability to offer SCA exemptions, meaning that every transaction in their portfolio requires authentication until the acquirer’s fraud metrics are brought under control. 

To ensure merchants aren’t caught out by this, PSPs can assist in several ways: 

• They can help to ensure merchants are actively fraud screening transactions, to keep their fraud rates low so that they don’t push the acquirer’s overall fraud rate up. 

• They can also scrutinise and monitor acquirers on behalf of their merchants. For instance, it’s worth knowing what types of merchants the acquirer supports – an acquirer focused on high risk merchants is likely to have much higher overall fraud rates. PSPs can regularly monitor acquirers’ average fraud rates and evaluate the best acquirers by the percentage of exemptions they apply. 

• Lastly, it is vital that PSPs support multiple acquiring options and can switch traffic to alternative acquirers if an acquirer’s fraud rate increases and they lose their ability to offer exemptions. This will be a vital measure in protecting merchants from unexpected exposure to risk and checkout friction. 

We have seen recent changes to the SCA implementation deadline in the UK. Do you expect other European countries to delay enforcement, in light of the COVID-19 outbreak? 

The UK has delayed SCA implementation to September 2021, and we await to see what the rest of the countries will do. Until that time, those countries who have not announced a postponement need to be compliant for the December 2020 deadline. Delay or not, SCA is coming. My strong recommendation, to PSPs and merchants, is to take steps now to be ready, determine exemption strategies that you want, and seek agreement from your acquirers. Also, if your acquirer breaches TRA metrics, you need to ensure mitigating strategies are in place (alternative acquiring options as an example). When the regulation is finally enforced, you need to be ready to protect your genuine customers and your business. 

About Amanda Mickleburgh 

Amanda brings more than 15 years’ experience working in fintech to her current role as product director for ACI’s Merchant Fraud solution. Since joining ACI in 2007 she has held roles across sales, strategic relationship management, and product management, with a specific focus on ecommerce fraud prevention. Amanda’s specific expertise is in leveraging data to enable risk-based screening for authentication, machine learning, artificial intelligence, and behavioural analytics. Amanda applies these emerging technologies to payment fraud detection and prevention strategies. She also has a particular interest in using data intelligence for aiding conversion and removing friction from payment flows, helping to create value for ACI’s customers and key stakeholders. 

About ACI Worldwide 

ACI Worldwide, the Universal Payments (UP) company, powers electronic payments for more than 5,300 organisations around the world. More than 1,000 of the largest financial institutions and intermediaries, as well as thousands of global merchants, rely on ACI to execute USD 14 trillion each day in payments and securities. To learn more about ACI, please visit www.aciworldwide.com. You can also find us on Twitter @ACI_Worldwide.