SCA: How fraudsters adapt, and how merchants can respond

The Europe-wide rollout of SCA appears to be helping to reduce ecommerce fraud. Visa notes that ‘Across Europe, levels of reported fraud have fallen by 20% in the first four months of 2021.’

But experience tells us that fraud doesn't go away; it simply manifests itself elsewhere. The SCA-driven changes to fraud that merchants should look out for include:

Account takeover. SCA means it's no longer easy for fraudsters to use stolen payment cards. Therefore, they may increase account takeover attacks to gain access to card details stored-customer accounts, or to access enough details about an account holder to acquire a new card in their name. Social engineering and phishing attacks on social media help fraudsters glean personal details that enable account takeover or help them build a full cardholder identity. 

Time to review your fraud strategy

To keep pace with fraudsters as they adapt to SCA enforcement in the UK, while optimising the SCA experience for customers, merchants should consider reviewing their fraud strategies. Our key recommendations are as follows:

• Manage fraud as effectively as you can in line with card scheme requirements, and get advice from acquirers, payment platforms, and fraud partners. Take advantage of resources like Cybersource Managed Risk Analysts to help you understand SCA implications and the evolving fraud landscape;

• Stay vigilant about changes in fraud rates and patterns, such as increased fraud in your MOTO channel, or a rise in account takeover attempts. You may want to take additional steps such as:

   - Providing call centre agents with tailored training and collecting additional data points about transactions handled by this channel to help identify the fraudulent ones;

   - Rolling out an account takeover solution that monitors accounts for unusual activity at login, update, and creation to add a further layer of protection. 

• Leverage SCA exemptions. A first step is to work with your acquirers on transaction risk analysis (TRA), which allows low-risk transactions to go straight to authorisation without being stepped up for SCA. You may also want to educate your customers about setting up lists of trusted beneficiaries — merchants where SCA isn't required on transactions after the first one;

• Flag MITs correctly as out of scope. Make sure to include the right data fields on merchant-initiated transactions (MITs) to prevent SCA being applied. Issuers will have learned from their EU experience, but merchants should initially monitor these transactions in case of handling errors;

• Upgrade to EMV® 3DS. This version of 3-D Secure allows 10 times more data to be shared between merchant and issuer, helping to improve risk assessment, decision-making and the customer experience of SCA (especially in the increasingly popular mobile channel). 3DS version 1 will be sunset in October 2022, so if you haven't upgraded yet, consider doing so as soon as possible. 

• Review and revise your fraud rules. Set up flexible, client-specific rules so that, as a merchant, you can take control of when transactions are authenticated and exempted. For example:

   - OLO transactions are out of scope for SCA, but you may want to add rules to your fraud screening solution to scrutinise them more closely;

   - You may not want TRA applied to all qualifying transactions — perhaps you want to authenticate all transactions from a particular postcode or involving a particular product, to protect against fraud. In these cases, you can use 3DS to request authentication and still benefit from protection offered. 

If you want to take further control over when transactions are and aren't stepped up for SCA, consider Cybersource Decision Manager plus Payer Authentication. It lets you define rules that pause the SCA call and allow transactions to be authenticated directly. An issuer may, however, insist on authenticating a particular transaction, in which case you must return it to the customer for authentication. This process will be automated in the Cybersource solution later in 2022.

Conclusion

With SCA now in force across Europe, merchants will need to decide on the right strategy to protect against fraud, while maximising the number of good orders they accept, and optimising the customer experience. Your acquirers, and partners like Cybersource, are on hand to help, by combining their experience of the EU SCA rollout with your knowledge of your customers, your own fraud experience and your risk appetite. 

Join our webinar:  Outsmart fraudsters in a PSD2 SCA world: How to keep fraud low and convert more orders

Wednesday 30 March @ 14:30 BST

Learn more about SCA best practices.

About Mari-anne Bayliss

Mari-anne joined Cybersource in June 2017. At her role as European lead – Regional Solutions, she focuses on driving forward solutions which will help merchants to provide great customer experiences, while keeping their businesses secure. Prior to joining Cybersource, she spent 18 years with a large UK retailer, and for over 10 years was leading the Fraud and Risk functions, responsible for both ecommerce fraud prevention and internal risk management.

About Cybersource

At Cybersource, we know payments. We helped kick start the eCommerce revolution in 1994 and haven’t looked back since. Through global reach, modern capabilities, and commerce insights, we create flexible, creative commerce solutions for everyday life—experiences that delight your customers and spur growth globally. All through the ease and simplicity of one digital platform to manage all your payment types, fraud strategies, and more. Knowing we are part of Visa and their security-obsessed standards, you can trust that your business is well taken care of—wherever it may go.