Shagun Varshney, senior product manager, Signifyd
The sky is falling. The wolf is coming. And SCA will be enforced in the UK just as it is being enforced now across much of Europe.
I know. You’ve been hearing about PSD2 and its requirement for strong customer authentication (SCA) for years. Deadlines have come. Deadlines have gone. And nothing has changed.
So when I tell you it’s coming, you don’t believe me. But do me a favor: File this away, because in the following paragraphs I’m going to lay out what the SCA requirement in PSD2 is, how as an online retailer it could upend your business and what you should do about it.
First, what it is: PSD2, or the Payment Service Directive 2, is a far-reaching payment regulation covering businesses involved in online transactions in the European Economic Area. European Union authorities first passed the directive five years ago as a way to open banking to more competition and better protect consumers and merchants when it comes to online fraud.
All good in theory, but as is nearly always the case, efforts to curtail fraud come with the potential to add friction along the buying journey — friction that frustrates consumers and results in lost sales and lost customers for retailers.
Fortunately, for UK merchants there is still time to take steps to seize the upside of SCA without suffering the downside of a considerable revenue hit.
Enforcement of PSD2 was originally set to begin on Sept. 14, 2019. But it turns out, PSD2 and its SCA requirements are complicated and involve cooperation among diverse and complex organizations and governments. And, so, the delays.
Like any complicated legislation worth its weight, PSD2 comes with plenty of exceptions, exemptions and ambiguity. We’ll get to several. But since people have been writing about PSD2 for five-plus years, there is plenty of general reading out there.
I’d prefer to focus on the regulation’s SCA requirement, which is of the greatest interest to retailers — or should be. Simply put, SCA requires a rigorous two-factor identification regimen for online transactions. The consumers must be authenticated by two out of three of the following:
- Something the user knows (like a one-time passcode)
- Something the user has (like a mobile device)
- Something the user is (fingerprint, facial recognition, typing behavior)
So, how to prepare for this new way of doing business? My broad advice is to take a deep dive into your own business to understand what SCA means to your enterprise. As you do, think of your approach to SCA as a potential differentiator, a competitive advantage, because done properly, it can be both.
And don’t wait. Kidding aside, SCA will have huge implications for your business. And it is coming as sure as day follows night — just not on as predictable a schedule. With that in mind, I’ve compiled a pre-SCA checklist, a to-do list to start getting SCA done.
- Believe. Shift from denial to action. Do whatever you need to do to develop an it’s-coming mindset. Repeat it over and over. Write it on the bathroom mirror. Submit to a tasteful, but prominent tattoo, when it’s safe to do so. SCA is coming.
- Become a Ph.D in 3DS. You want 3D Secure 2.2. While EMVCo’s 3D Secure is the established authentication protocol to support online credit and debit card purchases in Europe, not all 3D Secure is created equal.
The 3D Secure version that many retailers are familiar with is not up to the task. Payments consultancy CMSPI found that using 3D Secure version 1 as the backbone of SCA is leading to abandonment rates of 25% and higher across European markets where SCA is being enforced.
That compares to abandonment in the single-digit percentages before SCA. The consultancy also found that SCA-triggered step-ups could result in an authentication process taking 60 seconds to two minutes, an eternity for an online shopper attempting a purchase.
And when forced to wait, consumers today don’t. Signifyd’s latest consumer sentiment survey found that 46% of UK consumers find the current state of two-factor authentication frustrating enough that they are somewhat or very likely to give up on a transaction that requires it. The latest version of 3DS version 2.2, however, is made for modern ecommerce and accommodates SCA’s requirements. While version 1 passes 15 fields of data to your bank for authentication, version 2 passes nearly 10 times that many. While version 1 cannot accommodate exemptions allowed by SCA; 2.2 can. (We’ll get to why exemptions are vitally important later in the checklist.). In the event that you believe a transaction is exempt and your bank doesn’t, 3D Secure version 1, won’t allow for a soft decline, or an appeal of the decision. 3DS version 2.2 does. Version 1 requires a shopper to open a browser, even on mobile devices, in order to provide authentication. Version 2 is mobile ready. How long do you think that customer will work at buying something from you?
- Check out your average basket size. Remember those exemptions I mentioned. They are what can make the difference between SCA being a nightmare and SCA being a manageable piece of your business. SCA comes with its own abbreviations — TRA, for instance. TRA, or Transaction Risk Analysis is your friend. TRA allows for exemptions to SCA based on your fraud rate (and your payment service provider’s, which will get to in a minute). If you’re fortunate enough to have an astonishingly low fraud rate of .01% or less, most purchases under €500 are exempt from SCA. A fraud rate under .06% and you’re good for under €250; under .13% and purchases less than €100 are exempt. So, you can see that keeping your fraud rate low is key. One note: The exemptions only apply to low-risk orders, so if the order comes with signals indicating fraud, SCA is back in play.
But that’s only half of it. Understanding your average order value and what causes that to fluctuate is also key. If, for instance, your orders are rarely over €500 and you’ve got fraud under control, maybe your SCA procrastination was well spent. The new requirement will have little, if any effect on your life, unless your business model changes. The same reasoning goes down the line to the €250 and €100 benchmarks.
- Mind your fraud rate — and your payment service provider’s. So, based on No. 3, you probably knew this was coming. Obviously, if exemptions are key and your fraud rate is key to exemptions, you better have a good idea as to what your fraud rate is and what could affect it. And not only mind your fraud rate, of course, but actively work to bring it low and keep it low. As I said, reducing fraud can come with the unintended consequence of adding friction to the buying journey. When approaching fraud, it’s best to avoid a defensive posture and embrace the notion of optimizing revenue by maximizing the number of orders you ship while sifting fraudulent orders out of the mix. That worldview has spawned an industry of artificial intelligence-driven fraud solutions that use constantly learning machines to automate order flow by sorting fraudulent orders from legitimate orders in milliseconds. Again, choose carefully. Not all AI-based fraud solutions work the same way.
And while you’re studying your fraud rates, be sure you understand the fraud rate of your payment service provider (often your acquiring bank) as well. SCA is a team sport and in order for your business to be eligible for exemptions under TRA, your bank’s fraud rates must also fall under the .01%, .06% and .13% limits.
- Get into your payment service provider’s business. Am I becoming too predictable? Yes, you need to have a serious talk with the payment service provider (PSP) that handles your credit card transactions. As I said earlier, your bank needs to be taking fraud as seriously as you do. The Transaction Risk Analysis assesses both the merchant and the PSP the merchant uses. So, know your PSP’s fraud rate and understand its performance in fraud prevention and protection over time.
At least as important, is your PSP’s 3D Secure capabilities. Remember all those delays of SCA (which are coming to an end, I promise you)? One major reason regulators put off enforcing the regulation is that banks and other PSPs were not prepared to process SCA transactions. They did not have updated versions of 3D Secure in place. If you’ve forgotten why that’s important, review No. 2 on the checklist.
It is unlikely that acquiring banks and other PSPs will fall short in either category — fraud rates and updated 3D Secure — for long. Those that are behind now will either upgrade quickly or find themselves relegated to irrelevance.
- Know where your customers are coming from. Literally. It makes a big difference when it comes to SCA because of the somewhat inelegantly named “one leg out” exclusion. In order to be subject to SCA, the shopper’s credit-card-issuing bank and the merchant’s acquiring bank must both be in the European Economic Area. So if the overwhelming majority of your conversions come from customers in the United States, China, Canada, Turkey, Switzerland or any country outside the EEA, chances are those transactions are not subject to SCA.
Much like the merchants whose average order value and fraud rates make SCA less relevant, the new regulation might not be as big a part of your life as you initially thought. The caveat here, of course, is that you still need to come up with a way to handle those orders subject to SCA in as frictionless and secure a way as possible. That said, knowing exactly what your order mix by country is, is the first step in plotting a strategy.
These half-dozen items are a decent start to a checklist that will make your SCA life easier and more successful. Like so much in life, sometimes getting started on making a change is the hardest part. And also like much in life, sometimes actually making that change works out far better than you ever imagined.