One of the most prominent issues keeping stakeholders in the payments industry busy at the moment is Strong Customer Authentication, or SCA, the new European security standard that intends to protect consumers and businesses from fraud by making it more difficult for a fraudster to make payments from their accounts.
After several delays, SCA is due to come into force for eCommerce card payments on December 31, 2020 in the EU and on September 14, 2021 in the U.K.
As with most things, there are a number of challenges and opportunities that SCA will bring to the payments industry. And there are a number of key considerations that still need ironing out before the deadline comes into force.
Is the industry ready?
There is still a large degree of unpreparedness in the market when it comes to SCA. The regulation is considered a “beast” in terms of legislation, compliance requirements and technical enhancements that organisations need to make to consider themselves ready for when SCA kicks in. But it is essential that payment service providers (PSPs), acquirers, issuers and merchants have the necessary tools to remain compliant.
The COVID-19 pandemic may have made it difficult for many businesses to complete their technical enhancement deployments or conduct adequate testing within the deadline. Moreover, the industry is complex and diverse with an interdependent ecosystem. Looking at it in its entirety, the level of readiness remains relatively low. However, preparations have been stepped up by the national competent authorities across the EU, particularly in the UK. Such initiatives can drive SCA readiness forward in time for the deadlines.
How are merchants gearing up for SCA?
Merchants have not been immune to changes in regulations, or the tight deadline, given the effects of the pandemic. Some merchants are working hard to upgrade to the EMV 3D Secure (3DS2) standard to remain compliant during this period of uncertainty. While doing this, they’re also gearing up to continue providing a good customer experience. By tackling both issues at once, merchants are using the opportunity to exchange more information, leveraging this data for improved fraud prevention.
Merchants are also getting creative with the way they handle customer satisfaction and the rapidly approaching SCA deadline. For instance, many merchants, especially the larger companies, are offering deferred payments so customers do not have to pay at checkout. They are also offering ‘buy now, pay later’ options and allowing customers to do bank transfers. We saw a 30% increase in these payment methods, signalling an appetite for goods and services with no upfront commitment and an effort on the side of merchants to avoid the risk of friction, all obvious strategies to circumvent the new rules and keep the lights on in a period of uncertainty.
Merchants should now focus on deploying EMV 3DS with gusto. 3DS is going to be a requirement as part of PSD2 and EMV 3DS offers greater benefits when it comes to reducing fraud.
Are there exemptions to be aware of?
It’s important for merchants to consider deploying the exemption strategy that they want as part of their continued efforts to ensure optimum customer experience. This involves considering all available exemptions, such as low risk and low value exemptions, and also trusted merchant exemptions. For the latter, merchants can offer consumers the option of whitelisting the merchant as part of the checkout process (via a checkbox option to save for future use, for example).
Ensuring that the acquirer can pass the trusted notification in their authorisation message to the issuer is also imperative. Some transaction types are automatically exempt, e.g. those under 30 euros (with every 6th transaction, or a cumulative 100 euros, being authenticated), and payments such as contactless and recurring are also automatically exempted.
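The low-value rule described above, written as a per-card decision function. This is an added example, not code from the article or from any scheme or vendor; `CardCounters`, `decide` and `replay` are hypothetical names, and it assumes that exactly 30 euros is stepped up, that the cumulative check includes the current payment, and that a step-up always succeeds.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds quoted in the article; boundary handling below is an assumption.
LOW_VALUE_LIMIT = Decimal("30")    # EUR, "under 30 euros"
CUMULATIVE_LIMIT = Decimal("100")  # EUR exempted since the last SCA
MAX_EXEMPT_RUN = 5                 # so every 6th transaction is authenticated


@dataclass
class CardCounters:
    """Hypothetical per-card state, reset each time SCA is performed."""
    exempt_count: int = 0
    exempt_total: Decimal = Decimal("0")


def decide(state: CardCounters, amount: Decimal) -> str:
    """Return 'exempt' or 'sca:<reason>' for one payment and update state."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    if amount >= LOW_VALUE_LIMIT:
        reason = "amount"        # not a low-value payment
    elif state.exempt_count >= MAX_EXEMPT_RUN:
        reason = "count"         # five exempted in a row already
    elif state.exempt_total + amount > CUMULATIVE_LIMIT:
        reason = "cumulative"    # would push exempted value past the cap
    else:
        state.exempt_count += 1
        state.exempt_total += amount
        return "exempt"
    # Assumption: the step-up succeeds, so the counters start again from zero.
    state.exempt_count = 0
    state.exempt_total = Decimal("0")
    return "sca:" + reason


def replay(amounts):
    """Run a sequence of EUR amounts for one card and list the decisions."""
    state = CardCounters()
    return [decide(state, Decimal(a)) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: six 10 EUR payments, then a run that hits the 100 EUR cap.
    print(replay(["10"] * 6))
    print(replay(["29", "29", "29", "29", "5"]))
```

Keeping the counters per card and resetting them only on a completed authentication is what stops a long run of small payments from staying exempt indefinitely.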
Merchants can take control by working closely with their acquirers and trying to ensure they have implemented an effective exemption strategy. Large merchants may also consider speaking to their top issuers, to gain insight into how the issuer will view their transactions and to ensure that sufficient data is being shared with the issuer, so as to reduce the chance of the issuer ignoring exemption requests and ‘stepping up’ to authentication. Lastly, merchants must keep fraud rates low to ensure that exemptions will be honoured by the acquirer – high fraud directly affects the acquirer’s ability to adhere to the TRA metrics outlined in PSD2 and their willingness to honour and apply exemptions to the issuer (as they take the hit on any fraud). A Plan B acquirer option may be a valid consideration for merchants to have in the event that their primary acquirer breaches TRA (otherwise this will introduce friction into the checkout flow for all payments).
We need to look at SCA not just as a new compliance demand but potentially as an enabler. But it’s only an enabler if it is embraced and if all parties in the payment value chain work together to ensure enough data is passed to secure a frictionless flow.
Going forward, SCA is going to trigger a domino-effect of changes across the industry. A typical issuer organisation today is formed by separate departments. However, the new regulation has a profound impact on organisations that have siloed departments. It is crucial to align these standalone parts of the business and develop a sustainable strategy to secure your business.
As such, it is key for acquirers, PSPs, card issuers and merchants to evaluate their payments models and the solutions they have in place in order to prepare themselves for SCA in the most efficient way possible.