Much has been made about how the secret to successful strong customer authentication (SCA) is in the details — the exemptions, the exclusions, the version of 3DS in play.
But one other detail, one vital to maintaining a magnificent customer experience, can’t be overlooked: the importance of delegated authentication.
Simply put, operating your ecommerce enterprise with delegated authentication is the only way under PSD2’s SCA requirement for a merchant to keep complete control of the experience it is offering loyal and newly acquired customers alike.
SCA: A three-step primer
Let’s back up for some context. SCA is a requirement of the new digital payment regulation PSD2 (payment security directive 2). It’s already in force in much of Europe and will be enforced in the UK beginning in March. Its requirements have become recitable by rote: SCA requires that shoppers’ identities be authenticated by two of three methods:
● Something the user knows (such as a one-time passcode)
● Something the user has (such as a mobile device)
● Something the user is (such as a fingerprint, facial recognition, typing behavior)
But just how is that done? The details, remember? Unless a merchant takes action, the authentication process is ordinarily handed over to the cardholder’s bank. That means if you’re an online retailer, a consumer shops on your painstakingly designed site, finds that perfect something, adds it to a cart, hits buy and is whisked away to a bank’s site or app.
The site looks nothing like your site. The authentication process may be intuitive or it may be confusing. A shopper might persevere or they might find the experience off-putting and wonder just who it is gathering their personal information for authentication.
Nicole Jass, senior vice president of product at payment technology company FIS, writing in PYMNTS’ Authenticated Payments Report, described bank-initiated authentication this way:
“(It) often adds an extra step into the checkout process for customers, creating friction that could result in cart abandonment. Keeping SCA responsibilities in-house prevents merchants from routing customers to issuers’ domains, giving retailers more control over the experience and sparing issuers from taking on the task.”
Without delegated authentication merchants turn away sales
That switching among sites to make an online purchase is no doubt a key reason that SCA’s rollout has resulted in dramatic cart abandonment across Europe. Payment consultancy CMSPI’s latest report on the economic impact of SCA found a transaction failure rate of 25% region-wide in June. The figure was as high as 38% in Belgium. CMSPI extrapolated that if such abandonment rates persisted, European merchants stood to lose more than €76 billion in sales this year.
And while contemplating that disjointed customer experience is discouraging enough, it gets worse. Think about it. Depending on the bank card you use, your experience shopping with a particular retailer might be far-and-away better than the experience of your neighbour, who uses a different card and can’t stop wondering why you gush about the beautiful experience at that site where they had a dreadful experience.
Or what about you as an individual who uses more than one credit card? One online excursion with a particular merchant might be a dream, while the next time you shop is a horror.
And what about when there’s a hiccup — which of course there never is when dealing with the internet! Who does the consumer contact? The merchant? The bank? Does the merchant know when something goes wrong at the bank? Does the bank know if the merchant was at fault? Or does it all remain a mystery in the consumer’s mind?
And let’s not forget the poor merchant. They could easily lose a customer for life, simply because the consumer’s bank was ill-prepared for the new SCA requirements and offered an SCA experience that had the customer running away in terror.
Third-party partners can help merchants seize delegated authorization
And so delegated authentication. It is a must. Unfortunately, taking the reins of customer authentication is not entirely up to a merchant. The cardholder’s bank, you see, accepts the liability under SCA for authenticated orders that are fraudulent, and therefore it has an interest in controlling the process. It will delegate the authentication procedure to a merchant that has demonstrated that it has fraud under control. That is a key reason why robust fraud protection is even more important in the SCA era.
Visa and Mastercard have gone a long way to removing another major complication to merchants taking on delegated authentication. Initially, a merchant would need to connect with every bank that issued a credit card that one of its customers used on its site.
The merchant would need to get approval one-by-one from banks to authenticate consumers with that card.
The card companies, however, have stepped up to act as a clearinghouse between merchants and banks that issue their cards. Banks have also shown a willingness to accept the assurance of other trusted third-parties — say a reputable fraud protection provider — as sufficient to hand authentication over to a merchant.
A good detail to know for merchants already operating under SCA’s requirements and for those in the UK who will be managing the new payment requirement soon enough.