Blog article
See all stories »

How to take ownership of SCA by understanding Authentication vs. Authorisation

Along with the added security that the newly enforced Strong Customer Authentication (SCA) introduced for online retailers in the UK comes added complications when determining the most efficient and cost-effective way for retailers to process orders.

Up until now the discussion around SCA has been about how the new consumer authentication regulation adds friction to transactions and leads to lower conversions. The real conversation, however, should be about what retailers can do to avoid the downsides of the new regulation. 

But it’s not all bad, and actually retailers still have the choice to minimise or eliminate the friction that SCA brings, however there’s no denying that making those choices has become more complicated.

One of the ways to look at it is authentication vs authorization. Merchants need to maximize the strategy of requesting exemptions. Authentication and authorization are the the two ways of executing on those requests. 

The need for understanding

Choosing the right path means knowing whether the banks that support an online purchase for the merchant and the customer’s card issuer are fully prepared for frictionless SCA. It also requires an understanding of SCA’s exemptions and the requirements for requesting an exemption to SCA. And it requires those insights for every individual order.  

By understanding which payment flow — authentication or authorisation — best accommodates the transaction process for a given order, merchants can optimise the customer experience they provide, which increases conversions and the likelihood a consumer will return for a subsequent shopping trip. 

Taking a step back

First some quick background: In the pre-SCA era, merchants didn’t worry about whether they should be seeking exemptions in the payment process and just how they’d best go about that. They were working in world without exemptions. Optimisation was not a thing.

With SCA in place, the world has changed. 3D Secure, a protocol that facilitates authentication, has become the critical path to a successful transaction. But in the early going, 3D Secure has proven unsteady. Not all merchants, banks and payment processors are prepared and using the newest version of 3DS, a version that accommodates the exemption requests that are vital to a successful SCA strategy.

Now merchants need to understand whether the banks and processors they depend on are fully SCA-prepared or not. And if they are not, merchants need to be able to request SCA exemptions by processing orders along the authorisation path. 

In short: Today merchants need to be in the business of payment optimisation or live with the damage friction and cart abandonment cause their business. 

The impact of SCA on ecommerce

Let’s look at how SCA has changed online selling and shopping. First, SCA calls on consumers to demonstrate that they are who they say they are. They can confirm their identity in two of three ways:

  • Something they own (such as the device they used to buy).

  • Something they know (such as a one-time passcode).

  • Something they are (via biometrics, such as a fingerprint or retina scan). 

The regulation also comes with a batch of exemptions. These exemptions and related exceptions, called exclusions, are generally available when an order meets certain criteria: 

  • The order is low-risk and low value.

  • Both the merchant and its banks have kept fraud rates low and the transaction meets certain limits — order values below €100 or between €100 and €250 or €250 and €500 depending on how low the merchant and bank’s fraud rates are. 

  • The transaction is “out of scope.” These include phone or mail orders, prepaid card transactions and orders when the acquiring or issuing bank is outside of the European Economic Area.

  • Trusted beneficiary — if a consumer’s bank agrees to allow it. The trusted beneficiary exemption can be applied when a consumer expressly tells the bank that issued their credit card that they don’t want extra scrutiny applied when they are buying from specific merchants. Again, the issuing bank can refuse to allow the exemption. 

Beware - not all 3D Secure is the same

So back to authorisation vs. authentication. Again, the backbone of authentication is 3D Secure. But, all 3D Secure is not the same. Older versions that have been in the market for years don’t allow merchants or banks to request exemptions. They always require a step-up, often requiring a shopper to click away from a merchant’s site to satisfy the authentication requirement. A newer version allows merchants and card-issuing banks to request exemptions. The newest version allows merchants, the merchant’s bank and card-issuing banks to request exemptions. 

Unfortunately, a significant number of European banks have not yet upgraded to the newest form of 3D Secure, meaning consumers will face an authentication challenge when trying to buy, unless the merchant has requested an SCA exemption via the authorisation route.

The optimum strategy for merchants in the SCA era is to understand —through data —  the history of transactions when it comes to individual banks and payment service providers. That way they know whether the authentication route will result in a friction-free approval — meaning 3D Secure along the payment processing path is fully optimised for requesting and accommodating exemptions. Or would the better route be to request exemptions through the authorisation route? 

What does all of this mean for retailers?

All this means that merchants need to pay more attention to transaction data. They should get into the business of what is happening: Why was an order declined? What banks and payment processors were involved? They should be more demanding in asking for data from their banks and their payment service providers. They should ask for data and reports that show what orders are being declined and why. And they should consider working with partners who can readily marshal that kind of data and provide instant insights into the question: authentication or authorisation.

Keeping an eye on transaction flow and keeping it optimised is the secret to success in the SCA era. In order to make informed decisions, data is key to supporting your plans and helping to drive you forward.


Comments: (1)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 07 June, 2022, 08:561 like 1 like

Great post. SCA in the form of 2FA / 3DS has been a thing in India for 15 years. It's "one size fits all". Exemption is not a thing. Going by that sole experience of SCA, I didn't know 3DS has a good degree of flexibility.

2FA has been a conversion killer in India, with failed payments touching 40% at their peak.

Going by the nuanced implementation of SCA in EU, I no longer feel it might be a recipe for disaster as I'd thought so far.

Now hiring