Beginning 14th September, 2019, Strong Customer Authentication (SCA) will take effect in conjunction with the revised Payment Services Directive (PSD2). Despite the quickly approaching deadline, 25% of EU online merchants are unaware of SCA according to the most recent PSD2 tracker.
What exactly is SCA?
Designed by the countries of the European Union, SCA will require authentication built into a checkout flow for online payments originating from Europe. This authentication should include 2 of the following 3 elements:
- Something the customer knows (e.g. password, PIN)
- Something the customer has (e.g. phone, hardware token)
- Something the customer is (e.g. fingerprint, face recognition)
If a payment is not “SCA-ed”, the issuer/bank will reject the payment (unless the payment qualifies for an exemption). This affects both card payments and bank transfers on any “customer-initiated payment” while merchant-initiated payments (e.g. recurring direct debits) will not be affected. In order to meet SCA requirements, many merchants/PSPs are making sure that 3D Secure 2.0 is implemented.
What are the SCA Transaction Risk Analysis (TRA) exemptions?
For specific types of low-risk payments, merchants and PSPs may qualify for exemptions based on Transaction Risk Analysis (TRA). The “Standard” exemption is that payments below 30 Euros do not require SCA, but it is possible to receive additional exemptions if both the PSP and issuer have low overall fraud rates across their network of merchants. The most common exemption is referred to as the “low value and low risk transaction” and includes the exemption thresholds listed below.
- 0.13% fraud rate to exempt transactions below 100 Euros
- 0.06% fraud rate to exempt transactions below 250 Euros
- 0.01% fraud rate to exempt transactions below 500 Euros
This means that PSPs need to get their overall fraud rate across their network of merchants to a certain level in order to qualify for these exemptions. Merchants will naturally want to work with PSPs that have “more” SCA exemptions, and furthermore, merchants who have high transaction volumes and low fraud rates will have leverage with PSPs on processing costs. If the merchant does less SCA, they use 3D Secure 2.0 less, which means they don’t incur this extra cost, while also avoiding increased customer friction that could put a payment at risk of not converting.
Who decides on TRA exemptions?
When all is said and done, issuers are the ultimate authority on who qualifies and doesn’t qualify for exemptions. Furthermore, even if there is an exemption, the issuer can still decide to require SCA on a payment. A practical example of this would be where the issuer forces SCA if the total amount attempted on a card in 24 hours exceeds 100 Euros, or after every 5 transactions without SCA.
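The exemption tiers and the issuer override described above can be combined into one decision routine. The sketch below is an added example, not code from any PSP, issuer or the PSD2 text; the names `CardState`, `decide` and `tra_ceiling` are hypothetical. It assumes a fraud rate equal to a threshold still qualifies and that the issuer's example rule is applied to every exempt payment.

```python
from collections import deque
from dataclasses import dataclass, field

LOW_VALUE_LIMIT_EUR = 30.0            # "Standard" exemption: payments below 30 EUR
# (maximum PSP fraud rate in %, payment must be below this amount in EUR)
TRA_TIERS = [(0.13, 100.0), (0.06, 250.0), (0.01, 500.0)]
WINDOW_SECONDS = 24 * 3600            # issuer example: 24-hour window
ISSUER_TOTAL_EUR = 100.0              # issuer example: total attempted amount
ISSUER_MAX_STREAK = 5                 # issuer example: payments without SCA

def tra_ceiling(fraud_rate_pct):
    """Highest amount ceiling this fraud rate qualifies for (0.0 if none).
    Assumption: a rate equal to the threshold still qualifies."""
    return max((cap for rate, cap in TRA_TIERS if fraud_rate_pct <= rate), default=0.0)

@dataclass
class CardState:
    attempts: deque = field(default_factory=deque)  # (timestamp_s, amount_eur)
    exempt_streak: int = 0                          # consecutive payments without SCA

def decide(card, amount, now, fraud_rate_pct):
    """Return (sca_required, reason) for one payment and update the card state."""
    while card.attempts and now - card.attempts[0][0] >= WINDOW_SECONDS:
        card.attempts.popleft()                     # forget attempts older than 24 h
    card.attempts.append((now, amount))
    attempted_24h = sum(a for _, a in card.attempts)
    if amount < LOW_VALUE_LIMIT_EUR:
        exemption = "low-value"
    elif amount < tra_ceiling(fraud_rate_pct):
        exemption = "tra"
    else:
        exemption = None
    # The issuer has the last word, even when an exemption applies.
    if exemption is None:
        reason = "no-exemption"
    elif attempted_24h > ISSUER_TOTAL_EUR:
        reason = "issuer-24h-total"
    elif card.exempt_streak >= ISSUER_MAX_STREAK:
        reason = "issuer-streak"
    else:
        card.exempt_streak += 1
        return False, exemption
    card.exempt_streak = 0                          # SCA performed: streak restarts
    return True, reason
```

Under the issuer rule used here, a 150 Euro payment is challenged even when the PSP's fraud rate qualifies it for the 250 Euro tier, which is why an exemption granted on the PSP side is a request rather than a guarantee.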
What are PSPs doing to ensure they qualify for TRA exemptions?
Naturally, SCA will push PSPs to put more emphasis on both merchant onboarding risk and the real-time monitoring of those merchants as they submit payments. PSPs are leveraging machine learning technology (which requires clean, global, normalized, de-duped, and highly predictive data) to monitor their merchants’ payments and to ensure fraud does not get passed through to authorization. Some sophisticated PSPs are building their own fraud detection systems in-house to achieve this goal while others are purchasing third-party machine learning platforms to handle fraud detection for them.
What is the goal of SCA?
SCA’s ultimate purpose is to bring security to the card-not-present (CNP) payments ecosystem. The burden is shifting more than ever to PSPs to better authenticate online payments for both their merchants and the customers of those merchants. The goal here for all parties involved is to have good control over fraud without sacrificing the customer experience or increasing false positives. Leveraging real-time, machine learning-driven risk assessments will be key to a successful post-PSD2/SCA world for everyone from the merchants to PSPs to card networks to issuers.
For more thoughts on the upcoming PSD2 and SCA (Strong Customer Authentication) check out this article – As PSD2 Looms, SCA Waits in the Wings – where PYMNTS.com interviews Spencer McLain, our VP of EMEA.