Every time a cardholder swipes their credit or debit card, the business has to first authenticate the buyer’s identity. This is no easy task in the card-not-present space. After all, how do merchants verify that the people on the other end of these transactions are the individuals they claim to be if the buyer and seller never actually meet?
New Strong Customer Authentication (SCA) standards, which are now in place in the European market, are aimed at addressing this issue. The operative idea is to set consistent and reliable standards for determining a buyer’s identity. The rollout of SCA protocols will continue through 2022 (at least, as of this writing), with different effective compliance dates applying in different countries and regions.
Under SCA requirements, sellers must use at least two of the following three methods to verify their customers:
- Possession: Something the user possesses, like the CVV number printed on a payment card.
- Knowledge: Something the user knows, like a PIN code.
- Inherence: Something physically tied to the user’s identity, like a fingerprint scan.
I’ve discussed before how merchants may benefit from optimizing their response to SCA compliance requirements. Regardless, we can’t deny that this places an extra burden on businesses.
As noted in a recent report published by Fi911, the requirements may have broader, more far-reaching effects than most merchants realize. Test data cited in the report shows that only 76% of browser-based transactions could be verified using Strong Customer Authentication. When we look to app-based purchases, the figure drops to 48%. The data also shows that 14% of browser-based shoppers, and 25% of app-based ones, abandoned their purchases in response to SCA prompts.
SCA Exceptions & TRA Exclusions
The test data validates some preexisting concerns among merchants about how Strong Customer Authentication will impact checkout friction. Another concern is the prospect of increased confusion about liability and applicability in different regions or with different transaction types. Plus, there’s the worry that more focus on SCA might result in complacency in other areas of fraud management.
Fortunately, there are several exemptions which may alleviate these concerns to some degree. Merchants are not required to deploy SCA if the transaction in question:
- Is merchant-initiated, as in the case of a subscription rebill.
- Is conducted by mail or by phone.
- Involves a prepaid card.
- Is a “one-leg” transaction; SCA applies only when both parties are in a territory in which SCA rules apply.
- Has a total value of less than €30.
- Involves a merchant that has already been whitelisted by the cardholder.
- Involves a corporate or virtual card.
There is also Transaction Risk Analysis, or TRA, which can be a great asset for merchants. TRA allows for real-time behavioral observation and analysis during a transaction. The technology examines key fraud indicators. It gauges each transaction for general risk level without impacting cardholder friction.
TRA is a great asset, but it’s deployed at the bank level. Thus, whether or not a merchant can take advantage of it depends on their acquirer’s track record for fraud prevention. For example, if a merchant wants to deploy TRA for a transaction valued at less than €100, they would only be allowed to do so if the bank has maintained a fraud incident rate below 0.13% of total transactions in the previous 90 days. Even stricter standards apply for higher-value transactions.
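The exemption list and the TRA threshold above can be read as one decision procedure. The sketch below is an added example, not code from the article or from any payment provider: the `Txn` fields, function names and outcome strings are assumptions, and only the €30, €100 and 0.13% figures come from the text. Because the article gives no thresholds for transactions of €100 or more, the sketch fails closed and requires SCA there.

```python
from dataclasses import dataclass

# Thresholds quoted in the article; every name in this block is an assumption.
LOW_VALUE_EUR = 30.0         # exemption: total value of less than EUR 30
TRA_BAND_EUR = 100.0         # TRA band the article describes
TRA_MAX_FRAUD_RATE = 0.0013  # acquirer fraud rate must be below 0.13%

@dataclass
class Txn:
    amount_eur: float
    merchant_initiated: bool = False        # e.g. a subscription rebill
    mail_or_phone: bool = False
    prepaid_card: bool = False
    one_leg: bool = False                   # one party outside SCA territory
    merchant_whitelisted: bool = False      # whitelisted by the cardholder
    corporate_or_virtual_card: bool = False

def sca_decision(txn, acquirer_fraud_rate_90d):
    """Return (outcome, reason), where outcome is 'exempt',
    'tra_eligible' or 'sca_required'."""
    exemptions = [
        (txn.merchant_initiated, "merchant-initiated"),
        (txn.mail_or_phone, "mail or phone order"),
        (txn.prepaid_card, "prepaid card"),
        (txn.one_leg, "one-leg transaction"),
        (txn.merchant_whitelisted, "merchant whitelisted by cardholder"),
        (txn.corporate_or_virtual_card, "corporate or virtual card"),
    ]
    for applies, reason in exemptions:
        if applies:
            return "exempt", reason
    if txn.amount_eur < LOW_VALUE_EUR:
        return "exempt", "low value"
    if txn.amount_eur < TRA_BAND_EUR:
        # TRA depends on the acquirer's 90-day fraud rate, not the merchant's.
        if acquirer_fraud_rate_90d < TRA_MAX_FRAUD_RATE:
            return "tra_eligible", "acquirer fraud rate below 0.13%"
        return "sca_required", "acquirer fraud rate too high for TRA"
    # No thresholds are given for higher values, so fail closed.
    return "sca_required", "no exemption matched"

def sca_satisfied(verified_categories):
    """SCA needs at least two distinct categories out of the three."""
    valid = {"possession", "knowledge", "inherence"}
    return len(set(verified_categories) & valid) >= 2
```

Two checks from the same category, such as a PIN plus a password, do not satisfy `sca_satisfied`, since both count as knowledge.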
Taking Additional Steps to Manage Risk
Even with Transaction Risk Analysis and the exceptions outlined above in place, we have to acknowledge that some transaction friction is unavoidable.
Introducing Strong Customer Authentication is naturally going to deter some legitimate buyers. This could be because they are unfamiliar with SCA requirements and are turned off by the additional questions. It may be that they simply don’t want to deal with the extra steps during checkout. The key is to make the best of the situation by leveraging friction more effectively.
It’s possible to stop fraud while still retaining customers. Merchants can streamline processes by reducing other friction points. For instance, some easy fixes include:
- Ensuring against broken or dysfunctional product pages.
- Optimizing website response times.
- Eliminating unnecessary or redundant fields at checkout.
- Proofing page content to ensure against confusing or misleading information.
- Requiring account creation before checkout.
These are just a few examples. There are literally dozens of friction points in the customer experience that might slow down or frustrate buyers while offering no benefit. In addition, using backend security tools like geolocation, velocity limits, and blacklists, all backed by dynamic fraud scoring, can help eliminate fraud without impacting the customer experience at all.
We should also look for opportunities for closer collaboration between merchants and banks. The merchant’s ability to deploy TRA depends on the bank. Thus, banks have a direct incentive to keep fraud incidents at a minimum to continue offering TRA as a value to merchants. This could come in the form of fraud prevention education, risk mitigation counseling, or additional resources to deal with threats directly.
Acquirers and merchants are on the same side during a transaction. Closer collaboration between the two parties to eliminate fraud wherever possible translates to a win-win for everyone involved.