Turning SCA into a strategic advantage
David Jeffrey, Barclaycard Director of Fraud and Security Products, outlines how strong customer authentication (SCA) will revolutionise the customer payment experience. To find out how we can support your business, call our payment experts on 0800 096 8237*.
The new regulatory framework for European online payments, PSD2, is a response to how digital technology has both transformed the payments industry and increased the opportunities for cybercrime. As card-not-present transactions have increased, and eCommerce has been joined by mCommerce, fraudsters have been quick to follow the technology curve.
The challenge now is for payment service providers, merchants, issuers and regulators to create a secure environment for digital payments without increasing friction. Strong customer authentication (SCA) is the initial answer.
The new security standard has been designed to tackle rising levels of online fraud and safeguard data in a way that streamlines payments while, crucially, ensuring that customer experience doesn’t suffer.
A reflection of today’s mobile world
SCA is based on the two-factor principle, which means that authentication requires two out of three possible security checks. Namely: ‘something you know’, ‘something you are’, and ‘something you have’.
Examples of each: ‘something you know’ is the familiar username/password approach; ‘something you are’ adds biometrics to the verification process; and ‘something you have’ is a phone, card or other physical item that belongs to you. The inclusion of biometrics, such as fingerprint or iris recognition, reflects the realities of today’s mobile world and the need to make mCommerce as seamless as possible.
SCA applies to all customer-initiated online transactions, but among the six possible exemptions from two-factor authentication is one for payments that are deemed low value (under €30). Although SCA applies only to transactions in the European Economic Area (EEA), where both the issuer and acquirer are in the region, the principle of ‘best endeavours’ must be followed when one of the parties is outside the EEA. Most card payments and all credit transfers will require SCA.
Implementing SCA with 3-D Secure
The latest version of 3-D Secure (3DS2) provides a robust and versatile infrastructure for implementing SCA. 3-D Secure is a protocol that has been in use for many years, but its original version has been rendered obsolete by the technology changes and security risks that make strong customer authentication necessary.
Upgraded to combat cybercrime and address today’s world of multi-channel payments, 3DS2 is capable of drawing on more than 100 data points to improve risk-based decision-making and help determine whether a transaction requires full authentication or not.
Exemptions and frictionless flows
From a merchant’s perspective, stronger authentication might be viewed as good for security but bad for frictionless flows. However, 3DS2 is far more dynamic and streamlined than 3DS1, which was not mobile-friendly and relied on pop-up windows, and it can be applied in a way that improves customer experience. Because SCA recognises the importance of balancing strong security with the need for frictionless flows, exemptions are possible when certain criteria are met.
In a ‘card present’ scenario, the convenience of contactless at point-of-sale would remain; however, customers will be asked to complete a Chip and PIN transaction when they reach the maximum total contactless spend, or have exceeded the card issuer's limit for consecutive contactless transactions since they were last authenticated. Exemptions are also available for other transactions, such as recurring payments (eg, subscriptions); trusted or ‘whitelisted’ merchants; and unattended terminals.
Exemptions can also be sought through transaction risk analysis (TRA), a process in which the risk assessment is based on context data such as geolocation or behaviour patterns, and transactions assessed as low risk are exempted.
Finally, certain transactions, such as mail order and telephone order (known as MOTO), are out of scope and not subject to SCA.
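The exemption rules above, together with the ‘two out of three’ factor principle from the earlier section, can be written down as a small decision policy and checked against sample transactions. The following Python is an added example, not Barclaycard's or any scheme's own logic: the €30 low-value threshold is the figure given in the article, while the contactless cumulative-spend and consecutive-count limits are issuer-defined and appear here as labelled placeholder values, and the order in which the checks are applied is a design choice of this example.

```python
from dataclasses import dataclass

# Constructed policy parameters (added example, not an issuer's real limits).
# The EUR 30 low-value threshold comes from the article; the two contactless
# limits are set by each card issuer and are placeholders here.
LOW_VALUE_LIMIT_EUR = 30.00
ISSUER_CONTACTLESS_CUMULATIVE_LIMIT_EUR = 150.00  # assumed placeholder
ISSUER_CONTACTLESS_CONSECUTIVE_LIMIT = 5          # assumed placeholder

# The three categories behind "two out of three" in SCA.
FACTOR_CATEGORIES = {"knowledge", "possession", "inherence"}


@dataclass
class Transaction:
    amount_eur: float
    channel: str                         # "ecommerce", "contactless", "unattended" or "moto"
    issuer_in_eea: bool
    acquirer_in_eea: bool
    recurring: bool = False              # e.g. a subscription payment
    merchant_whitelisted: bool = False   # customer has trusted this merchant
    tra_low_risk: bool = False           # outcome of the acquirer's transaction risk analysis
    contactless_spent_since_auth_eur: float = 0.0  # cumulative spend since last Chip and PIN
    contactless_count_since_auth: int = 0          # consecutive taps since last Chip and PIN


def sca_decision(tx):
    """Classify a transaction as 'out_of_scope', 'best_endeavours', 'exempt'
    or 'required', with a short reason string."""
    if tx.channel == "moto":
        return "out_of_scope", "mail order / telephone order"
    if not (tx.issuer_in_eea and tx.acquirer_in_eea):
        # One party outside the EEA: SCA is not mandated, but best endeavours apply.
        return "best_endeavours", "one party outside the EEA"
    if tx.channel == "contactless":
        over_spend = (tx.contactless_spent_since_auth_eur + tx.amount_eur
                      >= ISSUER_CONTACTLESS_CUMULATIVE_LIMIT_EUR)
        over_count = tx.contactless_count_since_auth >= ISSUER_CONTACTLESS_CONSECUTIVE_LIMIT
        if over_spend or over_count:
            return "required", "contactless limit reached: Chip and PIN"
        return "exempt", "contactless below issuer limits"
    if tx.channel == "unattended":
        return "exempt", "unattended terminal"
    if tx.recurring:
        return "exempt", "recurring payment"
    if tx.merchant_whitelisted:
        return "exempt", "whitelisted merchant"
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        return "exempt", "low value (under EUR 30)"
    if tx.tra_low_risk:
        return "exempt", "transaction risk analysis: low risk"
    return "required", "customer-initiated online transaction"


def factors_satisfy_sca(presented_factors):
    """True when the presented factors cover at least two distinct categories.
    Two items from the same category (a password plus a memorable word) are
    still only one factor; names outside the three categories are ignored."""
    categories = set(presented_factors) & FACTOR_CATEGORIES
    return len(categories) >= 2


if __name__ == "__main__":
    # Constructed sample transactions to exercise each branch of the policy.
    samples = [
        Transaction(80.00, "ecommerce", True, True),
        Transaction(25.00, "ecommerce", True, True),
        Transaction(80.00, "ecommerce", True, True, tra_low_risk=True),
        Transaction(9.99, "ecommerce", True, True, recurring=True),
        Transaction(200.00, "moto", True, True),
        Transaction(80.00, "ecommerce", issuer_in_eea=False, acquirer_in_eea=True),
        Transaction(20.00, "contactless", True, True,
                    contactless_spent_since_auth_eur=140.00, contactless_count_since_auth=2),
    ]
    for tx in samples:
        print(f"{tx.channel:12} EUR {tx.amount_eur:7.2f} -> {sca_decision(tx)}")
    print("password + card:", factors_satisfy_sca(["knowledge", "possession"]))
    print("password + memorable word:", factors_satisfy_sca(["knowledge", "knowledge"]))
```

Running the script prints one decision per sample; the last two lines show why a second knowledge element does not turn a password login into strong customer authentication, which is the point of the two-out-of-three rule.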
Turning SCA into a strategic advantage
eCommerce transactions via mobile will soon overtake traditional eCommerce volumes [1]. Consumers today expect to use mobile devices to engage with businesses and transact seamlessly, but that can’t happen if there are too many security hurdles. As eCommerce in its various forms expands, the success of SCA will depend on the careful and pragmatic interpretation of exemptions.
The winners in the new payments landscape will be those who apply exemptions judiciously, using authentication only when necessary. Merchants are likely to seek payment service providers with the right infrastructure to optimise payment journeys in accordance with SCA while achieving a positive customer experience.
It remains to be seen how SCA will perform once it is implemented. There may be further refinements before and after the transition, and exemptions will vary across different industries, acquirers, issuers and countries. But as a security initiative for the mobile era, SCA can, if used pragmatically, achieve the desired balance between strong security and frictionless payments.
[1] Study: Mobile commerce to overtake e-commerce by 2019, https://www.mobilemarketer.com/news/study-mobile-commerce-to-overtake-e-commerce-by-next-year/532125/
What’s your Strong Customer Authentication strategy?
Like all regulation, Strong Customer Authentication (SCA) brings new challenges. But with the right strategies in place, merchants can be compliant, help reduce fraud and offer secure payments. For more information, see our whitepaper: Demystifying the payment landscape: PSD2, SCA and the security challenge.