Turning SCA into a strategic advantage

SCA is based on the two-factor principle, which means that authentication requires two out of three possible security checks. Namely: ‘something you know’, ‘something you are’, and ‘something you have’.

Examples include: ‘something you know’ as familiar username/password approach, while ‘something you are’ adds biometrics to the verification process, and ‘something you have’ is a phone, card or other physical item that belongs to you. The inclusion of biometrics, such as fingerprint or iris recognition, reflects the realities of today’s mobile world and the need to make mCommerce as seamless as possible.

SCA applies to all customer-initiated online transactions, but among the six possible exemptions to the need for 2-factor authentication is one for payments that are deemed as low value (under €30). Although SCA applies only to transactions in the European Economic Area (EEA), where both the issuer and acquirer are in the region, the principle of ‘best endeavours’ must be followed when one of the parties is outside the EEA. Most card payments and all credit transfers will require SCA.

The latest version of 3-D Secure (3DS2) provides a robust and versatile infrastructure to implement SCA. 3-D Secure is a protocol that has been used for many years, but it has been rendered obsolete by the technology changes and security risks that necessitate strong customer authentication. 

Upgraded to combat cybercrime and address today’s world of multi-channel payments, 3DS2 is capable of drawing on more than 100 data points to improve risk-based decision-making and help determine whether a transaction requires full authentication or not. 

From a merchant’s perspective, stronger authentication might be viewed as a good for security but bad for frictionless flows. However, 3DS2 is far more dynamic and streamlined than 3DS1, which was not mobile-friendly and suffered from pop-up windows, and it can be applied in a way that improves customer experience. Because SCA recognises the importance of balancing strong security with the need for frictionless flows, exemptions are possible when certain criteria are met. 

In a ‘card present’ scenario, the convenience of contactless at point-of-sale would remain, however customers will be asked to complete a Chip and PIN transaction when they reach the maximum total contactless spend, or have exceeded the card issuer's limits for consecutive contactless transactions since they were last authenticated. Exemptions are also available for other transactions, such as recurring payments (eg, subscriptions); trusted or ‘whitelisted’ merchants; and for unattended terminals.

In addition, they can be sought through transaction risk analysis (TRA), a process where risk assessment is based on context data such as geolocation or behavior patterns and transactions are deemed to be low risk.

Finally, certain transactions such as mail order and telephone order (known as MOTO) are automatically ruled out of scope and not subject to SCA. 

Ecommerce transactions via mobile will soon overtake traditional eCommerce volumes¹. Consumers today expect to use mobile devices to engage with businesses and transact seamlessly, but that can’t happen if there are too many security hurdles. As eCommerce in its various forms expands, the success of SCA will depend on the careful and pragmatic interpretation of exemptions.

The winners in the new payments landscape will be those who apply exemptions judiciously, using authentication only when necessary. Merchants are likely to seek payment service providers with the right infrastructure to optimise payment journeys in accordance with SCA while achieving a positive customer experience.

It remains to be seen how SCA will perform once it is implemented. There may be further refinements before and after the transition, and exemptions will vary across different industries, acquirers, issuers and countries. But as a security initiative for the mobile era, SCA can, if used pragmatically, achieve the desired balance between strong security and frictionless payments.