How to prepare for Strong Customer Authentication (SCA) regulation
There’s little doubt that web sales represent an ever-increasing revenue channel for most UK retailers.
In fact, eMarketer expected online retail spend to increase by 14.9% in 2018, to almost £96 billion. However, Strong Customer Authentication (SCA) is coming fast and carries the potential to disrupt online retail sales from September onward.
Here, Paul Davidson, project specialist, banking and payments at Expense Reduction Analysts, explains the new regulations and why retailers need to make sure their payment gateway doesn’t become a limiting factor for ongoing sales.
In today’s market environment, UK retailers are having to stay abreast of multiple pressure points. There is uncertainty surrounding Brexit, disruption from innovators such as Amazon and changing consumer buying habits. They can almost be forgiven for not focusing on the incoming regulations around strong customer authentication (SCA) for online payments. SCA presents some unique challenges for retailers and customers alike, with the potential to directly impact sales if authentication is not frictionless.
What is SCA?
The Revised Payment Services Directive (PSD2) regulation was officially published by the European Commission in December 2015 and follows on from the First Payment Services Directive (PSD1), which was implemented in 2009. If both the cardholder’s issuing bank and the merchant’s payment provider are located within the European Economic Area then SCA applies to any customer-initiated purchases that take place.
Under SCA, digital commerce transactions in Europe must be verified by two independent forms of authentication starting on September 14, 2019. EMV 3DS (3D-Secure) will be the primary vehicle for payment providers and card issuers to implement SCA.
3D Secure Considerations
Biometrics such as facial and fingerprint recognition are useful channels for authenticating mobile transactions, but the fall-back method will be 3D Secure (3DS, branded as Verified by Visa, MasterCard SecureCode and American Express SafeKey). 3D Secure is an authentication scheme that requires the cardholder to enter an additional password when they make an online purchase, usually a random selection of three digits from a specified passcode. With the current version of 3DS, only 5% of 3D Secure transactions require password input.
By September, the new version of 3DS – 3DS 2.0 – will be mandatory for all online payments. Enabling 3DS 2.0 helps cover SCA requirements. A payments integration that supports 3DS 2.0 should become an industry-standard approach to complying with the new EU laws. 3DS 2.0 aims to match that level of only 5% of transactions requiring three-digit input, but it depends on both the merchant and the payment gateway providing sufficient information for effective risk assessment by the card issuer.
Avoid online shopping cart abandonment
Some sources believe that businesses which continue to use the old version of 3DS after 14th September may see passwords required for nearly 50% of transactions, which adds an unexpected friction point for consumers expecting a seamless payment experience. For online retailers, reducing friction during the checkout process is crucial for avoiding order abandonment and increasing revenue. According to the Baymard Institute, the average online shopping cart abandonment rate is currently 69%.
Fortunately, SCA regulations allow for some exemptions which may require cardholders to authenticate themselves only when a transaction is highly risky. However, the best way to ensure these transactions are not deemed high risk is to adhere to the new 3DS 2.0 standards, which reduces the probability of a transaction triggering extra authentication.
Consumer sentiment causes retailers to act fast
FICO, the data analytics company, vetted four leading European e-Commerce countries to gauge consumer awareness and attitudes toward SCA. The chosen countries were the UK, Germany, Spain and Sweden. When asked about current levels of security checks for card payments, nearly 70% of UK respondents indicated there are already enough or too many.
Offering customers a wide choice of authentication methods is a good start to build a customer-centric SCA strategy, but retailers must carefully consider the authentication methods they offer. The success of authentication is dependent on multiple factors, which can change even depending on the type of device the customer is using to buy, and the location they are buying from.
This is where a payment gateway comes in – one able to manage online transactions and optimise the use of exemptions. Where security steps cannot be avoided, they should offer the consumer attractive and easy ways to confirm their identity.
Gateway to the future
From our own discussion with financial stakeholders, some gateways have already developed engines to do just this. Others tell us that they are ‘looking at their strategy’. This is a critical element for retailers: the quality of their chosen gateway solution will be vital to reducing friction in online transactions from September onward.
However, this is only the beginning. 3DS 2.1 is just around the corner and aims for smoother information flows and decision making. Even 3DS 2.2 is under review at present to bring phone transactions within the SCA regulations.
There is a multitude of information available in the run-up to the September implementation of SCA. Waiting until the deadline will mean surrendering sales from day one under the new rules. Retailers need to consult with experts and their financial providers to assess their current gateway to ensure they can get out ahead of the looming deadline. That way they can turn SCA into an opportunity to offer a frictionless online experience, beat competitors and ultimately drive sales.