It’s a bit of an understatement to say that it’s been a tough year: the pandemic, the lockdowns, the disruption of Brexit.
But now comes another challenge for retailers in the UK and across much of Europe: The long-coming enforcement of Strong Customer Authentication, as required by the PSD2 payment regulation. After years of anticipating and years of delays, enforcement has started in most countries and will follow in the UK on Sept. 14. And this time it really is coming, though, given the recent history, I forgive you for not believing me.
But do me a favor: File this away, because in the following paragraphs I’m going to lay out what the SCA requirement in PSD2 is, how as an online retailer it could upend your business and what you should do about it.
First, what it is: PSD2, or the Payment Service Directive 2, is a far-reaching payment regulation covering businesses involved in online transactions in the European Economic Area. European Union authorities first passed the directive five years ago as a way to open banking to more competition and better protect consumers and merchants when it comes to online fraud.
All good in theory, but as is nearly always the case, efforts to curtail fraud come with the potential to add friction along the buying journey — friction that frustrates consumers and results in lost sales and lost customers for retailers.
There is still time to get seamless SCA right
Fortunately, for UK merchants there is still time to take steps to seize the upside of SCA without suffering the downside of a considerable revenue hit.
Enforcement of PSD2 was originally set to begin on Sept. 14, 2019. But it turns out, PSD2 and its SCA requirements are complicated and involve cooperation among diverse and complex organizations and governments. And, so, the delays.
Like any complicated legislation worth its weight, PSD2 comes with plenty of exceptions, exemptions and ambiguity. We’ll get to several. But since people have been writing about PSD2 for five-plus years, there is plenty of general reading out there.
I’d prefer to focus on the regulation’s SCA requirement, which is of the greatest interest to retailers — or should be. Simply put, SCA requires a rigorous two-factor identification regimen for online transactions. The consumers must be authenticated by two out of three of the following:
- Something the user knows (like a one-time passcode)
- Something the user has (like a mobile device)
- Something the user is (fingerprint, facial recognition, typing behavior)
So, how to prepare for this new way of doing business? My broad advice is to take a deep dive into your own business to understand what SCA means to your enterprise. As you do, think of your approach to SCA as a potential differentiator, a competitive advantage, because done properly, it can be both. And I’d be remiss if I didn’t mention that Signifyd can help with this challenge. We’ve built up tremendous expertise and a product, Seamless SCA, that provides a unified fraud prevention and SCA solution that removes liability from merchants and provides a friction-free experience for merchants’ customers. More about that in a minute.
SCA is now being enforced across much of Europe and is coming to the UK this fall. Learn from the experience of others and hear Signifyd’s Shagun Varshney and Forrester’s Jacob Morgan as they dive into winning exemption strategies and some other elements of Varshney’s six-point SCA checklist.
Six steps to friction-free customer experience with SCA
First, I need to emphasize that the time to act is now. SCA will have huge implications for your business. And it is coming to the UK as sure as day follows night — just not on as predictable a schedule. With that in mind, I’ve compiled a pre-SCA checklist, a to-do list to start getting SCA done.
- Believe. Shift from denial to action. Do whatever you need to do to develop an it’s-coming mindset. Repeat it over and over. Write it on the bathroom mirror. Submit to a tasteful, but prominent tattoo, when it’s safe to do so. SCA is coming. And if you are not prepared, you will be turning away good customers — guaranteed.
- Become a Ph.D. in 3DS. You want 3D Secure 2.2. While EMVCo’s 3D Secure is the established authentication protocol to support online credit and debit card purchases in Europe, not all 3D Secure is created equal. The 3D Secure version that many retailers are familiar with is not up to the task. Payments consultancy CMSPI found that using 3D Secure version 1 as the backbone of SCA is leading to abandonment rates of 25% and higher across European markets where SCA is being enforced.
That compares to abandonment in the single-digit percentages before SCA. The consultancy also found that SCA-triggered step-ups could result in an authentication process taking 60 seconds to two minutes, an eternity for an online shopper attempting a purchase.
And when forced to wait, consumers today don’t. Signifyd’s latest consumer sentiment survey found that 46% of UK consumers find the current state of two-factor authentication frustrating enough that they are somewhat or very likely to give up on a transaction that requires it. The latest version, 3DS 2.2, however, is made for modern ecommerce and accommodates SCA’s requirements. While version 1 passes 15 fields of data to your bank for authentication, version 2 passes nearly 10 times that many. Version 1 cannot accommodate the exemptions allowed by SCA; 2.2 can. (We’ll get to why exemptions are vitally important later in the checklist.) In the event that you believe a transaction is exempt and your bank doesn’t, 3D Secure version 1 won’t allow for a soft decline, or an appeal of the decision. 3DS version 2.2 does. Version 1 requires a shopper to open a browser, even on mobile devices, in order to provide authentication. Version 2 is mobile-ready. How long do you think that customer will work at buying something from you?
- Check out your average basket size. Remember those exemptions I mentioned? They are what can make the difference between SCA being a nightmare and SCA being a manageable piece of your business. SCA comes with its own abbreviations — TRA, for instance. TRA, or Transaction Risk Analysis, is your friend. TRA allows for exemptions to SCA based on your fraud rate (and your payment service provider’s, which we’ll get to in a minute). If you’re fortunate enough to have an astonishingly low fraud rate of .01% or less, most purchases under €500 are exempt from SCA. A fraud rate under .06% and you’re good for under €250; under .13% and purchases less than €100 are exempt. So, you can see that keeping your fraud rate low is key. One note: The exemptions only apply to low-risk orders, so if the order comes with signals indicating fraud, SCA is back in play.
But that’s only half of it. Understanding your average order value and what causes it to fluctuate is also key. If, for instance, your orders are rarely over €500 and you’ve got fraud under control, maybe your SCA procrastination was well spent. The new requirement will have little, if any, effect on your life, unless your business model changes. The same reasoning goes down the line to the €250 and €100 benchmarks.
- Mind your fraud rate — and your payment service provider’s. So, based on No. 3, you probably knew this was coming. Obviously, if exemptions are key and your fraud rate is key to exemptions, you had better have a good idea as to what your fraud rate is and what could affect it. And not only mind your fraud rate, of course, but actively work to bring it low and keep it low. As I said, reducing fraud can come with the unintended consequence of adding friction to the buying journey. When approaching fraud, it’s best to avoid a defensive posture and embrace the notion of optimizing revenue by maximizing the number of orders you ship while sifting fraudulent orders out of the mix. That worldview has spawned an industry of artificial intelligence-driven fraud solutions that use constantly learning machines to automate order flow by sorting fraudulent orders from legitimate orders in milliseconds. Again, choose carefully. Not all AI-based fraud solutions work the same way. And while you’re studying your fraud rates, be sure you understand the fraud rate of your payment service provider (often your acquiring bank) as well. SCA is a team sport, and in order for your business to be eligible for exemptions under TRA, your bank’s fraud rates must also fall under the .01%, .06% and .13% limits.
- Get into your payment service provider’s business. Am I becoming too predictable? Yes, you need to have a serious talk with the payment service provider (PSP) that handles your credit card transactions. As I said earlier, your bank needs to be taking fraud as seriously as you do. The Transaction Risk Analysis assesses both the merchant and the PSP the merchant uses. So, know your PSP’s fraud rate and understand its performance in fraud prevention and protection over time.
At least as important are your PSP’s 3D Secure capabilities. Remember all those delays of SCA (which are coming to an end, I promise you)? One major reason regulators put off enforcing the regulation is that banks and other PSPs were not prepared to process SCA transactions. They did not have updated versions of 3D Secure in place. If you’ve forgotten why that’s important, review No. 2 on the checklist.
It is unlikely that acquiring banks and other PSPs will fall short in either category — fraud rates and updated 3D Secure — for long. Those that are behind now will either upgrade quickly or find themselves relegated to irrelevance.
- Know where your customers are coming from. Literally. It makes a big difference when it comes to SCA because of the somewhat inelegantly named “one leg out” exclusion. In order to be subject to SCA, the shopper’s card-issuing bank and the merchant’s acquiring bank must both be in the European Economic Area. So if the overwhelming majority of your conversions come from customers in the United States, China, Canada, Turkey, Switzerland or any country outside the EEA, chances are those transactions are not subject to SCA. Much like the merchants whose average order value and fraud rates make SCA less relevant, the new regulation might not be as big a part of your life as you initially thought. The caveat here, of course, is that you still need to come up with a way to handle those orders that are subject to SCA in as frictionless and secure a way as possible. That said, knowing exactly what your order mix by country is, is the first step in plotting a strategy.
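Pulling the TRA thresholds (checklist items 3 and 4) and the “one leg out” exclusion (item 6) together into a single eligibility check, as an added example that is not Signifyd’s code or product logic; the Transaction fields, the EEA country list and the sample values are assumptions constructed for the illustration:

```python
from dataclasses import dataclass

# EEA member states (EU-27 plus IS, LI, NO) as ISO 3166-1 alpha-2 codes.
# Post-Brexit UK runs its own SCA regime and is deliberately not modelled here.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}

# TRA bands from the checklist: (reference fraud rate in %, order-value cap
# in EUR). Checked strictest first; a lower fraud rate unlocks a higher cap.
TRA_BANDS = ((0.01, 500.0), (0.06, 250.0), (0.13, 100.0))


@dataclass
class Transaction:            # field names are this example's own
    amount_eur: float
    issuer_country: str       # shopper's card-issuing bank
    acquirer_country: str     # merchant's acquiring bank
    merchant_fraud_rate: float  # in %
    psp_fraud_rate: float       # acquirer/PSP fraud rate, in %
    risk_signals: bool = False  # order carries fraud indicators


def sca_applies(tx: Transaction) -> bool:
    # "One leg out": SCA is only in scope when both banks sit in the EEA.
    return tx.issuer_country in EEA and tx.acquirer_country in EEA


def tra_cap(tx: Transaction) -> float:
    # SCA is a team sport: the worse of the two fraud rates sets the band.
    worst = max(tx.merchant_fraud_rate, tx.psp_fraud_rate)
    for limit, cap in TRA_BANDS:
        if worst <= limit:
            return cap
    return 0.0  # too much fraud for any TRA band


def decide(tx: Transaction) -> str:
    # Returns "out_of_scope", "tra_exempt" or "step_up" (3DS challenge).
    if not sca_applies(tx):
        return "out_of_scope"
    # TRA only covers low-risk orders under the cap; risk signals cancel it.
    if not tx.risk_signals and tx.amount_eur < tra_cap(tx):
        return "tra_exempt"
    return "step_up"
```

A PSP with a worse fraud rate than the merchant drags the whole pair into a lower band, which is exactly why the checklist tells you to look at your provider’s numbers and not just your own.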
Now, about performing SCA in as frictionless and secure a way as possible: Signifyd’s Payments Compliance solution’s Seamless SCA allows merchants to conduct SCA in the background while customers shop on their sites. The solution measures device token information to satisfy the “something the customer has” element of SCA. And it uses biometric information to satisfy the “something the customer is” element. Seamless SCA’s 3DS 2.2 capabilities make sure a merchant’s payment provider and a customer’s issuing bank get the necessary information to authenticate the transaction.
That leads to great results. Consider the experience of Signifyd customer Emma Mattress: it recovered an additional 6.4% in revenue because of higher order approval rates and lower incidences of cart abandonment.
On top of all that, Signifyd provides protection across the entire buying journey whether SCA is involved or not. Signifyd’s Commerce Protection Platform provides guaranteed fraud protection on all approved orders and its Abuse Prevention solution automates chargeback management and extends the financial guarantee to the complete range of chargebacks.
So think of this six-point checklist as a decent start to making your SCA life easier and more successful. Like so much in life, sometimes getting started on making a change is the hardest part. And also like much in life, sometimes actually making that change works out far better than you ever imagined.
Learn more about SCA by attending the Forrester and Signifyd webinar, “Creating a Winning SCA Strategy in 2021.”