Risk professionals and retail leaders for months have been fixated on the new strong customer authentication (SCA) requirements that arrived with PSD2 — and rightfully so.
The new payments regulation, set for September enforcement in the UK, is a once-in-a-generation change with the potential to massively disrupt an enterprise or to push an enterprise ahead of its competitors when it comes to customer experience.
But while SCA itself will be a vital pillar of protection for merchants and consumers alike, there is more to fraud and more to fraud protection then deploying a high-quality SCA solution. It is not, as some have mistakenly assumed, the only fraud solution a merchant will ever need. First, many transactions are not subject to SCA. And second, maintaining a low fraud rate is vital for providing a top-notch customer experience in the time of SCA.
Sounds convenient, I know, coming from a product manager at one of the world’s leading fraud protection vendors, but hear me out. Having a best-in-class fraud protection solution is more important than ever in the SCA age.
- European regulators approved SCA as a way to better protect online retailers and consumers. But a significant number of transactions are not subject to SCA and therefore invite fraud.
- Having a top-flight fraud protection solution is a key to being able to provide customers with a top-notch buying experience in the SCA era.
- Fraudsters are entrepreneurial. They will find new ways to take advantage of merchants when old standbys are shut down by regulations like SCA. They will turn to friendly fraud, or policy abuse and return abuse, for instance.
SCA calls for a more robust two-factor authentication
The promise of SCA is that it will better protect consumers by routing many transactions through 3D Secure and requiring two-factor authentication that calls for a shopper’s identity to be confirmed through two of the following:
- Something the user knows (like a one-time passcode).
- Something the user has (like a mobile device).
- Something the user is (fingerprint, facial recognition, typing behavior).
It’s important to note that there is nothing stopping fraudsters from attacking transactions protected by 3D Secure alone — and they do. The security protocol does shift liability from the merchant to its bank, but if a bank is hit by fraud often enough, it will protect itself by declining more orders.
That’s the quick and dirty, but the wonders of SCA lie in the details. And those details mean that a robust fraud protection solution is the bedrock of a successful SCA strategy. In fact, exceptional fraud protection is necessary because:
- Low fraud rates are required for key exemptions that allow consumers and merchants to bypass SCA.
- SCA does not cover every transaction a merchant will process — far from it.
- SCA deals head-on with payment fraud. It does not protect a merchant from friendly fraud or policy abuse by consumers.
- Fraudsters are innovative and entrepreneurial. SCA may prove a barrier initially, but professional fraud rings will find an alternate path of attack.
Let’s start with exemptions, as they are the key to providing a seamless SCA experience for online customers. Exemptions allow orders to be approved without undergoing SCA based on the notion that the transaction isn’t very risky or wouldn’t be very costly if things go wrong.
Skipping SCA is a highly desirable outcome. As you can imagine, requiring the stricter authentication process can introduce friction to the checkout process. In fact, the early reviews are not good.
Payments consultancy CMSPI has studied European markets where SCA is already being enforced and found cart abandonment rates of 31% in Europe. That’s a lot of business to turn away. Much of the friction leading to those horrid abandonment rates is caused by merchants relying on an outdated version of 3D Secure. The newer version 2.2 is expected to yield big improvements.
Why require customers to confront SCA when they don’t have to?
Nonetheless, why put a customer through two-factor authentication when it’s not necessary? Hint: customers don’t like being inconvenienced. In fact, in a consumer survey conducted for Signifyd by market research firm Upwave, more than 37% of UK consumers said they’d been unable to complete a transaction because of new online security procedures. Moreover, more than 46% said they were very or somewhat likely to give up on transactions that require two-factor authentication.
And so, exemptions. The important thing to remember about exemptions is that a low fraud rate is the price of admission. Let’s break the exemptions down and consider the role of best-in-class fraud protection in making them possible and secure:
- Low-risk and low-value transactions: Online orders of €30 or less that arrive without fraud red flags do not need to clear SCA. By definition, these orders are getting less scrutiny than orders of above €30, which makes them attractive targets for fraudsters. Having a high-quality fraud solution in place will protect these orders from fraud. Given that a business dealing in basket sizes under €30 are likely doing a high volume of low-cost orders, a solution that provides automated decisioning will save the business from being consumed by conducting manual reviews.
- Recurring transactions: Subscription payments for the same amount made to the same merchant are exempt from SCA, once the first payment clears SCA. That’s great, as far as it goes. But once that first transaction is processed, the following transactions are not subject to SCA and are vulnerable to fraud — unless a fraud solution is in place.
- Trusted beneficiary payments: Consumers can select specific merchants and ask their card-issuing bank to allow purchases from that specific merchant to be processed without SCA. The key here is, the consumer asks for the exemption and the bank can say no for any reason. If the bank says yes, a trusted beneficiary payment becomes a transaction that is not protected by SCA, again making those transactions targets for fraud. It doesn’t take a lot of creativity, for instance, to come up with potential targets. Consider Amazon’s huge customer base and the frequency with which Prime customers buy on Amazon. It’s the perfect recipe for a trusted beneficiary request. And a perfect merchant for a fraud ring with stolen credentials to visit, because SCA is less likely to be a barrier.
- Transaction risk analysis (TRA): Having a top-flight fraud prevention solution is exactly what TRA is all about. The exemption allows merchants with low fraud rates, using acquiring banks that also have low fraud rates, to bypass SCA on a sliding scale of order values. Those with an exceedingly low fraud rate of .01% can skip SCA on orders under €500. If a merchant’s fraud rate is under .06% they’re good for under €250. A rate under .13% means purchases less than €100 are exempt from SCA. Again, the merchant’s acquiring bank must match those fraud-rate limits.
The limits of SCA’s fraud protection are becoming clear now that enforcement has begun in much of Europe. Olivier Erol, the fraud manager at Paris-based Back Market, which sells refurbished personal electronics, said the biggest lesson he learned in 2020 was SCA’s limitations.
“I have learned that strong authentication is not a full guarantee to stop fraud,” he said.
Exclusions provide another set of circumstances to avoid SCA
Beyond exemptions, there are a host of scenarios under which SCA does not come into play, which leaves merchants vulnerable to fraud unless they have a solution in place. We live in a global economy. We live in a time when consumers shop the way they want to shop when they want to shop.
The new SCA regulations apply to merchants within the European Economic Area. But not all customers who shop with merchants in the EEA live in the EEA. Their purchases are subject to an SCA exception known as the “one leg out” exclusion. If either the issuing or acquiring bank involved in a transaction is outside of the EEA, SCA does not apply. Therefore, those orders are protected only by whatever fraud solution the merchant has in place.
Certain types of orders — mail order and telephone — are not subject to SCA, meaning the next call-in order a retailer gets could well be from a fraudster. Transactions made with anonymous payment instruments — think prepaid gift cards — are not subject to SCA. Guess who just became big fans of prepaid gift cards?
Finally, consider the challenge of non-payments fraud, sometimes called friendly fraud. Signifyd’s Ecommerce Pulse data showed a dramatic increase in false claims by consumers that ordered packages never arrived or that orders that did arrive were not as promised.
Signifyd measures the rise and fall of friendly fraud with its Consumer Abuse Index. The index tracks the change in the number of chargebacks fought by Signifyd and successfully won over time. The index assumes winnable chargebacks were likely to have been false claims.
Friendly fraud spiked dramatically during the COVD-19 pandemic
The Consumer Abuse Index ended 2020 at a level five times what it was before the COVID-19 pandemic set in. Another measure of the increase in friendly fraud was evident in Signifyd’s consumer survey. More than 36% of UK consumers surveyed said they’d falsely claimed that a legitimate charge on their credit account was fraudulent. Just over 30% admitting to falsely claiming that an order never arrived or that an order was unsatisfactory when it did arrive.
Signifyd asked a question similar to the recent question about missing or unsatisfactory orders two months before the pandemic was declared. At that time, only 14% of respondents said they had falsely claimed that a package had never arrived or that it arrived in poor condition.
Obviously, SCA is not going to detect friendly fraud, but a best-in-class fraud and abuse protection solution will.
Fraud rates and risks vary by retailer and even by retail vertical. But as SCA rolls across Europe and becomes enforced in the UK, it is clear that SCA is not a be-all fraud solution. In fact, in the SCA era, it’s clear that merchants need a high-quality fraud protection solution more than ever.
Okan Ozaltin, Signifyd’s general manager, payment solutions, contributed to this report.
Photo by Getty Images
Looking for the best way to comply with SCA? We can help.