The PSD2 strong customer authentication regulation has created a legislative framework that secures new ways to exchange payments, but under stricter rules. Strong Customer Authentication (SCA) is a requirement of the second Payment Services Directive (PSD2) in the UK and the EU. As SCA has been enforced across Europe, extra layers of fraud protection are applied prior to payment authorisation. Online shoppers are required to authenticate themselves through:
- Biometrics (e.g. iris, fingerprint): something inherent and unique to the buyer.
- Something only the buyer knows (e.g. PIN or password).
- The specific device that is used to make the purchase.
Unfortunately for the merchants, 3D Secure anti-fraud layers create friction that slows down checkout time. This generates higher abandonment rates.
Stricter regulatory requirements are challenging for many stakeholders in the payments business, particularly for merchants that struggle with a potential loss of revenue and customer loyalty. There is a widespread misconception amongst retailers that as long as all transactions are sent via 3DS2, they don’t have to worry about compliance, because the liability shifts to the acquiring banks. With cart abandonment rates over 25%, sending all transactions through 3DS is counterproductive. Other merchants choose to request blanket exemptions, which exposes them to increased chargeback fraud and liability risks.
It is important to know that not all transactions require SCA
When transaction types are out of scope, SCA is optional. In other cases, exemptions may be applied. Merchants have to be aware of when and how exemptions can be used to minimise disruption while protecting their customers and their own business from fraud. This is where it can get rather complex. It is crucial for a merchant’s business to optimise the buyer’s experience by minimising friction and reserving SCA for the orders that require it. Therefore, merchants must understand when to apply for exemptions and when transactions are out of scope.
When are transactions out of scope?
- Merchant Initiated Transactions (MIT)
- Mail Order Telephone Order (MOTO)
- One-leg-out Transactions
- Gift Cards
SCA exemptions apply when:
- Transactions are considered low risk, based on a Transaction Risk Analysis (TRA) assessment
- Low-value transactions (below €30)
- Trusted Beneficiary Lists (SCA only on the first transaction)
- B-to-B transactions made from secure corporate environments
- Recurring payments
The importance of an intelligent payment SCA strategy cannot be overstated. If a transaction is in scope and no exemption can be applied, SCA is required and the customer is subjected to 3DS as part of the checkout flow. If this protocol is not followed, the transaction will be declined.
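The pre-authorisation decision described above, sketched as an added example (it is not from the original article or any vendor's product). `Txn`, `sca_decision`, the `TRA_MAX_SCORE` cut-off and the rule that the first payment of a recurring series is authenticated are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

OUT_OF_SCOPE = {"MIT", "MOTO", "ONE_LEG_OUT", "GIFT_CARD"}  # the article's out-of-scope list
LOW_VALUE_LIMIT_EUR = Decimal("30")  # the article: "below €30"
TRA_MAX_SCORE = 0.20                 # assumption: local risk-score cut-off, not from the article

@dataclass(frozen=True)
class Txn:
    kind: str                            # "ECOM" or one of OUT_OF_SCOPE
    amount_eur: Decimal
    risk_score: Optional[float] = None   # 0.0 (safe) .. 1.0 (risky); None = not scored
    payee_trusted: bool = False          # payee is on the buyer's trusted beneficiary list
    first_to_payee: bool = True          # first payment from this buyer to this payee
    recurring: bool = False
    first_in_series: bool = True         # assumption: first recurring payment gets SCA
    secure_corporate: bool = False       # B-to-B payment from a secure corporate environment

def sca_decision(t: Txn) -> tuple[str, str]:
    """Return (route, reason). The reason is kept so exemption rates can be reported."""
    if t.kind in OUT_OF_SCOPE:
        return ("frictionless", f"out_of_scope:{t.kind}")
    if t.secure_corporate:
        return ("frictionless", "exempt:secure_corporate")
    if t.payee_trusted and not t.first_to_payee:
        return ("frictionless", "exempt:trusted_beneficiary")
    if t.recurring and not t.first_in_series:
        return ("frictionless", "exempt:recurring")
    if t.amount_eur < LOW_VALUE_LIMIT_EUR:
        return ("frictionless", "exempt:low_value")
    # Fail closed: a transaction that was never risk scored cannot claim the TRA exemption.
    if t.risk_score is not None and t.risk_score <= TRA_MAX_SCORE:
        return ("frictionless", "exempt:tra")
    return ("3ds_challenge", "sca_required")

if __name__ == "__main__":
    # Constructed sample transactions.
    for txn in (Txn("MOTO", Decimal("500")), Txn("ECOM", Decimal("29.99")),
                Txn("ECOM", Decimal("120"), risk_score=0.9)):
        print(txn.kind, txn.amount_eur, sca_decision(txn))
```
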
What is the best SCA strategy for retailers?
Retailers that want to minimise friction, create a seamless customer experience and mitigate compliance and chargeback risks have an option: regulatory technology (regtech). Regtech solutions are developed to offer merchants, (acquiring) banks and fintechs one integrated risk management, transaction monitoring and billing solution to optimise the entire process.
Exemptions and out-of-scope transactions are recognized by the system before authorization (pre-auth). If 3D Secure is not required, this will result in significantly reduced abandonment rates and optimised sales conversion. Transactions are automatically monitored, risk analysis is performed instantly, and fraudulent orders are not authorised. Regtech solutions use artificial intelligence and machine learning to minimise false positives. This reduces the risk of flagging low-risk transactions as high-risk. Reduced false declines significantly improve conversion rates.
Exempted and out-of-scope transactions are intelligently risk scored and automatically routed down a frictionless checkout path while protecting the retailer’s business against compliance and chargeback risk. With Dynamic Exemption Management, merchants can maximise the number of transactions deemed SCA-exempt for routing down a friction-free path to payment, enabling them to boost their authorization rates under PSD2 requirements.
On the other hand, non-exempted, in-scope transactions are risk scored and assessed with biometrics, device fingerprinting and behaviour analysis tools and, if considered necessary, red-flagged. Integrated, user-friendly billing management will give merchants complete visibility into SCA exemption rates and liability ownership.
It is crucial to their business that merchants, payment service providers (PSPs), and acquirers optimise their SCA strategy. With a proper regtech solution in place, stricter regulations do not have to lead to a loss of business. An intelligent SCA strategy leads to optimised regulatory compliance, solid risk management, a seamless buyer experience and growing customer loyalty.