This clear and concise article by Shagun Varshney identifies the many fraud vectors that remain despite EU regulations that mandate strong customer authentication (SCA). The concept of strong authentication is simple and compelling, yet the real world has punched many holes in that concept. The payments industry has made Frictionless Payments the new vision, and SCA is the opposite.
Now even policy wonks recognize that SCA for every payment is insane. So the SCA mandate has been recalibrated to recognize multiple confusing exemptions, including a statistical one: prove you can keep fraud below a specific threshold and skip the challenge.
Not discussed in this article is the issue of user complexity when every issuer implements a different challenge methodology for different channels: password for account access, secret phrase for call center, biometric for bill pay, and OTP for payments. It will almost certainly get worse before consumers demand better, and that suggests an opportunity for issuers to simplify the process to enhance their top-of-wallet position:
“That’s SCA in simple terms but the wonder of the regulation lies in the detail. And on closer inspection of what SCA stipulates, it is clear that a robust fraud protection solution will be the bedrock of a merchant’s successful SCA strategy because:
1. Low fraud rates are required for key exemptions that allow consumers and merchants to bypass SCA.
2. SCA does not cover every transaction a merchant will process — far from it.
3. SCA deals head-on with payment fraud. It does not protect a merchant from friendly fraud or policy abuse by consumers.
4. Fraudsters are innovative and entrepreneurial. SCA may prove a barrier initially, but professional fraud rings will find an alternate path of attack.
Let’s start with exemptions, as they are the key to providing a seamless SCA experience for online customers. Exemptions allow orders to be approved without undergoing SCA based on the notion that the transaction isn’t very risky or wouldn’t be very costly if things go wrong.
Skipping SCA is a highly desirable outcome as stricter authentication measures have the potential to disrupt the customer’s online checkout experience. A recent study into European markets where SCA is already being enforced found basket abandonment rates of 25% and higher by country. Much of the friction leading to those horrid abandonment rates is caused by merchants relying on an outdated version of 3D Secure. The newer version 2.2 is expected to yield big improvements.
Why require customers to confront SCA when they don’t have to?
Nonetheless, why put a customer through two-factor authentication when it’s not necessary and when customers don’t like being inconvenienced? In a recent consumer survey, more than 37% of UK consumers said they’d been unable to complete a transaction because of new online security procedures. Moreover, more than 46% said they were very or somewhat likely to give up on transactions that require two-factor authentication.
And so, exemptions.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group