For the European Union (EU) payments industry, Strong Customer Authentication (SCA) is the latest requirement of the revised Payment Services Directive II (PSD2). The amendment requires merchants to use multi-factor authentication, with the goal of increasing transaction security. While this requirement only applies to the EU, it has the potential for global adoption.
To further discuss SCA implementation and its impact on merchants, PaymentsJournal sat down with Kieran Mongey, Manager of Solution Consulting Merchant Retail at ACI Worldwide, and Tim Sloane, VP of Payments Innovation and the Director of the Emerging Technologies Advisory Service at Mercator Advisory Group.
The deadline for SCA implementation
Even though the recording of the podcast was done before the announcement of SCA implementation deadline delay of 6 months organizations should not waste this extended deadline and get more familiar on implementation and exemptions to ensure when the new deadline hits they are ready.
SCA is one of the most talked about points of PSD2, with most of the attention focused on compliance. While some merchants were prepared for the changes, there may have been a bit of confusion for others. Many merchants may have believed that SCA was a concern for issuers and acquirers, not in their control, which is partly true.
“[ACI has] had to bring our merchants to the table in many regards, and really advise them and lead,” said Mongey. “Because at the end of the day, it’s all about, How does a merchant now connect to acquirers and issuers? And how does the checkout page appear in a more frictionless flow? What are the opportunities? What are the risks?”
It’s up to technical providers to educate their customers on the answers to these questions. Unfortunately, it is more than likely that many merchants did not receive any advice and subsequently were unprepared for the change.
The future does look bright, however. While there were a series of issues that prevented many merchants from fully embracing and implementing SCA, it seems those hurdles have cleared.
“We’ve got stability,” assured Sloane. “We’re starting to really understand the statistics associated with using it, which may not be great, but they’ll get better… I would expect to see smoother rollouts along the way.”
The impact of SCA implementation on merchants
Because the SCA implementation is rather new, there is limited data on its impact on merchants. The initial results from countries like Spain and Belgium show that the decline rates for 3D Secure (3DS) have increased considerably under the new connector of an SCA.
“It’s now about trying to get down into the weeds in the details, to establish initiatives to get it back to where it was,” explained Mongey. For instance, instead of the frictionless flow, there have been some growing pains—error codes and declines—in terms of the volume of transactions being pushed through SCA. The problem is that merchants are paying a higher cost per transaction for 3DS, but they cannot guarantee a seamless transaction experience to their customers.
Merchants who have not been proactive about their exemptions strategy are probably taking a hit to their conversions. “It doesn’t necessarily mean that it’s a customer conversion drop,” continued Mongey. “It’s just a different set of reporting. And that can be a misdirection in terms of the reality of the situation.”
Enhanced authentication adoption may extend its reach
SCA and 3DS are not mandated outside of Europe. However, this doesn’t mean that they are not relevant for merchants operating outside of this region. Merchants who choose not to perform 3DS2 and SCA on transactions whenever possible have a higher probability of seeing an increase in issuer-bank declines.
So will the adoption of 3DS2 and SCA extend beyond their European boundaries? Mongey believes the answer is yes, depending on a few factors. “If Visa and MasterCard get the levels right, and the exemption capabilities, then of course it will. I think we have to be more regulated in and [in control of] control fraud.”
3DS 1 failed because issuers authenticated transactions without any data, and acquirers were not held accountable for fraud. The customer experience was at a low, and merchants were not fraud screening because of liability shifts.
With 3DS 2.2 however, authentication is much smoother. Biometrics are just one example of newer authentication technology that helps to provide a more seamless, convenient experience. This, along with other new technology, will ensure a better uptake than its predecessor.
Lastly, there is the possibility that SCA becomes mandatory in more established markets such the U.S. As businesses and regulators continue to guarantee better data security and crack down on fraud, they may find themselves looking for this multi-factor authentication to increase the security of electronic payments.
How can merchants improve implementation issues?
There are several things that merchants who have already implemented 3DS2 can do to improve upon issues they may be experiencing. Talking to merchant connectors, acquirers, and technology providers is a good place to start.
“It’s our job to really optimize that,” said Mongey. “[For merchants], maybe it’s about offering your own authentication, like I mentioned, [or] maybe it’s about offering different payment methods that may not have that kind of element to it now.” It’s crucial for merchants to look at the market and see what’s available and continue to evolve.
It’s also important that merchants assess their payments and conversion rate performance to understand where improvements need to be made. They should consider their fraud and risk strategies as a whole, and look at their acquiring strategy. This will offer more flexibility and allow merchants to be sure they are using acquirers with low fraud rates.
