Strong Customer Authentication (SCA): What It Is and What Merchants Should Expect in 2020
This blog post was originally contributed by Nick Galov from HostingTribunal.com.
Let’s face it — the internet is not the safest place to be.
Even though online security has become more sophisticated over the years, the Web is still fertile ground for all sorts of scams.
To illustrate, online merchants worldwide lose over 7.5% of their annual revenue due to fraud. Imagine someone stealing your December salary every year. It’s almost the same.
With fraud rates being what they are, the European Commission chose to intervene, coming out with a new set of regulations in 2018.
Strong Customer Authentication (SCA) is one of them.
You might be wondering:
“What does SCA stand for?”
We’ll tell you all about it.
This regulation will affect online merchants in more ways than one. Even if your store is not based in Europe, SCA might apply to you.
That’s why we are addressing this topic. We will break down what SCA is, whom it affects, what its impact might be, and how to best prepare for it.
Read on so you can ensure SCA doesn’t take you off guard.
I. What is SCA?
As we’ve said, SCA is a new regulation. It is a part of the Revised Payment Services Directive (PSD2), whose stated goals are:
- Protecting consumers
- Making payments more secure
- Improving the level playing field for payment service providers
- Contributing to a more integrated and efficient European payments market
SCA Basics
This is where SCA comes into play. It compels two-factor authentication for electronic payments. In other words, customers have to prove their identity in two ways before proceeding with payment.
People who use Visa or Mastercard might already be familiar with this process. You are taken to a “Verified by Visa/MasterCard SecureCode” page where you must type in a password or an SMS code before the transaction can complete.
This makes transactions more secure. It protects both the retailer and the buyer from fraud.
What are, then, the acceptable ways to prove one’s identity?
What Counts as an Authentication Method
SCA defines three acceptable categories of authentication element: knowledge (something only the user knows), possession (something only the user has), and inherence (something the user is).
Don’t worry if this sounds confusing; we’ll give you a few examples.
The elements categorised as knowledge are:
- Passwords
- PINs
- Passphrases
- Secret questions
Possession includes:
- Mobile phones
- Smart watches
- Tokens
- Smart cards
Inherence encompasses:
- Fingerprints
- Facial recognition
- Voice patterns
- Iris patterns
The customer must confirm their identity by providing at least two elements from different categories.
How SCA Protects You
One provision is that the authentication elements must be mutually independent. In other words, the compromise of one element should not also compromise the other.
This makes it more difficult to make fraudulent transactions. Anybody can steal a credit card. What are the odds of somebody both stealing your card and figuring out your password?
Many banks and payment providers have long since implemented two-factor authentication. This is now going to become standard practice, and the guidelines will be stricter.
We’ll explain why in the following section.
II. Why You Should Care
As we’ve said, SCA is one of the PSD2 rules and is meant to make transactions more secure. If you’re worried about fraud, SCA will let you rest easy.
Retailers Against SCA
Yet, some eCommerce website owners are less than thrilled.
Some state — rather fairly — that their security systems provide more safety than SCA. Some retailers also say they are in risk-free niches.
Why should they worry about SCA?
If you’re one of them, we say to you, fair point. You might want to keep reading anyway.
The European Commission is enforcing these ecommerce authentication methods as a one-size-fits-all solution. Even if you are not at risk, SCA still applies to you.
Some retailers might find this unfair. Regardless, they need to prepare for SCA.
Can You Avoid SCA?
Let’s play devil’s advocate, though. What happens if you aren’t SCA-ready?
Good news first:
There are no fines. The burden of being SCA compliant is not on the retailer, so no organization can penalize you.
But that does not mean there are no financial repercussions.
Let’s say a customer wants to purchase a product from you. In compliance with SCA, their bank requests authentication. Your payment gateway doesn’t support it. In this case, the transaction wouldn’t go through.
You’ve lost a sale, just like that. Admittedly, losing one sale isn’t the end of the world. But what if most of your transactions need to be authenticated? You could lose most of your profits.
This is reason enough to look into SCA.
Things to Keep in Mind
Let’s say your store is SCA-compliant. There are still things you need to be aware of.
For one, additional authentication adds another step to the checkout process. Every retailer knows this can negatively impact the conversion rate.
How will enforcing SCA on this level affect eCommerce, then?
The experts don’t really agree. Some say the losses due to shopping cart abandonment will balance out with the money saved by reduced fraud rates. Others maintain online retailers will have to suffer through a period of losses before buyers get used to the revised payment services.
Whatever happens, its magnitude will surely vary depending on location, business size, and the product sold. You should just know that your sales might take a hit. (We’ll talk more in depth about minimizing this in the following sections.)
SCA takes effect on September 14, so you have time to prepare.
III. Does This Apply to Me?
SCA doesn’t apply to every merchant or to every payment method. Moreover, not all transactions require SCA.
Who Falls Under SCA
Obviously, if you run a small eCommerce site in North Dakota and don’t ship products out of state, you’re off the hook.
Not all non-European retailers are, though. A merchant’s location isn’t as relevant here. If you sell physical or digital products to European customers, SCA rules might apply.
For this to happen, the customer’s payment instrument should be issued in the European Economic Area. The acquiring bank or payment processor must also be in the EEA. Sounds a bit technical, right?
In layman’s terms, SCA only applies if the customer’s card has been issued in the EEA. Otherwise, SCA doesn’t matter.
The retailer’s payment provider must also operate in the EEA. Otherwise, the payment provider should do their best to comply with PSD2 strong customer authentication requirements — but they don’t really have to.
If both conditions are met, but the provider doesn’t comply with SCA, the transaction will likely not go through.
All in all, it pays off to investigate payment providers and see where they operate and if they are SCA-compliant.
SCA Exemptions
There are special circumstances where authentication is not required. We’ll cover a few.
- Transactions under €30 are considered low-value payments. They do not require authentication. But if a customer makes five low-value payments or their cumulative value exceeds €100, payment authentication is required. Mind that these don’t have to be payments to a single merchant. If a customer makes five payments across multiple e-stores, they must authenticate for at least one.
- A customer could also add you to a list of trusted beneficiaries. Being whitelisted exempts you from SCA for all purchases. In such cases, it’s good to be up to date with website security practices. For example, monitoring transactions can prevent fraud here. If a customer has whitelisted you, but you notice suspicious activity (like their country changing), you can follow up with them regardless of SCA.
- Another important exemption applies to recurring electronic payments. If you sell a subscription, the customer only needs to authenticate for the first transaction. However, if the cost of the subscription changes, they have to authenticate again.
- Finally, payment providers will be able to deem transactions low-risk. This is only allowed if the PSP has a fraud rate below 0.13% for card payments and 0.015% for credit transfers. However, it is always up to the bank whether the customer should authenticate.
There is more to exemptions than this. You can read more detailed info about SCA exemptions here.
In short, not every transaction has to be verified. That being said, the only retailers not affected by SCA will be the ones based outside the EEA and selling only to customers outside the EEA.
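To make the exemption rules above concrete, here is an added example (not code from the original post, X-Cart, or any PSP) of the decision an issuer would make per card. It assumes the post’s thresholds are exact cut-offs, that counters are kept per card across all merchants, and that a challenge (i.e. the cardholder authenticating) resets the low-value counters; merchant names and amounts are constructed.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Thresholds as quoted in the post; treating them as exact cut-offs is an assumption.
LOW_VALUE_LIMIT = Decimal("30")       # a payment under this amount is "low value"
MAX_LOW_VALUE_COUNT = 5               # the fifth consecutive low-value payment is challenged
MAX_LOW_VALUE_TOTAL = Decimal("100")  # ...as is the one pushing the running total past this

@dataclass
class CardState:
    """Issuer-side bookkeeping for one card. Counters are per card, not per
    merchant, because the post notes low-value payments count across e-stores."""
    low_value_count: int = 0
    low_value_total: Decimal = Decimal("0")
    trusted: set = field(default_factory=set)          # merchants the cardholder whitelisted
    subscriptions: dict = field(default_factory=dict)  # merchant -> amount authenticated for

def _reset_low_value(state: CardState) -> None:
    # Assumption: a challenge means the cardholder authenticated, restarting the counters.
    state.low_value_count = 0
    state.low_value_total = Decimal("0")

def requires_sca(state: CardState, merchant: str, amount, recurring: bool = False) -> bool:
    """Return True when the issuer must challenge the cardholder for this payment."""
    amount = Decimal(str(amount))
    if merchant in state.trusted:
        return False                                   # trusted-beneficiary exemption
    if recurring:
        if state.subscriptions.get(merchant) == amount:
            return False                               # same subscription amount as last time
        state.subscriptions[merchant] = amount         # first charge, or the price changed
        _reset_low_value(state)
        return True
    if amount < LOW_VALUE_LIMIT:
        state.low_value_count += 1
        state.low_value_total += amount
        if (state.low_value_count >= MAX_LOW_VALUE_COUNT
                or state.low_value_total > MAX_LOW_VALUE_TOTAL):
            _reset_low_value(state)
            return True
        return False                                   # low-value exemption applies
    _reset_low_value(state)
    return True                                        # every other payment is challenged

if __name__ == "__main__":
    card = CardState()
    # Constructed sample: five €20 payments at five different shops.
    print([requires_sca(card, shop, 20) for shop in ("a", "b", "c", "d", "e")])
```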
IV. 3DS 2.0 to the Rescue
The Problem with 3DS1
We’ve raised the question of higher cart abandonment already.
To reiterate, two-factor authentication adds another step to the checkout process. The customer is redirected to another page where they verify their identity. Then, they are redirected back to the merchant. This process has been characterized as frustrating by banks, payment providers, and retailers alike.
Plainly speaking, authentication is annoying.
The process we have described is nothing new. It’s called 3D Secure, and banks have been using it for years.
It provides authentication based on a three-domain model (hence the name, 3D). The three domains are:
- The acquirer domain (the merchant’s)
- The issuer domain (the bank’s)
- The interoperability domain (provided by the card scheme)
Again, if you’re a Visa or Mastercard holder, you’re probably familiar with this. Every card scheme has its own name for it: Visa Secure (formerly Verified by Visa), American Express SafeKey, MasterCard SecureCode.
3DS is a straightforward way to secure online payments. The problem is that customers hate it. Consequently, 22% of all transactions authenticated using 3D Secure are lost.
That’s why one concern about SCA is that it will make shopping cart abandonment skyrocket.
How 3DS2 Solves This
This is forcing banks and payment service providers to implement 3D Secure 2.0 as fast as possible.
As you can probably guess, 3DS 2.0 has the same purpose as 3DS. It is just a way to meet the PSD2 authentication requirements more easily.
Let’s see what it does differently.
1. For one, the older version did not work well on mobile devices. The new one works both with apps and mobile browser sites. With Android being the most popular OS right now, this is insanely important.
2. 3DS used to require authentication for each transaction. 3DS 2.0 does not. Instead, it looks at around 150 pieces of authentication data to evaluate the risk of the transaction. If the transaction looks suspicious, the customer has to authenticate. Otherwise, the transaction can just go through.
3. Even if the customer has to verify their identity, the process is easier. 3DS 2.0 accepts biometric elements, like fingerprints or facial recognition. This is much faster than passwords and PINs. Therefore, it leads to fewer abandoned shopping carts.
4. A great benefit of 3DS 2.0 is that it doesn’t force the customer to navigate away from the checkout. This is a great transaction saver.
All in all, 3DS 2.0 is projected to be a great asset once SCA comes into effect. That’s why European banks and payment providers are racing to make it functional on their platforms.
Still, we shouldn’t get too optimistic. We still need to see the results before we can say 3DS 2.0 is revolutionizing eCommerce.
Additional Resources:
Countries That Have Mandatory 3D Secure Implementation
What is Liability Shift and ECI?
With 3D Secure enabled, you, as a merchant, are no longer responsible for some fraudulent chargebacks. MasterCard SecureCode, Verified by Visa, American Express SafeKey, and other payment processing solutions help verify the identity of the cardholder making an online purchase. If the authentication is successful, the responsibility for any fraudulent chargeback shifts from you to the card issuer. This process is called liability shift.
The result of the attempted 3D Secure authentication is recorded in the Electronic Commerce Indicator (ECI). In other words, it indicates the level of security achieved for the transaction.
The following diagram illustrates different scenarios.
V. How to Enable SCA
Alright, we’ve discussed enough theory. Let’s talk about making your store comply with SCA.
We have more good news here. Most of the hard work does not fall on you.
It is the banks and the payment service providers that are legally obligated to be SCA compliant.
Let’s say a customer tries to make a fraudulent transaction and your PSP does not support SCA. The transaction likely wouldn’t go through. If it does, though, the PSP is at fault.
The same goes for the banks that don’t comply with SCA in time.
Still, it is in your best interest to find an SCA-compliant payment service provider if you target European customers. Otherwise, your sales may plummet.
Probably the easiest way to do this is to let an eCommerce platform handle everything for you. For instance, X-Cart makes it extremely easy to create an online store that’s SCA compliant.
For one, it offers 120 payment gateways, 60+ of which are SCA ready at the moment. You won’t have to worry about authentication getting in the way of your conversions.
In addition, one of X-Cart’s many features is a tool called X-Payments. X-Payments goes the extra mile to ensure SCA readiness and add extra security.
The tool acts as an intermediary between the payment gateway and the customer. This way it works towards making the checkout as seamless as possible.
As for security, X-Payments makes sure you don’t have to deal with storing any customer data. Everything is automatic: it creates an encrypted token with data about each transaction on the X-Payments server, so the card data never has to live on your own systems.
It doesn’t store any credit card numbers, codes, or cardholder names. Even if the server is compromised, the sensitive data is not there. This makes it impossible for anybody to compromise credit card data on your end.
And before you ask, yes, X-Payments will be updated to be compatible with 3DS 2.0. Your customers won’t have to deal with the old 3DS. Everything about X-Cart makes online retail easy on your customers and easy on you.
Conclusion
To conclude, SCA will affect hundreds of thousands of merchants. If you sell products in Europe, you are practically guaranteed to feel its impact. Luckily, there is still enough time to prepare.
One of the easiest ways to handle the new regulations is to use an eCommerce platform. They make it a breeze to keep up with all the legal and security novelties. Both new retailers and established ones can make their lives easier by using eCommerce software.
You now know what to do so SCA doesn’t take you by surprise. We wish you good luck.
Alex joined X-Cart in 2005 and since then spearheaded Support and Hosting departments, focused on customer needs as a Director of Customer Success and now helps our clients to grow and prosper as Enterprise Account Executive. He truly believes that if we don’t take care of our customers, someone else will.