
How SCA Helps Reduce Fraud

Identifying and Equipping Your Ecommerce Store for Online Fraud

[4-minute read]

If you’ve been paying attention to our blog series, by now you should know a little about protecting your business against payment fraud. Without a doubt, it can all sound a bit overwhelming, and that’s why we’re here to help. We’ve scoured the internet for information sources to assist in combating fraud. Together, we’ll unpack some of the processes you must go through to create a safe online environment on your ecommerce store platform.

What is SCA?

Strong Customer Authentication or SCA is a European requirement attached to the revised Payment Services Directive 2 (PSD 2). It’s set to make online and offline contactless payments more secure and reduce incidences of fraud across electronic payments. The role of the PSD 2 is to protect consumers, encourage banking innovation, and support the security of cross-border European payment services.

SCA requires that customers take extra steps when paying online with a card. Merchants are challenged to find ways to integrate SCA at the digital point of sale without affecting the consumer experience. You’re thinking, “Not another regulation to frustrate businesses.” Don’t worry, we’re in this together. SCA compliance involves updating payment processes at card schemes, payment processors, banks, merchants, and service providers. Simply put, to launch SCA with relative ease, a smooth customer transition across all institutions active in the online payment process is key. 

SCA was initially introduced to the market in 2019. With the continued approval of the European Economic Area (EEA), the roll-out deadline has been extended many times.

The role of 3D Secure

Admittedly, SCA compliance can get complicated. Businesses meet SCA regulations by using 3D Secure 2 (3DS2). Cardholders are required to input two forms of identification (two-factor authentication) to check out. The first needs customers to have a mobile number stored with their bank or have the bank’s app installed with notifications. This is so they can receive and input One-Time Passwords (OTPs). Since 2019, card details can no longer be considered a valid second factor for authentication. It’s therefore important for all businesses to carefully consider an approved second factor to comply with SCA.

3D Secure 

Most banks had been using 3DS1. This isn’t considered up to speed with SCA requirements. Customers are redirected to the card issuer’s website before payment is verified. This is so they can provide more authentication details such as a password or an SMS verification code. The redirect in 3DS1 leads to lower conversion rates because of the probability of technical errors during the redirection process. These disruptions lead to shoppers dropping out of the authentication process and to more abandoned carts.

3D Secure 2

In 3DS2, an update from the previous version, the card issuer performs the authentication within your payment form or app. Shoppers aren’t redirected to another website. The shopper’s identity can be verified using two-factor, biometric or passive authentication approaches.

While 3DS1 can still be used, it’s not SCA compliant. As a result, it will eventually be phased out by the schemes; this started in October 2021. Most importantly, payment networks have set some noteworthy deadlines:

Visa

As of 15 October 2022, Visa won’t support 3DS1 and secure payments must apply the 3DS2 protocol.

Mastercard

From 14 October 2022, Mastercard won’t process 3DS1 transactions for cardholder authentication. Payments sent to the 3DS1 directory will be refused by the network.

In consideration of the actions to be taken above, if you hadn’t considered SCA compliance before, a mild panic is now warranted.

Exemptions from SCA

Don’t distress too much; relief comes in the form of exemptions. The authentication built into your checkout flow involves an extra step that may increase customer drop-off. Using exemptions for specific transactions lowers the number of times a customer interacts with multi-factor authentication and avoids cart abandonment. Exemptions for online businesses involve:

Fixed recurring transactions and subscriptions

With payer-initiated payment methods, only the first payment of a fixed subscription will require SCA. This applies on the condition the paid amount stays the same. Further transactions won’t need SCA unless the amount changes.

Low-value payment

Transactions below €30 are exempt from SCA, but it’s required if a customer makes:

  1. Five or more payments below €30, or
  2. Multiple low-value payments that together tally up to €100 or more

The five transactions that add up to €100 may be payments from different companies, as thresholds are not merchant specific.

Contactless payments

Contactless payments that meet either condition are exempt from SCA.

  1. Individual payments below €50, or
  2. Five or more payments below €50

In the instance where combined payments totalling €150 are made, SCA will once again be required. 

Why compliance is important

The implementation of SCA has been an ongoing process spanning over three years. What’s causing the delay? Without a doubt, there are a few problems. Failure rates on transactions through 3DS2 due to declines or cart abandonment are high. Payments consultancy CMSPI found that the estimated failure rate in Europe was at 26% in August 2021. These disruptions have the potential of negatively affecting revenue. That’s why it’s important for businesses to work on the optimisation of their ecommerce platforms to counteract SCA’s effect on sales.

Regardless of the hurdles businesses may have to jump over while adapting to SCA, the benefits outweigh the complications. They include:

  • Reduce fraud to create a safer online transaction environment for both consumers and businesses.
  • Increase consumer confidence around online purchases and, as a result, encourage the entry of new online shoppers.
  • Advance overall compliance, from merchants and service providers to payment processors.

 

Europe’s SCA compliance deadline was 1 January 2021. With the enforcement date for UK retailers now set for 14 March 2022, are you ready? As of this date, all non-compliant retail transactions may be declined by card issuers. Truevo is ready, as all our products follow the 3DS2 protocol. And we’re also helping our merchants with compliance. As one of the many actions taken by Truevo to ensure data integrity, we designed and implemented what we’ve coined “the compliance engine.” The engine validates each transaction to ensure SCA compliance. The validation ensures that every transaction received is either authenticated or carries the indicator that makes it eligible for an exemption from authentication, such as the recurring or the low-value payment indicator. All non-compliant transactions are declined with a representative response code and a description detailing non-compliance as the cause.
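The validation rule described above, together with the low-value thresholds from the exemptions section, as an added Python sketch; it is not Truevo's engine. The field names, the `SCA-REQ` response code, the amount checks applied to an exemption indicator, and the reading that the counters run since the card's last authentication are all assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

LOW_VALUE_LIMIT = Decimal("30")    # per-payment limit stated in the article (EUR)
CUMULATIVE_LIMIT = Decimal("100")  # running total at which SCA is required again
COUNT_LIMIT = 5                    # payment count at which SCA is required again


@dataclass
class Txn:                                   # hypothetical transaction record
    amount: Decimal
    authenticated: bool = False              # 3DS2 authentication completed
    exemption: Optional[str] = None          # "low_value", "recurring" or None
    first_in_series: bool = False            # recurring only
    agreed_amount: Optional[Decimal] = None  # recurring only


def low_value_needs_sca(prior_exempt, amount):
    """Issuer-side view. prior_exempt lists the card's exempted low-value
    amounts across ALL merchants (assumed: since its last authentication)."""
    if amount >= LOW_VALUE_LIMIT:
        return True
    count = len(prior_exempt) + 1
    total = sum(prior_exempt, Decimal("0")) + amount
    return count >= COUNT_LIMIT or total >= CUMULATIVE_LIMIT


def validate(txn):
    """Gateway-side check: authenticated, or a plausible exemption indicator.
    Returns (approved, code, description); the codes are constructed."""
    if txn.authenticated:
        return True, "00", "approved: authenticated"
    if txn.exemption == "low_value" and txn.amount < LOW_VALUE_LIMIT:
        return True, "00", "approved: low-value exemption"
    if (txn.exemption == "recurring" and not txn.first_in_series
            and txn.amount == txn.agreed_amount):
        return True, "00", "approved: recurring exemption"
    return False, "SCA-REQ", "declined: not authenticated, no valid exemption"


if __name__ == "__main__":
    # Constructed sample: a 45.00 payment wrongly flagged as low-value.
    print(validate(Txn(Decimal("45.00"), exemption="low_value")))
    # Constructed history: four exempted 10.00 payments, then a fifth.
    print(low_value_needs_sca([Decimal("10")] * 4, Decimal("10")))
```

The two functions sit on different sides of the payment: a gateway can check the indicator and the amount, but only the issuer sees the per-card counters, because the thresholds are not merchant specific.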

The engine launched on the 11th of November 2021. For the past year or so, we have worked with all our merchants to ensure their compliance and avoid disruptions in our merchants’ processing. For safer online transactions and a helpful payment partner, choose Truevo.

Did you learn something from this quick read? Would you like us to explore more fraud and compliance related topics? Tell us on social media: Facebook, Instagram, Twitter, and LinkedIn

Sean Camilleri
Head of Risk Monitoring at Truevo Payments

Disclaimer: This content has been written for informational purposes only. It should not be construed as legal or business advice.
