PSD2: The European Payments Revolution? Part 2a: What is SCA and how is it performing?

In our previous blog post, we provided a brief overview of PSD2, outlining its objectives as well as the main areas tackled by the regulation.

We continue our review of PSD2 in this blog with a focus on the safety element of PSD2 that is Strong Customer Authentication. This is our second blog in a six-part series intended to provide a review of PSD2, three years on from its entry into force.

What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is a mandate introduced as part of PSD2 to reduce fraud and make card transactions safer for consumers. In order to comply with the mandate, banks must authenticate their customers for each ‘electronic payment transaction’ (The mandate also applies when a customer wishes to access their bank account and transfer funds. See article 97 of Directive (EU) 2015/2366) using at least two of three elements of identification: knowledge, inherence, and possession.

Identification Elements

 

 

  It should be clear from the definition above that a traditional in-store ‘Chip & PIN’ transaction would satisfy the SCA requirement. The consumer satisfies the possession element of identification by physically being in possession of the card and the knowledge element by correctly inputting the PIN associated with their card. Contactless transactions on the other hand, would not satisfy the SCA requirement as the customer only satisfies the possession element. This example also provides the intuition behind why SCA makes transactions safer. While for a contactless transaction a fraudster can simply steal a customer’s card and access funds, the same fraudster would need to convince or coerce the customer to provide their PIN to access the customer’s funds through a ‘Chip & PIN’ transaction. However, there is clearly a trade-off here between security and the customer experience. If we continue with our example of contactless transactions, there are many industries where contactless transactions play an important role in the way consumers decide to purchase goods. These are typically industries where the average transaction value is low and speed at checkout is important such as the Quick Service Restaurant (QSR) industry. Clearly, requiring PIN entry on all contactless transactions would not be a cost-effective way of minimising fraud here, not least because experience suggests fraudsters are unlikely to target low value transactions.

If we abstract beyond the contactless example and turn our attention towards ecommerce, making the checkout process as smooth and frictionless as possible becomes even more important. Ecommerce retailers spend a lot of time and effort crafting smooth checkout experiences to avoid customer cart abandonment. Introducing two-factor authentication introduces friction to the checkout and while it may foil some fraudsters trying to make fraudulent transactions online, it may also cause genuine customers to abandon transactions. Our estimates suggest failure on transactions requiring SCA is not trivial with failure rates as high as 45% in certain countries (CMSPI estimate). We will discuss these estimates further on in the blog. Fortunately, the regulation allows for transactions where SCA is either exempt or out of scope allowing certain transactions to avoid the added friction of two-factor authentication. This will be covered in part 4 of our blog-series.

What do the metrics tell us?

Since September 2020, we have been analysing SCA testing data from some of the largest retailers in Europe and providing insights into transaction failure rates. We have continued to update these numbers monthly to evaluate performance post-enforcement.

As illustrated in the figure below, failure rates across Europe are extremely high with the weighted average failure rate across Europe at 30% (CMSPI estimates).
 

Transaction Failure Rates

 

Failure Rate Definition: Our estimates for failure rates reflect the proportion of transactions that are abandoned by the consumer or declined by the issuer when challenged through 3DS2. What is 3DS? 3D-Secure or 3DS is an authentication protocol built by EMVCo and has been selected as the solution to bring SCA compliance to European card payments due to the prominence of its owners – including Visa, Mastercard, American Express and Diners Club – in the European market. This 30% estimated failure rate is not far off our initial estimate of 35% based on August 2020 testing data suggesting an improvement of just five percentage points over a period of 8 months. Therefore, there is still a long way to go before the failure rates reach the 5-10% target the industry is aiming for.  What is also apparent is that while all the estimated rates highlighted are much higher than the industry would like, the rates are significantly higher in some countries as compared to others. This partly reflects supply chain issues specific to certain countries which we’ll discuss in part 3 of our blog series.

Given that our failure rate estimate focuses on challenged transactions, it could be argued that the impact of this could be minimised with low challenge rates and more frictionless flow transactions through 3DS (i.e. exemptions). While this is true, our estimates suggest that challenge rates on 3DS transactions have remained relatively high. The estimated average challenge rate on 3DS transactions across Europe was 79% in April 2021 (CMSPI estimate), suggesting most transactions currently sent through 3DS are challenged. The effect of this can be seen in the graph below which outlines the evolution of failure rates on challenged transactions as well as estimated failure rates on all transactions going through 3DS (taking into account the rate at which 3DS transactions are challenged). Both metrics show high rates of failure and illustrate that as challenge rates have remained consistently high, failure rates estimated by each metric are very close.