May 04th 2022

Strong Customer Authentication: What UK Merchants Need to Know from the EU Experience

In March 2022, following multiple delays, the UK joined its European neighbours in implementing the latest regulation intended to make ecommerce more secure. But SCA was more than many merchants bargained for, with initial estimates from Barclays suggesting that UK retailers lost £130 million in sales in the first month alone.¹

For many retailers on the continent, the story was a little too familiar. In this article, we ask what lessons UK merchants can take from the EU’s earlier introduction of SCA: why sales are failing, where fraud rates will land, and how to build SCA into their holistic strategy for transaction success.

What is SCA?

Part of the EU’s Second Payment Services Directive (PSD2), Strong Customer Authentication requires that all transactions are authenticated using two of the following three factors:

  • Knowledge (something only the customer knows, like a PIN)
  • Inherence (something inherent to the customer, like a fingerprint)
  • Possession (something only the customer has, like their card)

Whilst Chip & PIN (and exemptions for most contactless transactions) make it easier to meet SCA requirements in-store, online sales can be placed at significant risk when new frictions affect customer experience at the checkout.

Lost sales: Is it me, or is it my payments partners?

Every card payment passes through multiple different parties on its journey to approval. That means everyone has to be ready for SCA: retailers, acquirers, issuing banks, fraud providers, and more. But when any one of these players turns a perfectly good transaction away, it is easy for a customer to blame the merchant, and ‘solve’ the problem by shopping with their competitor. When this happens – as it did, to the tune of an estimated €25 bn of lost revenue in Europe in 2021² – every party in the supply chain can lose out. 

The EU Merchant Experience

After many EU countries moved to implement SCA by December 31st 2020, the estimated failure rate of challenged transactions (i.e. those ‘stepped up’ to require SCA) reached up to 33% (see the 2021 snapshot in Figure 1)³. The potential reasons for this varied, and spanned the whole supply chain; in some cases, CMSPI heard reports of issuing banks requiring SCA on cards that did not yet support the technology. In others, long system delays led to customers dropping out of the payment process altogether.

Figure 1: Estimated failure rate of challenged transactions in the EU over time

The Solution

When a transaction fails in error, or a good customer drops out, every party in the payments supply chain is made worse off. This common interest makes it imperative that merchants collaborate with every partner along their payments flow: speaking directly with their acquirer to ensure they are flagging transactions correctly, with their fraud provider about the exemption implications of pre- vs post-auth assessment, or even with the schemes regarding authentication solutions such as 3D Secure. False declines are widespread even without accounting for SCA, and only proactive merchants with the expertise and data to identify false declines at the transactional level can minimise the amount of revenue they leave on the table.

The End of the Fraud Problem?

The primary intention of SCA regulation is to make transactions more secure. So although some transactions are slipping through the cracks and being wrongly declined, the upside is that merchants will pay less to combat fraud themselves, right?

The EU Merchant Experience

Analysis of the impact of SCA on fraud for EU retailers has produced mixed results. Many of CMSPI’s partner merchants have not seen a significant decrease in their fraud rates since the introduction of SCA. However, some parties such as domestic schemes have reported differing results, serving only to increase the confusion for international merchants.

The Solution

The one surety from the EU experience is that SCA has not stopped the need for retailers to be vigilant in their approach to fraud. In fact, CMSPI estimates that fraud losses in Europe have nearly doubled since 2016. Regularly reassessing and benchmarking your strategy is therefore crucial, especially as threats such as refund fraud come to the fore just as businesses are investing the most in building seamless omnichannel experiences.

Why exemptions can be make or break

The final lesson UK merchants can take from the EU comes from the fact that not all transactions have to undergo SCA. Whilst some – like payments with cards issued outside of the EEA – are considered ‘out of scope’, others can be exempted based on factors such as their value or associated risk. For merchants able to navigate the maze of exemptions alongside their payments partners, removing the friction of SCA at the checkout can be key to retaining positive customer experiences without affecting fraud.

The EU Merchant Experience

Even in markets where SCA is established, employing exemptions has been no mean feat. In some cases, for example, confusion over which party’s fraud rate (issuer’s, acquirer’s, or merchant’s) is used to verify Transaction Risk Analysis exemptions limited merchants’ options when looking to mitigate the impact of 3DS friction at the checkout. But for those who got into the weeds with their supply chain, the benefits were undeniable.

The Solution

The results were clear for the EU retailer shown in Figure 2. Whilst transaction abandonment was closely intertwined with the rate of declined transactions prior to September 2021, the link was broken as their exemption strategy began to take hold. The resulting €10 million in annual sales benefit was possible without increasing their exposure to fraud.

Figure 2. Transaction abandonment and false decline rate as exemptions were introduced. Large EU retailer case study.

Making the Most of SCA

In their roll-out of SCA, UK merchants had one thing many EU retailers needed: more time. However, as the UK’s payments-savvy merchants were building their strategies, the fraud mix was shifting, new fees were being introduced, and the cost of falsely declined transactions continued to mount. With each false decline, merchants don’t just lose a sale – they lose every penny spent on customer acquisition, loyalty, and the share of their payment fees that is non-refundable. That’s before even considering the chargeback costs, trust implications, and sunk costs of genuine instances of fraud. These challenges were widespread before SCA, making the regulation just another layer in a merchant’s holistic strategy to optimize their approval rates. Luckily, the EU’s experience points to many opportunities – from exemptions, to stronger issuer relationships – that are on the table for merchants ready to collaborate with their payments partners to keep conversions up, fraud down, and revenue optimized.

Sources:
  1. Finextra - UK Retailers lost $130 million in sales in first month of SCA Rules
  2. CMSPI estimates and analysis
  3. CMSPI estimates and analysis. Failure rates include transactions that were declined and those where customers dropped out of the payment process due to increased friction.