Q&A Series: Strong Customer Authentication

We spoke to our Senior Economist, Robbie MacDiarmid, to find out more about SCA and what merchants need to be doing about it.

In the simplest terms, what is SCA?

SCA is a way of making sure that the cardholder is who they say they are, essentially. The European Commission, as part of PSD2 regulation, have mandated that all transactions carried out through a remote channel must be authenticated via at least two of three defined elements: knowledge, something the customer knows like a password; possession, something the customer owns like a card or phone; and inherence, something the customer is like a fingerprint.

The most likely scenario we’ll see going forward is a consumer pressing ‘Pay now’, then a pop-up window appearing asking them to input a passcode that has been sent to their mobile or log in to their mobile banking with a fingerprint or facial recognition.

So, what’s the big deal with SCA? Why’s it such an issue?

Well, SCA is actually a fine concept. Transactions in general should be challenged if they carry a high risk of fraud, as this protects cardholders, merchants and issuers from the costs of fraud. Requiring customers to authenticate via two of the three defined elements will improve this process of challenging transactions and ideally reduce fraud in the industry.

The issue comes with the fact that excessive enforcement of SCA or non-optimal implementation of solutions could lose merchants 6, 7, or even 8-figures of revenue after the deadline of September 14th.

What will actually happen on September 14th?

At midnight on September 14th, transactions that aren’t SCA-compliant will be declined by issuing banks at their discretion, and transactions that are compliant may still be sent back for further authentication prior to being authorised by the bank. We’re expecting about 25% of transactions to require SCA, so if customers aren’t familiar with the new transaction flow then this could cause a significant increase in customer dropout.

What do merchants need to do to be SCA-compliant?

Multiple things, but the main one is to implement an SCA-compliant solution at checkout. Currently, this means 3D-Secure version 2 for desktop and Apple Pay, Google Pay or Samsung Pay on mobile. Merchants who have not had communications from their acquirers should firstly question why they haven’t been contacted, and secondly discuss the implementation of these authentication methods.

Is there anything else merchants can do to minimise the impact of SCA on their revenue?

There are a number of exemptions to SCA that can be applied for on qualifying transactions. If the exemption request is successful, then the transaction will continue to be frictionless for the customer and they won’t need further authentication. Therefore, merchants that can make the most use of exemptions will be able to avoid SCA as much as possible, and keep customer dropout rates stable.

As only one exemption can be applied for with each transaction, merchants need to be able to assess which exemption is most likely to be accepted by the issuing bank – that maintains executive control over the application of SCA – in order to optimise their use of exemptions.

Can merchants be fined for not being SCA-compliant?

In a traditional sense, no. Merchants aren’t regulated entities under PSD2, so it is up to acquirers, issuers, and the card schemes to be ready for SCA and communicate this to their merchants – which many have failed to do. The only ‘fine’ merchants will face is the huge loss of revenue they see as transactions begin to be declined or customers increasingly drop out at the authentication stage.

What is the CMSPI Economics Team doing to help merchants with SCA?

The biggest thing is education. We’re calculating the impacts of SCA to individual merchants, assessing their readiness, and providing recommendations for next steps in order to be compliant by the deadline of September 14th. We will be supporting any efforts from merchants, trade associations and the industry to delay the deadline.