In response to the unprecedented and exceptional circumstances resulting from the global health crisis, the UK’s Financial Conduct Authority (FCA) has extended the deadline for the industry to implement Strong Customer Authentication (SCA) to minimize any disruption to consumers and merchants. The new deadline, September 14, 2021, gives organizations an additional six months to take all necessary steps to complete implementation. While the directive doesn’t directly apply to merchants, the move is causing concern among them even with the extended implementation timeline. That is understandable: between the need to implement more stringent authentication for online payments and the prospect of banks having the power to decline payments, all but the largest merchants may worry that SCA will create friction for customers and disrupt their business. But does the new requirement really mean more friction for customers? Or could it actually improve the ecommerce experience? Does SCA set the stage for payments that are both more secure and more convenient?
To answer these questions, let’s look at SCA in the context of the EMV 3DS 2.X Specification for transaction security. This protocol provides an additional layer of transaction security and collects a tremendous amount of contextual data about transactions. Merchant adoption of EMV 3DS 2.X is not mandatory, but there is a strong argument to be made that using it in conjunction with SCA could dramatically improve the quality of the online payment experience for consumers, as well as minimize merchant disruption.
Merchants that do adopt EMV 3DS 2.X have a means of ensuring that issuing banks are able to collect enough data to make informed decisions about transactions without inconveniencing customers. EMV 3DS 2.X delivers rich contextual information about transactions to the access control server (ACS) provider’s risk engine, which the issuing bank uses to assess the risk of a transaction and respond accordingly. The more data elements provided, the more accurate the risk score will be. The score thus reflects the probability of a transaction being fraudulent or genuine. Only when a high risk score is given will the bank need to challenge the transaction as fraudulent.
For example, take the billing and shipping addresses that consumers routinely provide to merchants when they purchase something online. EMV 3DS 2.X allows merchants to share both addresses with the issuing banks as part of the protocol. The risk engine can then take into account whether the addresses match as part of the risk scoring process. When they match, it’s an indication of lower risk, which makes a challenge less likely. All of this happens behind the scenes, without impeding the customer checkout experience or adding friction to it.
Merchants looking to reduce their challenge rates even further are encouraged to rely on merchant-side fraud detection. In addition, running a transaction through a risk-based engine can help merchants achieve higher confidence in their transactions before triggering a 3DS flow. Issuing banks are likely to run a similar risk-based engine, and this, coupled with high-quality 3DS data, will result in more transactions going through the frictionless flow, which can greatly enhance the customer experience.
Make no mistake: PSD2 and SCA will dramatically change the way transactions are handled by redefining the roles of banks and merchants in the process. But change doesn’t have to be a negative. Rather, it presents an opportunity for merchants to better control and influence their customers’ journey when an SCA flow is needed, and to remain competitive in the digital economy by allowing SCA to help, rather than hinder, the customer.
Author: Bilal Alhmoud
Category: RSA Point of View
Keywords: SCA, CNP, Fraud Management, Authentication, 3-D Secure 2.0, PSD2