
Strong customer authentication (SCA), required under the EU's PSD2 and spelled out in regulatory technical standards drafted by the European Banking Authority, was introduced in an effort to make eCommerce more secure. However, as Feedzai’s James Hunt points out, SCA can add unnecessary friction to eCommerce transactions. James outlines how acquirers and PSPs can reduce eCommerce friction by understanding how customers normally behave.

What’s wrong with currently available fraud solutions?

What’s causing a rise in eCommerce friction? It can be put into two different buckets. The first bucket is inadequate fraud solutions. The second bucket is increased regulation, which impacts the whole payments process.

If we look at that first bucket, there’s a host of fraud solutions on the market today that are really good at predicting fraud. The problem is false declines or false positives. 

An article released by Edgar, Dunn & Company back in 2020 looked at the issue of false declines. The article stated that for point of sale transactions, authorization success rates were around 96%. In card-not-present (CNP) situations, that authorization success rate actually dropped to 85%. There are two reasons. First, CNP transactions are seen as much higher risk because I don’t have to be physically in possession of the card to make the purchase. Second, fraud systems, whether at a merchant, an acquirer, or an issuer level, don’t necessarily take into account genuine consumer behavior.

How does strong customer authentication create customer friction?

The second bucket is really in regards to regulation. SCA was adopted by the European Banking Authority (EBA) and mandated for use starting on September 14, 2019. Essentially, it’s an additional step that’s been put into online transactions to help make them more secure. 

Two of the following three factors need to be used as part of a strong customer authentication process. Firstly, something you know, such as a password. Or something you have, such as your mobile phone or your laptop. Or something you are, such as your physical fingerprint. 

Since the rollout of SCA, countries such as Italy have seen authorization success rates drop to as low as 75%. That’s a quarter of all transactions processed which are being declined. 

So why does SCA add additional friction? There are people within Europe that just don’t understand why they’re being asked or why they are redirected to their bank to verify themselves. If I look back to the chip and PIN rollout in the UK in the early 2000s, there was a whole program of education for consumers that were used to using their cards and signing a piece of paper at checkout who now had to input their PIN, which they’re only really used to using an ATM. 

If I look at how SCA has been rolled out across Europe, I’ve not seen the same level of education. I think some of the markets are maybe not used to things such as 3-D Secure.

Secondly, it also depends on the technology being used. 

What is 3-D Secure?

3-D Secure was actually released back in 2001 as Visa and Mastercard’s response to card-not-present fraud. There are three different versions which can be used. 

There’s the original version, 3DS1, which is really reliant on static or one-time passwords. It’s a password approach system – not so great because it’s really designed for laptop and desktop PCs. It doesn’t work very well on mobile devices, so much so that the card networks or card schemes are sunsetting support for 3DS1 throughout October 2022. 

The second version is 3DS2.1. This is really where support for mobile devices and also biometric data was first supported. For example, being able to use things like a fingerprint scanner or having more mobile SDK kind of support. 

The latest version of 3DS is known as 3DS2.2. This version adds the ability to ask for exemptions under strong customer authentication. 

What are the 3DS exemptions?

Technically, there are only three exemptions, but there are also another three types of transactions outside the scope of SCA. 

If we look at the out-of-scope transactions, the first is merchant-initiated transactions. These are essentially going to be things such as recurring transactions; for example, I may sign up to a subscription service for TV or for music. That first transaction will have to go through strong customer authentication. However, any subsequent transactions will fall outside of scope unless the payment details are changed at any point in time. 

The next out-of-scope category is mail order and telephone order transactions. It’s really not possible to verify a consumer via automated means in these cases. Therefore, these transactions also are outside of scope. 

Last but by no means least, we have what’s known as one leg out. This is where either party involved in a transaction is actually from outside of Europe. 

What are the physical 3DS exemptions?

If we look at physical exemptions themselves, as I mentioned, there are three. 

The first is transaction risk analysis, where some element of fraud screening has been performed on the transaction. There are other caveats here that will depend on the acquirer’s and the issuer’s fraud rate and the value of the transaction. For example, any transaction over €500 cannot be exempted under transaction risk analysis. 

The next exemption is with regards to trusted beneficiaries. This is really something which is owned between the consumer and their card issuer. So a really good example is I go to a website, and I place an order. My card issuer may ask me if I would like to whitelist any further transactions that I make on this merchant’s website. 

Finally, transactions can be exempted because they’re low value. So anything under the value of €30 can be exempted from SCA, assuming that no more than five transactions have previously been exempted and that the cumulative total of transactions is not in excess of €100. 
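The out-of-scope categories and the three exemptions described above are, in practice, a decision tree that an acquirer or PSP has to evaluate on every card-not-present authorization. The following is an added example, written for this page and not Feedzai's code, of such a scope and exemption engine. It encodes the limits quoted on the page (€500 TRA cap, €30 low value, five consecutive low-value exemptions, €100 cumulative) plus the lower TRA tiers from the EBA RTS (€250 at a 0.06% fraud rate, €100 at 0.13%). The `Transaction`, `CardState` and `decide` names, and the choice to count every non-SCA transaction since the last challenge towards the low-value counters, are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    OUT_OF_SCOPE = "out_of_scope"
    EXEMPT_TRUSTED_BENEFICIARY = "exempt_trusted_beneficiary"
    EXEMPT_LOW_VALUE = "exempt_low_value"
    EXEMPT_TRA = "exempt_tra"
    SCA_REQUIRED = "sca_required"


# Transaction risk analysis tiers (EBA RTS Art. 18): the requesting PSP's
# reference fraud rate caps the amount that may be exempted. The page quotes
# only the EUR 500 top tier; the two lower tiers are the RTS values.
TRA_TIERS = ((0.0001, 500.0), (0.0006, 250.0), (0.0013, 100.0))

LOW_VALUE_MAX_EUR = 30.0           # single-transaction cap
LOW_VALUE_MAX_COUNT = 5            # exemptions since the last SCA
LOW_VALUE_MAX_CUMULATIVE = 100.0   # cumulative amount since the last SCA


@dataclass
class Transaction:
    amount_eur: float
    merchant_id: str
    merchant_initiated: bool = False   # recurring/MIT after an SCA'd first payment
    moto: bool = False                 # mail order / telephone order
    issuer_in_eea: bool = True         # "one leg out" if either side is outside
    acquirer_in_eea: bool = True
    risk_screen_passed: bool = False   # fraud-screening outcome feeding TRA


@dataclass
class CardState:
    """Per-card counters kept since the last application of SCA (assumed model)."""
    exempt_count: int = 0
    exempt_cumulative_eur: float = 0.0
    trusted_merchants: set = field(default_factory=set)  # issuer whitelist

    def record_exemption(self, amount_eur: float) -> None:
        self.exempt_count += 1
        self.exempt_cumulative_eur += amount_eur

    def record_sca(self) -> None:
        self.exempt_count = 0
        self.exempt_cumulative_eur = 0.0


def tra_limit_eur(fraud_rate: float) -> float:
    """Largest amount TRA may exempt for a PSP with this fraud rate (0 = none)."""
    for max_rate, limit in TRA_TIERS:
        if fraud_rate <= max_rate:
            return limit
    return 0.0


def decide(tx: Transaction, state: CardState, acquirer_fraud_rate: float) -> Decision:
    """Classify one CNP authorization and update the card's exemption counters."""
    # 1. Out of scope: no SCA and no counter changes.
    if tx.merchant_initiated or tx.moto or not (tx.issuer_in_eea and tx.acquirer_in_eea):
        return Decision.OUT_OF_SCOPE

    # 2. Trusted beneficiary: the cardholder whitelisted this merchant with the issuer.
    if tx.merchant_id in state.trusted_merchants:
        state.record_exemption(tx.amount_eur)
        return Decision.EXEMPT_TRUSTED_BENEFICIARY

    # 3. Low value: the amount, consecutive-count and cumulative checks must all hold.
    if (tx.amount_eur <= LOW_VALUE_MAX_EUR
            and state.exempt_count < LOW_VALUE_MAX_COUNT
            and state.exempt_cumulative_eur + tx.amount_eur <= LOW_VALUE_MAX_CUMULATIVE):
        state.record_exemption(tx.amount_eur)
        return Decision.EXEMPT_LOW_VALUE

    # 4. TRA: fraud screening passed and the amount is within the PSP's tier.
    if tx.risk_screen_passed and tx.amount_eur <= tra_limit_eur(acquirer_fraud_rate):
        state.record_exemption(tx.amount_eur)
        return Decision.EXEMPT_TRA

    # 5. Otherwise challenge the cardholder (3DS2); a completed SCA resets counters.
    state.record_sca()
    return Decision.SCA_REQUIRED


def demo() -> list:
    """Constructed sample: six EUR 20 payments at one merchant on a fresh card."""
    state = CardState()
    return [decide(Transaction(20.0, "M1"), state, 0.0001) for _ in range(6)]
```

Running `demo()` shows the low-value counters doing their job: the first five €20 payments are exempted, and the sixth is sent to SCA because both the five-transaction and the €100 cumulative limits have been reached. The ordering of the checks is a design choice; an issuer may apply stricter limits than the acquirer requested, so a real engine also has to handle the issuer declining an exemption the acquirer asked for and stepping up to a 3DS challenge.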

How can PSPs reduce eCommerce friction?

So how can we look to remove friction from eCommerce transactions? Firstly, as an acquirer, a PSP, or merchant, make sure you have a fraud solution that is able to understand and articulate what good consumer behavior looks like. This is really important for making sure that you keep false declines and false positives as low as possible. 

Second, if you’re an acquirer or PSP, extract as much information as possible from your merchants. For example, the specific goods and services a consumer is ordering from a merchant are really useful pieces of information to build into your fraud detection system. This will allow you to offer exemptions under transaction risk analysis with much more confidence. 

Third, as an acquirer or PSP, and perhaps even a merchant, make sure you are in a position to understand whether or not a transaction falls in or out of scope for SCA. If it does fall in scope, can an exemption be used? Making sure that you have an engine in place to determine that quickly, easily, and in line with your authorization message is key. 

Finally, if you’re an acquirer or PSP, make sure that you support the latest version of 3-D Secure. Not only will this make sure that you’re able to request exemptions, but it will also give you the latest version of the technologies available to help verify consumers in a more frictionless way. 

Are you looking for ways to reduce eCommerce friction? Schedule a demo with us today to see how our experts and our technology can help establish digital trust for you and your customers.