Brace for impact, SCA is about to hit – are you ready?
As we enter the final part of the year, peak shopping season, pandemic-driven e-commerce acceleration and the annual change freeze period will collide. But this year the introduction of Strong Customer Authentication (SCA) will also enter the mix – and for some merchants, it may feel like the end of 2020 will be even more daunting and difficult than the early part of the year.
Ahead of this perfect storm of payments challenges, we wanted to share our insight into the issues e-commerce merchants are likely to face around the online customer experience and what can be done to minimise disruption.
SCA – a quick recap
Strong Customer Authentication (SCA) was introduced as part of the Payment Services Directive (PSD2) and requires electronic payments initiated by the buyer to be authenticated by at least two of the following three factors.
- Something the cardholder knows (e.g., a password or PIN)
- Something the cardholder has (e.g., a token, a mobile phone)
- Something the cardholder is (e.g., a fingerprint or voice match)
The original deadline for SCA implementation in e-commerce had been extended but is now set to be enforced in the UK from September 15th 2021 and across most of the EEA from January 1st 2021.
The COVID effect
The impact of COVID-19 on e-commerce merchants and their Strong Customer Authentication (SCA) preparations have been significant, especially since the industry has seen unusual and unpredictable transaction trends throughout most of this year. As a result, the payments industry called for additional time to allow merchants to focus their efforts on SCA again. Unfortunately, while the UK authorities have granted a final short extension, The European Commission decided against any further delay, stating:
“The Covid-19 pandemic has increased the volume of e-commerce and consequently of online payments. It can be expected that many EU consumers will maintain these new payment habits. This would call more than ever before for robust and innovative strong authentication methods. Delaying them further could undermine customer trust in e-commerce and slow down the deployment of new and innovative state-of-the-art authentication methods in the EU.”
This means that the majority of merchants across Europe have only a matter of weeks left to prepare and comply.
What happens if merchants don’t meet the deadline for SCA?
If a merchant isn’t able to support a card issuer SCA process, the issuer will be legally required to decline those payment requests. This ultimately means lost sales, unhappy customers and a big impact on revenues.
While most issuers and acquirers are likely to be ready for the impending deadline, research suggests that many e-commerce merchants are still relying on their payments providers to navigate any compliance changes on their behalf. As a result, some may be caught unawares.
On the flip side, merchants who are able to meet the SCA requirement may also face friction at the checkout, due to the additional steps that customers will have to take to complete their payment. This can cause cart abandonment, reduced conversion rates, lost revenue and reputational damage.
Fortunately, there are steps merchants can take to reduce friction for genuine customers.
Securing the online payments experience
Some transactions are exempt from SCA and merchants can also apply to add exemptions for additional transactions or customers. It’s important for merchants to understand all the various factors and form an exemptions strategy. This will help minimise the number of transactions that have to go through the extra SCA checks and maximise the use of the frictionless flow route for genuine customers.
3D Secure (3DS) can help merchants meet the new authentication requirements set out by the SCA mandate. The latest version of this technology is suitable for both online and mobile channels and can offer a slicker process for shoppers. However, it is possible to use a dynamic approach to 3DS, which uses verified customer data to help recognised, genuine customers, to avoid the additional authentication steps. This, of course, is something that merchants must carefully weigh against the risk of fraud liability and to bypass 3DS, merchants must be able to supply the complete range of required data to the card issuer within the transaction process.
There are also some e-commerce transactions which are out of the scope of the regulation, flag all your out of scope transactions correctly and completely to keep payments flowing as smoothly as possible.
If you’re a TrustPay merchant and have any questions or concerns about SCA, you can review our API manuals for technical details, or get in touch with your account manager to discuss your support needs.