Getting PSD2’s new SCA requirements right
That brief sigh of relief you heard was from European retailers welcoming the EBA’s admission that additional time may be needed to comply with the new Secure Customer Authentication (SCA) requirements under PSD2 that are planned to take effect on 14th September.
The breathing space is all well and good, but the sigh was brief because the reprieve is likely to be just as short-lived. The truth is, PSD2 and its requirement for genuine Strong Customer Authorization (SCA), is still coming and it’s still vital that retailers in the European Economic Area get it right.
In fact, there is little profit in procrastinating when it comes to preparing for the new rules. Brands that take quick and decisive action will find themselves with a competitive advantage — including being open for digital business when those who dawdle beyond the PSD2 deadline will not be.
The dawn of the SCA era has been viewed with dread by many in the retail industry. Some have scrambled to identify exemptions and to contemplate the possible gymnastics that will allow them to get around the new requirements.
The truth is, none of the exceptions provided in the regulations will help even the likes of Stripe, Amazon or Worldpay from preventing conversion drop off. And the exemptions themselves? They are only sometimes applicable for some small value carts and ultimately are actually dependent on unrealistically low fraud rates for both the acquiring and issuing banks, neither of which are in control of the retailer.
There is a better way. The better way is to embrace SCA by finding a way to provide seamless customer experiences while still measuring SCA’s three elements — possession, inherence and knowledge. And to do that without ever prompting customers to take additional checkout steps or turning over the checkout flow to the card brands.
Much of the anxiety around SCA comes down to the verification of the three elements, because for many merchants SCA is considered part and parcel of 3D Secure, a safeguard that historically has led to cart abandonment and customer dissatisfaction.
But the SCA and 3D Secure are not synonymous and, in fact, SCA is a powerful and effective safeguard against fraud. It works.
Requiring authentication based on something the consumer is (biometrics or behaviour, for instance), something the consumer alone knows (a password from before the transaction, for instance) and something the consumer possesses (a digital device as evidenced by a token, for instance), is a robust and secure method, because a fraudster’s breach of one of the three identifiers does not compromise the other two.
But the same European Banking Authority opinion that opened the door for likely extensions in the deadline for PSD2 enforcement also rightly noted that implementing 3D Secure 2.0 does not automatically mean you are implementing SCA. The protocol doesn’t even have the ability to pass information regarding the inherence element of SCA for example.
The EBA stated plainly in its 21st June memo that, “communication protocols such as EMV 3-D Secure version 2.0 and newer would not currently appear to constitute inherence elements, as none of the data points, or their combination, exchanged through this communication tool appears to include information that relates to biological and behavioural biometrics.”
The EBA went on to say that SCA purposefully allows for multiple “authentication approaches in the industry, in order to ensure that the regulatory technical standards remain technology-neutral and future-proof.”
We’ve looked at what’s in place and tested the existing protocol and its infrastructure. Authentication systems that rely on 3D Secure, with their communication among the merchant, gateway, at least two banks, the consumer and often back around again can in extreme cases take 15 seconds or more — an eternity on the web.
And there is no mystery in what that delay does to conversions. Slow and complicated checkout processes are a conversion killer.
Nearly 48% of consumers told polling firm Survata, in a Signifyd customer experience survey, that they felt frustrated by checkout experiences that redirect them to another site for credit card verification, a feature of 3D Secure. The Baymard Institute found that 28 percent of consumers abandoned their carts because checkout took too long or was too complex.
The way to completely sidestep the problems with 3D Secure as a protocol is to take ownership of SCA by building or buying a holistic approach to meeting PSD2 obligations. We expect that the best customer experience under PSD2 will involve a machine-learning-based SCA provider conducting dynamic fraud analysis for online retailers, then passing the SCA decision down the 3D Secure rails to eliminate delays in approval, minimise customer friction, and maximise authorisation rates.
Such a system, relying on a vast amount of transaction data, provides just the right scrutiny for each order to protect consumers and retailers from fraudulent credit card transactions while avoiding the added friction brought on by a one-size-fits-all, legacy 3D-Secure-powered system.
The holistic approach allows for near instantaneous SCA review and more accurate decisions based on the significantly more data processed by the system’s learning machines, as opposed to passing down that data all the way to the issuing banks and back. The system should have the added advantage of shifting all liability away from the merchant, onto the issuing bank in the case of 3D-Secure-authorised transactions, or onto the SCA provider for any transaction that would require a step-up or be declined.
Fortunately, the technology to build a successful and sustainable PSD2 solution, fully compliant with the requirements for SCA, is available today. Instead of banking on exceptions, retailers should fix the problems that don’t protect their customers’ payment information.
While the details of this innovative approach to PSD2 are important, it’s the underlying thinking that is vital to executing a successful PSD2 strategy. It starts with embracing the new SCA requirements rather than trying to avoid them through a pretzel of exemptions.
Because in the end, coming to grips with the reality of PSD2 and its SCA requirements is the only way to achieve the noble goals of the regulation without breaking the customer experience they’ve worked so hard to foster.
By Ed Whitehead Signifyd managing director, EMEA
