Strong Customer Authentication (SCA) is a requirement of the second Payment Services Directive (PSD2) in the UK and the EU. Aimed at securing online payments, it verifies consumers’ identities with two-factor authentication, asking them to prove two of three factors:
- Knowledge — something they know, like a password
- Possession — something they own, such as a mobile phone
- Inherence — something they are, using facial recognition or fingerprint scans
However, as fraud prevention blocks some avenues of fraud and abuse, those aiming to do your business harm will look for others. It’s clear that payment SCA will change fraud pressure for businesses. Here, we explore factors that online merchants must consider in the new world of SCA and how to address modern ecommerce fraud.
SCA doesn’t cover all online payments. In fact, some payments are considered out of the scope of SCA regulation. This means that any payments that qualify as an out-of-scope transaction will not trigger a two-factor authentication check. These out-of-scope transactions include:
- Mail order or telephone order (MOTO) payments
- Merchant-initiated transactions, such as direct debits
- One-leg-out (OLO) transactions
- Recurring transactions of a consistent amount, once the first transaction has been authenticated
Merchants can expect to see fraudsters shift their efforts to these channels as they attempt to cause harm to businesses beyond SCA enforcement. The psychology of the situation is simple: when you make it difficult to commit fraud through one payment channel, fraudsters will find another. Which other channels will they use? Those that are not protected by SCA, of course.
Let’s look at OLO transactions as an example. An OLO transaction occurs when either the merchant’s acquiring bank or the consumer’s issuing bank is located outside the EU or the UK. A fraudster could purchase international credit card information on the dark web and buy under that foreign identity, as the issuing bank would be outside the remit of SCA. This would be classed as an out-of-scope transaction, and their fraudulent purchase would be exempt from SCA.
As SCA changes the way that fraud will be attempted, it will also impact the liability of fraud. Just as there are out-of-scope transactions that do not require SCA, some in-scope transactions can be exempt from the regulation. This is because some transactions are classified as having a low risk of fraud. These include low-value, regular, whitelisted, and low-risk transactions. Ultimately, these exemptions reduce friction at the checkout and boost the customer experience. However, fraud can still occur under the exemptions.
PSD2 allows for certain in-scope transactions to be exempt from SCA. Exempting low-value, regular, whitelisted, and low-risk transactions can reduce friction for the customer. These exemptions are decided and applied by issuers and acquirers, but merchants can also play a hand in the outcome.
However, if a retailer utilises exemptions as part of their SCA strategy, the liability for those exempted transactions will lie with the retailer. When a fraudulent transaction occurs, your business could be losing money. It’s essential to put other fraud detection programmes in place to avoid this.
Don’t be fooled by the name; friendly fraud can hurt just as badly as any other. This type of fraud occurs when a genuine consumer makes a claim to their issuing bank that is false. These could involve the customer claiming:
- an item wasn’t delivered
- an item does not match its description
- a refund had not been processed
- an order was cancelled but still sent
- their credit card has been compromised and used
Friendly fraud occurs when these claims are falsified, and they can cost businesses a significant portion of their revenue. Interestingly, The Consumer Abuse Index states that non-payments fraud has increased five-fold during the COVID-19 pandemic. Worryingly, the index shows just how commonplace abuse is among shoppers. 36 per cent of UK shoppers have claimed that a legitimate charge on their account was fraudulent. Meanwhile, 30 per cent have falsely claimed that an item hadn’t arrived. Before the pandemic, only 14 per cent had said the same – less than half of its current levels.
SCA is out of scope for this type of fraud because, with friendly fraud, a genuine consumer isn’t hiding behind a false identity, so most orders will look legitimate when they are made.
Merchants must consider other fraud solutions to avoid friendly fraud. Fraud prevention platforms that utilise historic shopping data can identify consumers that are more likely to commit friendly fraud, prevent them from doing it again, and remove liabilities of chargebacks for merchants.
Transaction risk analysis
Removing the friction caused by SCA will involve creating a seamless authentication strategy. Seeking out exemptions is the best way to remove the need for SCA and reduce consumer touchpoints that may lead to cart abandonment.
Transaction risk analysis (TRA) is one effective method carried out by issuers and acquirers that identifies low-risk transactions and exempts them from SCA. Transactions undergo a real-time, dynamic evaluation of various risk factors, verifying the identity of consumers and assessing their fraud risk.
However, to be eligible for TRA, merchants’ fraud rate must remain below a specific threshold. If your fraud rates rise, a PSP’s appetite to authorise an exemption falls, so it’s bad news all around. Merchants could even be hit with financial penalties as a result.
To be eligible for exemptions as part of TRA, merchants must adopt an effective fraud prevention strategy that first reduces their fraud rate; only then can they access more frictionless checkout experiences. The lower your fraud rate, the more opportunities, the easier the checkout, and the better experience your customers will have.
Fraud is changing with SCA regulations. Fraudsters will continually find new ways to harm your business, but proactive merchants are utilising more effective fraud prevention methods. A solid fraud prevention strategy can help reduce your fraud rates, improve the customer experience, and boost your revenue.