Revealed: The Real Risks of Not Properly Enforcing SCA

business-962355_1280

Strong Customer Authentication (SCA) is a new requirement of the second Payment Services Directive (PSD2) in the UK and the EU. Its objective is to improve the security of electronic payments online. SCA requires banks to perform extra checks to verify the identity of consumers when they make a payment online. This is achieved through a two-factor authentication, requiring consumers to prove two of the following identification methods at checkout:

● ​Knowledge – Something they know: using a password or PIN.
● ​Possession – Something they own: using a mobile phone or card reader.
● ​Inherence – Something they are: biometrics such as a fingerprint or facial recognition.

For ecommerce businesses, this has been enforced since 1st January 2021 in most of the EEA and will be enforced from 14th March 2022 in the UK.

But what happens if you don’t enforce PSD2 Strong Customer Authentication in your business? Unfortunately, hiding from the problem will not make it go away. Payment service providers (PSPs) and banks have a legal obligation to comply with PSD2, and businesses that don’t fulfil SCA will see a world of trouble.

While SCA is the responsibility of PSPs to enforce, merchants have a big role to play in how consumer information is collected. Merchants must be proactive about implementing SCA properly. Otherwise, they may experience rising decline rates, falling conversion rates, and increasing negative customer experiences. Here, we explore the real risks of not properly enforcing SCA.

Rising decline rates
SCA’s enforcement has led to higher transaction failure rates due to the increased usage of 3DS as a solution to compliance. In July 2021, CMSPI reported that the estimated European failure rate on transactions was 24 per cent – higher than the industry objectives. But why is this happening? Because relying solely on the use of 3DS for SCA compliance increases friction at checkout. This will include more step-up authorisations and stricter verification methods.

While increased decline rates will have an obvious negative impact for merchants’ revenue, there will be further consequences that are damaging for business. Merchants know that when a quarter of transactions fail, of course not every one of those transactions will be fraudulent. In fact, a vast majority is likely not to be. But declining genuine consumers is a costly game to play.

57.6 per cent of consumers said that being declined a purchase by a retailer when there wasn’t a problem would be a reason for them to not shop with a specific online retailer again.

Ultimately, merchants risk ostracising consumers by declining genuine payments. This may discourage returning customers, leading to a further negative impact on revenue beyond the initial decline.

Merchants should therefore aim to improve their decline rate by implementing easier authentications that reduce touchpoints for consumers. Seamless SCA, which uses more data points to verify consumer identities, can encourage improved decline rates and boost revenue.

Falling conversions rates
As mentioned above, when SCA is not properly enforced, authentication can create friction and more consumer touchpoints are likely to occur. The more touchpoints that you create on your ecommerce store, the more likely it is that customers will abandon their shopping carts. In the UK, 41 per cent of shoppers have abandoned an online transaction during checkout in the past year. Merchants must ensure that their ecommerce site is built for the latest authentication platforms, otherwise, they risk creating negative customer experiences.

Using 3DS Version 1, while it is a compliant solution to SCA, has limited capabilities. For example, biometrics are not a possible measure for SCA using 3DS1, meaning that more demanding verification methods are required. This may induce text verification codes that need manually entering or additional passwords and account verifications.

3DS1 also doesn’t recognise soft declines. When a merchant asks an issuer to authorise a payment, the issuer may return a soft decline, triggering authentication. However, with 3DS1, this payment would just be declined. The merchant would have to try again and risk cart abandonment.

Merchants should aim to have a seamless authentication strategy that complies with SCA to achieve higher conversion rates. Merchants should make sure they are on the correct version of EMV 3DS to make the best use of the opportunities that SCA offers, including biometrics, exemptions, and data analysis to achieve a frictionless authentication.