For those still working to implement Strong Customer Authentication (SCA) to meet PSD2 requirements, the recent European Banking Authority (EBA) opinion on SCA could provide much-needed respite. But there are caveats. Agreeing with market sentiment, the EBA conceded that the market is widely unprepared to meet the 14 September deadline to implement SCA requirements, especially for downstream actors such as merchants. In fact, the British Retail Consortium estimates that 25% – 30% of online purchases may fail when the SCA measures are rolled out.
Flexibility on SCA Implementation Timeline
To avoid disruption to online transactions that would fail because they do not meet the SCA requirements, the EBA has agreed that the Competent Authorities (CAs) may “decide to work with Payment Service Providers (PSPs) and relevant stakeholders, including merchants, to provide limited additional time to allow issuers to migrate to authentication approaches that are compliant with SCA.”
However, the EBA stressed that such delays will only be available when payment service providers:
- Set up a migration plan
- Have agreed to the migration plan with their CA
- Execute the plan in an expedited manner
In the UK, the FCA has already responded, commissioning UK Finance to propose an alternative timetable for implementation. UK Finance are recommending a minimum 18-month delay to the introduction of SCA rules in the UK, with a further 1-year extension for the hospitality and travel sector.
These governing bodies hope this additional flexibility will help merchants handle the transition and ease disruption for consumers. So while flexibility is being given, the EBA and CAs are making it clear that both PSPs and merchants need to have a plan in place and be actively working to meet SCA requirements before the extended deadline.
3-D Secure is Out
The EBA has also clarified that 3-D Secure does not qualify as an inherence factor, and does not meet SCA requirements. While 3-D Secure doesn’t currently satisfy any SCA requirements, it’s important to note that the EBA is encouraging the use of such communication protocols to:
- Help ensure customer convenience
- Drive down fraud through data sharing
- Help in meeting transaction risk analysis requirements and gain exemptions to SCA.
EBA on Exemptions
Driving down fraud rates and leveraging Transaction Risk Analysis (TRA) exemptions will be vital for merchants to retain control over the buyer’s journey. The EBA has agreed that PSPs and merchants should be able to request SCA exemptions if they can attain target fraud rates. To be allowed the exemption based on TRA, the proposed solution must operate in real-time and verify a transaction against anomalies in user behavior. Checkpoints include the following:
- Previous spending patterns of the payer
- Payment transaction history of the payer
- Location of the payer and the payee at the time of the payment
- Previous use of the access device or the software provided to the payment service user for SCA.
The table of exemptions is as follows:
| Exemption threshold value | Reference fraud rate (%), remote card-based payments |
|---|---|
| €250 | 0.01 – 0.06 |
| €100 | 0.06 – 0.13 |
PSPs and merchants will have to work much more collaboratively to reduce fraud in order to reach the highest exemption thresholds. But this could provide a major competitive advantage on a number of fronts:
- One-Click shopping: Being able to expedite payment processing for a higher volume of transactions, i.e. all transactions below €500 vs. only transactions below €30, which is the default exemption level.
- Cost savings: Reduce the overall number of transactions subject to higher cost SCA checks.
- Reduced friction: Only step-up transactions to SCA that are above the exemption threshold or with risk signals present.
TransUnion is uniquely suited to help businesses drive down their fraud rates and maximize transaction risk analysis exemptions, while also providing an elegant, risk-based authentication solution to satisfy SCA requirements. By doing so, we help you strike a balance between compliance and customer experience.
We combine iovation, our lightweight and transparent customer authentication solution, with iovation FraudForce, a real-time risk insight and fraud prevention solution, to confidently identify returning devices and check for risk signals that could indicate fraud.
Our deep device intelligence allows us to provide real-time data on the location of the payer and payee at time of payment, and to determine previous use of the access device provided to the payment service user for SCA. This intelligence coupled with your data on previous spending patterns of the payer will allow your business to confidently decide to accept, deny or review each transaction. By doing so, you can lower your fraud rate, reduce the overall number of transactions subject to SCA and increase customer satisfaction.