Strong Customer Authentication – Considerations for Merchants

By Catherine Tong, Vice President & General Manager, Accertify EMEA
September 25, 2018

The deadline for implementation of PSD2 into EU national laws was 13 January 2018. One aspect of PSD2 is Strong Customer Authentication (SCA), whereby a customer needs to authenticate themselves in order to be able to transact. Authentication in itself can cause friction, which any merchant tries to avoid in order to maximise revenues and customer satisfaction on their consumer websites and apps.

As a result of this change, merchants should understand and manage their business to minimise both fraud and the amount of customer friction. The introduction of this new regulation will mean that fraud detection will inevitably need to evolve as the fraudsters find new ways to exploit new loopholes, as well as migrating to areas which have weaker controls and easier purchase routes.

Non-EU issued cards

One important aspect of SCA is that non-EU issuers do not need to comply with this regulation and therefore liability rules for these cards will remain unchanged. From our current customer base at Accertify, we see the below split of fraud, by issuing region, across some of our enterprise EU merchants. Once SCA is fully enforced in the EU, we expect fraudsters to target non-EU issued cards. This means that there could be an increase in the proportion of non-EU issued cards making up fraud losses, and that number could continue to increase as non-EU cards do not utilise SCA. See Figure 1 below:

Figure 1: Source Accertify

The above chart highlights the ongoing need for merchants to be able to manage their own fraud strategy as non-EU issued cards will continue to be a fraud risk for EU merchants, and in fact are expected to become a bigger problem as fraud migrates to the areas with the weakest barriers to purchase.

Customer whitelisting

Minimising how often SCA is required is a key objective for many merchants. One way to do that is for a merchant to encourage a customer to “whitelist” themselves with their issuer by registering themselves as a trusted beneficiary, so that SCA is not invoked each time they come to pay. However, if fraud is later found on a transaction, the merchant may become liable, so fraud screening tools are still required to mitigate this risk.

Pre-authorisation fraud screening

Transaction risk analysis (TRA) is another way to exempt a transaction from authentication. Although a merchant cannot apply the TRA exemption themselves, they can conduct risk analysis pre-authorisation to ensure minimal fraud attempts are being passed to the acquirer and issuer. This will help keep overall acquirer and issuer fraud rates low and enable a larger number of transactions to be exempted from SCA. If the overall acquirer and issuer attempted fraud rates are below these thresholds then an increased number of transactions will meet the SCA exemption:

| Transaction value (€) [1] | Fraud rate (%) |
|---------------------------|----------------|
| >500                      | 0.01           |
| >250                      | 0.06           |
| >100                      | 0.13           |

This exemption in itself is likely to mean that the above fraud rate thresholds will be an influencing factor when determining which acquirers to work with and what alternative payment methods to offer in the future to optimise the level of end-consumer acceptance.

Dispute Management

Where there is suspected fraudulent behaviour, an issuer will still be able to push liability to other entities in the payment process, including a merchant. Coupled with the fact non-EU issued card processes will remain unchanged, this means merchants will still benefit from having an effective dispute and chargeback representment process.

By automating and prioritising disputes received, merchants will be able to continue to optimise their profitability through an effective dispute management process.

In conclusion

Merchants will continue to have a role to play in effective fraud management processes in the future. Ultimately, it is the issuer who will determine whether a transaction needs to step up for SCA. After all, they are the ones who are required to do so per the regulation and who will ultimately take the liability if fraud is found. That said, the issuers and merchants have the same objective — to ensure as many customers as possible are allowed to transact.

Merchants will still need to understand and manage their fraud risks and they will need to update their fraud strategies to ensure that their processes are agile enough to be able to adapt to the changing fraud patterns which will evolve in the coming months.

This article also appeared in PaymentsSource.com.

[1] https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+(EBA-RTS-2017-02).pdf