Examining the Impact of Strong Customer Authentication on Businesses
Strong customer authentication (SCA), as outlined by EU regulations, may succeed in reducing the impact of fraud for individuals and businesses.
As data breaches, identity theft, and consumer fraud continue to increase in volume and grow more sophisticated, individuals are becoming more concerned with data privacy. A recent study [1] found that 95% of Americans are concerned about businesses collecting and selling personal data without permission, and this growing concern has driven an increase in government regulation of data privacy.
Over 80 countries have enacted some form of data privacy law – from China’s requirement that data be physically housed inside Chinese borders, to Norway’s Personal Data Act, which focuses on consent. The EU’s GDPR is widely considered to be one of the most stringent and comprehensive data privacy regulations in the world.
What is SCA?
One of the outcomes of data privacy regulation is the idea of Strong Customer Authentication (SCA). SCA is a protocol outlined in the EU payments regulation PSD2, which guides the methods used by companies to verify a customer’s identity to complete transactions.
To comply with SCA, a company must authenticate a customer across at least two of three possible categories: knowledge, possession, and inherence.
- Knowledge: something the user knows, like a PIN number or password
- Possession: something the user has, like a credit card or smartphone
- Inherence: something the user is, often a biometric requirement like a fingerprint or facial scan
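The two-of-three rule above is easy to get wrong in practice: a password followed by a PIN is two factors but only one category, and does not satisfy SCA. The following added example (not code from the article or from any PSD2 implementation) checks which categories a customer's completed authentication steps actually cover; the method-to-category table is an assumption for illustration, and unknown methods are rejected rather than ignored so a misconfigured policy fails closed.

```python
from enum import Enum


class Category(Enum):
    """The three PSD2 authentication categories."""
    KNOWLEDGE = "knowledge"
    POSSESSION = "possession"
    INHERENCE = "inherence"


# Hypothetical mapping of authentication methods to categories (an assumption
# for this example; a real deployment would take it from its own policy).
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "card_present": Category.POSSESSION,   # physical card read at the terminal
    "device_otp": Category.POSSESSION,     # one-time code from an enrolled phone
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
}


def completed_categories(verified_methods):
    """Map the methods the customer has successfully completed to the set of
    categories they cover. An unknown method raises instead of being silently
    skipped, so a typo in the policy cannot quietly weaken the check."""
    categories = set()
    for method in verified_methods:
        try:
            categories.add(FACTOR_CATEGORY[method])
        except KeyError:
            raise ValueError(f"unknown authentication method: {method!r}") from None
    return categories


def satisfies_sca(verified_methods):
    """True only when at least two *distinct* categories are covered.
    Two knowledge factors (password + PIN) do not qualify."""
    return len(completed_categories(verified_methods)) >= 2


if __name__ == "__main__":
    for methods in (["password", "device_otp"], ["password", "pin"], ["face"]):
        print(methods, "->", "SCA satisfied" if satisfies_sca(methods) else "not enough")
```

The check counts categories, not steps, which is the point of the regulation's wording; adding a third method from an already-covered category changes nothing.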
Why the Interest in SCA?
First, SCA may affect businesses outside of the EU. Any business conducting transactions with customers in the EU must comply with SCA, by using two of the three required data types to verify a customer’s identity. The EU has set a deadline for compliance of December 31, 2020.
Second, strong customer authentication as outlined in PSD2 may provide the basis for future legislation within the U.S. For example, the California Consumer Privacy Act (CCPA) has many requirements that are similar to, overlap with, or build upon the EU’s GDPR. As more states and countries create new privacy regulations or update existing ones, they may well adopt the same tenets of SCA as outlined in PSD2.
Finally, Strong Customer Authentication is one way to protect your customers, and your business, from the revenue loss and erosion of consumer confidence associated with payment fraud.
What is the Purpose of SCA?
The purpose of PSD2 is to enhance competition, protect consumers, improve security, and contribute to a single EU market for retail payments.
Strong Customer Authentication was created by the EU in support of these objectives, as a method of protecting consumers and businesses from the increasing threat of Ecommerce fraud. By adding additional layers of security to transactions, SCA is intended to:
- Reduce fraud activity
- Reduce losses to fraud
- Improve customer confidence in Ecommerce
Common Business Concerns About SCA
Because SCA regulations place a burden on businesses, many are concerned about preparing to meet the technical requirements, as well as possible unintended consequences of the changes that are required.
First, a company that plans to incorporate biometric authentication into the payment cycle must have the technology in place to read, analyze and verify a consumer’s fingerprint. This technology must be acquired, integrated, tested, and functional prior to the end of this year for SCA compliance.
Second, any friction that is added to the customer experience could result in cart abandonment, impacting sales, revenues, and customer retention. 26% of shoppers have abandoned their cart mid-purchase because the checkout process was too long or complicated [2], and 57% of shoppers will abandon a website if they experience a load time of 3 seconds or longer [3]. Because of this, companies are understandably nervous about increasing the complexity and impacting the speed of the checkout process, even in the interest of improving security.
While strong customer authentication requirements are far-reaching, there are some exemptions built into SCA under PSD2. These include:
Recurring Orders / Subscriptions
After the initial order, a subscription may be processed without SCA verification.
Low-Value Transactions
SCA verification is not required for purchases under €30 – a threshold which must be converted for transactions in other currencies.
Low-Risk Transactions
A payment provider may perform a real-time risk analysis and bypass SCA for transactions deemed ‘low risk’. For example, if a payment provider and the cardholder’s bank both have fraud rates below 0.13%, they qualify for an SCA exemption on purchases under €100. The low-risk transaction exemption is always subject to card issuer approval.
Virtual Card Payments
Transactions conducted with a virtual card may be exempt from SCA; however, these transactions are generally restricted to corporate card and travel payments, and will not affect the majority of Ecommerce transactions.
Corporate Payment Processes
If a payment process is established between two businesses and remains the same from one transaction to the next, those transactions may be exempt from SCA requirements.
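The exemptions above amount to a decision procedure that a checkout or payment-gateway integration has to run before deciding whether to challenge the customer. The following added example (not code from the article or from any payment provider) encodes the exemptions as the article states them: the €30 low-value limit, the 0.13% fraud-rate threshold with the €100 cap and issuer approval for the risk-analysis exemption, recurring follow-up charges, virtual corporate cards, and fixed business-to-business processes. The exchange-rate table is constructed for illustration and the `Transaction` fields are assumptions; the real regulatory technical standards attach further conditions (for example cumulative-use counters on the low-value exemption) that the article does not cover and this example does not model.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Thresholds taken from the article's description of the PSD2 exemptions.
LOW_VALUE_LIMIT_EUR = 30.0      # low-value exemption: purchases under EUR 30
TRA_FRAUD_RATE_LIMIT = 0.0013   # 0.13% fraud rate, for both the PSP and the issuer
TRA_AMOUNT_LIMIT_EUR = 100.0    # risk-analysis exemption: purchases under EUR 100

# Constructed, illustrative exchange rates (EUR per one unit of currency),
# not real market data; a real system would pull current rates.
SAMPLE_RATES_TO_EUR = {"EUR": 1.0, "USD": 0.875, "GBP": 1.25}


def to_eur(amount: float, currency: str, rates=SAMPLE_RATES_TO_EUR) -> float:
    """Convert to EUR so the thresholds can be applied to any currency.
    An unknown currency is an error rather than a silent pass."""
    try:
        return amount * rates[currency.upper()]
    except KeyError:
        raise ValueError(f"no EUR rate for currency {currency!r}") from None


@dataclass
class Transaction:
    amount_eur: float
    recurring_followup: bool = False       # subscription charge after the initial order
    virtual_corporate_card: bool = False   # virtual card restricted to corporate/travel use
    fixed_b2b_process: bool = False        # unchanged payment process between two businesses
    psp_fraud_rate: Optional[float] = None     # payment provider's fraud rate (fraction)
    issuer_fraud_rate: Optional[float] = None  # cardholder's bank's fraud rate (fraction)
    issuer_approves_low_risk: bool = False     # issuer has accepted the low-risk exemption


def qualifies_for_tra(tx: Transaction) -> bool:
    """Low-risk exemption: both fraud rates below the limit, amount under the
    cap, and the card issuer's approval present. Missing rates disqualify."""
    if tx.psp_fraud_rate is None or tx.issuer_fraud_rate is None:
        return False
    return (tx.psp_fraud_rate < TRA_FRAUD_RATE_LIMIT
            and tx.issuer_fraud_rate < TRA_FRAUD_RATE_LIMIT
            and tx.amount_eur < TRA_AMOUNT_LIMIT_EUR
            and tx.issuer_approves_low_risk)


def sca_decision(tx: Transaction) -> Tuple[bool, str]:
    """Return (sca_required, reason). Exemptions are checked in turn and the
    first applicable one wins; with no exemption the default is to require SCA."""
    if tx.amount_eur <= 0:
        raise ValueError("amount must be positive")
    if tx.recurring_followup:
        return False, "recurring order / subscription follow-up"
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        return False, "low-value transaction (under EUR 30)"
    if qualifies_for_tra(tx):
        return False, "low-risk transaction (risk analysis, issuer approved)"
    if tx.virtual_corporate_card:
        return False, "virtual corporate card payment"
    if tx.fixed_b2b_process:
        return False, "fixed business-to-business payment process"
    return True, "no exemption applies"


if __name__ == "__main__":
    tx = Transaction(amount_eur=to_eur(40, "USD"), psp_fraud_rate=0.0010,
                     issuer_fraud_rate=0.0005, issuer_approves_low_risk=True)
    print(sca_decision(tx))
```

The decision defaults to requiring SCA whenever no exemption can be positively established, including when a fraud rate is unknown or the issuer's approval has not been recorded; the returned reason string is what a merchant would log so that a later dispute can show why a given transaction was or was not challenged.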
Strong Customer Authentication, as defined under EU regulations, may have benefits in protecting both individuals and businesses from the harmful effects of Ecommerce fraud. However, businesses should educate themselves about SCA now. Even if a business is not currently conducting transactions in the EU, if SCA succeeds in preventing Ecommerce fraud it may influence regulations in other areas of the world, including the U.S.