The Retailer Spring Edition 2023


PSD2 AND SCA: WHERE ARE WE NOW - WHAT WILL FOLLOW?

Jon Swan, SCA Solution Consultant, Accertify

What might be next for SCA and similar authentication mandates around the world?

In 2016, Card Not Present (CNP) fraud peaked at €1.3 billion in Europe, up from €794 million in 2012¹. In the UK, losses also jumped from £247.3 million in 2012 to over £500 million in 2018². For financial institutions, merchants, consumers, and regulators, this was unsustainable. CNP fraud losses across the continent were significant and growing. The risks only increased as we lived more of our lives online. The European Commission’s new authentication standard for PSD2 compliance, Strong Customer Authentication (SCA), promised to make transactions more secure, even at the cost of sometimes more complex customer experiences.

“Authentication is always a balance between security and customer experience.”

SCA for fraud prevention and protection

SCA is undoubtedly game-changing authentication legislation, demanding 2 Factor Authentication (2FA) for relevant transactions and linking the authentication processes to a specific value and merchant. But has it achieved the fine balance between security and experience?

The early figures on fraud prevention are tentative but promising. According to a European Banking Authority (EBA) discussion paper from last year³, “the share of fraud in total volume is five times higher for payments authenticated without SCA compared to the payments authenticated with SCA.” CNP fraud rates are significantly lower in regions where SCA is enforced, and on transactions protected by SCA⁴. SCA may be reducing fraud but could also be driving a percentage of customers away, with the right balance between fraud management and customer experience yet to be found.

The rise of 3D Secure (3DS)

SCA legislation has driven the wide adoption of 3DS for CNP transactions, a technical standard that adds an extra layer of security by allowing merchants to route transactions through to an issuing bank for authentication.

Properly implemented, 3DS is a strong fraud protection tool, but it’s not an invincible one. Fraudsters realise that a reliance on SMS one-time passcodes (OTPs) leaves consumers susceptible to social engineering, and they have been quick to capitalise on this. 3DS is also responsible for increased friction in genuine customer journeys, which leads to cart abandonment and customer dissatisfaction. 2019 figures⁵ found that 30% of CNP payments were lost through 3DS, even before SCA drove more widespread use of the technology, and in 2021 it was found that abandonment rates through 3DS remained worryingly high⁶.

Data published by Arcot, a major 3DS service provider, finds that mobile apps have a far higher failure rate than browser journeys. For example, in February 2023, browser-based 3DS journeys had a 78% success rate in Europe, while the figure for mobile apps was just 37%⁷. This suggests a significant compatibility issue surrounding mobile SDK deployments, putting a question mark around SCA’s reliance on 3DS technology.

The fraud management balance

Although the impact of SCA has so far been mixed, it has certainly made a promising start as far as CNP fraud prevention is concerned, with a clear reduction in losses where SCA is enforced. However, heightened security has led to greater friction for customers, and current failure rates – especially those involving mobile apps – are probably unsustainable in the longer term. It seems the perfect balance between keeping consumers secure and engaged is yet to be found. There is a call for further change and greater technological innovation, to avoid arduous bank authentication journeys, unacceptable transaction failure rates and clunky hand-offs.

What might be next for SCA and similar authentication mandates around the world?

CNP fraud prevention

It was clear something had to be done to curb rising rates of CNP fraud beyond Europe, and SCA is part of a wider global effort to stamp out online payment theft. India was one of the first to introduce Additional Factors of Authentication (AFA) for online payments in 2009⁸. Australia has recently launched its CNP Fraud Mitigation Framework, which borrows from SCA to some degree⁹. More regions are likely to follow sooner rather than later, and the US Consumer Financial Protection Bureau (CFPB) has been hinting heavily that it wants to see online businesses implement some form of customer authentication¹⁰.
