- Thierry Spanjaard
SCA becomes BAU: Business as Usual
Standardization in payments has been ongoing for decades. Each standardization step is meant to make payments faster, more seamless and more integrated, but at the same time the need for more security, which aims at discouraging fraud, makes payments more difficult for legitimate users.
Commerce is evolving, leading payment systems to evolve too. For instance, according to “The Global Retailer’s Handbook” published by Checkout.com, a cloud-based payment solutions provider, 81% of consumers say that the future of retail is online (up from 75% in 2021). The study shows that across the US and Europe, consumers hold increasingly positive sentiments about the benefits of shopping online and using new digital payment methods. Merchants invested heavily in eCommerce and digital infrastructure during the pandemic.
The enforcement of the PSD2 (Second Payment Services Directive) in Europe, which led to the replacement of 3-D Secure by SCA (Strong Customer Authentication), is a perfect example of payment being made more secure at the expense of user friendliness. The principle of SCA is that a user should be authenticated by a combination of two of these three factors: something they know, such as a password or a PIN; something they own, such as a handset, a wearable or a token; and something they are, such as a fingerprint or facial recognition.
The challenge for the payment industry is always to make new processes accepted by consumers. Checkout.com reports that 88% of European merchants have seen a positive effect on cart abandonment from SCA, while up to 92% of online transactions in leading markets such as the UK, Germany and France now employ security methods that involve SCA, according to Payments Cards & Mobile.
We all know that fraud evolves as fast as we set security policies. We are now witnessing the arrival of synthetic ID fraud, in which consumer identities are stolen and patched together to create fake profiles, and account takeover, in which the customer’s login details are stolen and passwords changed.
There are exceptions to SCA: small amounts (below EUR 30), recurring transactions to the same beneficiary, payments to a trusted beneficiary, and cases based on Transactional Risk Analysis (TRA). Merchants have to work with these exemption cases to manage their risk while reducing friction for consumers.
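The two-of-three principle and the exceptions listed above can be read as one decision procedure. The sketch below is an added example, not code from any payment scheme or from the article's sources: the factor-to-category mapping, the `Payment` field names and the `tra_low_risk` flag (standing in for the output of a separate risk engine) are assumptions. It shows the point that is easiest to get wrong: two factors from the same category, such as a password plus a PIN, do not amount to SCA.

```python
from dataclasses import dataclass

# Factor categories named in the article; mapping concrete methods to
# categories is an assumption made for this example.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "handset": "possession", "wearable": "possession", "token": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

def sca_satisfied(verified_factors):
    """True when the verified factors span at least two distinct categories.
    Unrecognised factor names are ignored rather than trusted."""
    categories = {CATEGORY[f] for f in verified_factors if f in CATEGORY}
    return len(categories) >= 2

@dataclass
class Payment:  # hypothetical record; field names are assumptions
    amount_cents: int  # integer cents avoid float rounding at the threshold
    recurring_same_beneficiary: bool = False
    trusted_beneficiary: bool = False
    tra_low_risk: bool = False  # verdict of an upstream TRA engine (assumed)

def exemption(p):
    """Return the first exception from the article that applies, or None."""
    if p.amount_cents < 3000:  # "below EUR 30"
        return "low_value"
    if p.recurring_same_beneficiary:
        return "recurring"
    if p.trusted_beneficiary:
        return "trusted_beneficiary"
    if p.tra_low_risk:
        return "tra"
    return None

def authorize(p, verified_factors):
    """Decide a payment: exempt, authenticated by SCA, or challenge needed."""
    reason = exemption(p)
    if reason:
        return ("approve", "exempt:" + reason)
    if sca_satisfied(verified_factors):
        return ("approve", "sca")
    return ("challenge", "need a factor from a second category")
```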
SCA has proved effective. The European Banking Authority (EBA) reports that EU-based issuers reported a 50% fall in fraudulent transactions, from 0.12% to 0.06%, while EU-based acquirers reported a 40% fall in fraudulent transactions, from 0.17% to 0.10%.
While 3DS (3D-Secure) was an international standard, as it was imposed by Visa, Mastercard and American Express on the payment stakeholders, SCA is a European standard, developed by the European Central Bank and enforced by the European Commission. However, SCA rules apply not only to the EU but to the European Economic Area, which, besides the EU members, includes Iceland, Liechtenstein and Norway; the same rules also apply in Switzerland.
The success of a rule, or to be more specific a large set of complex rules, makes it attractive: now, the US, Canada, Brazil, Australia, New Zealand, UAE, Hong Kong, Malaysia and Singapore all have plans to enforce requirements for additional authentication factors in Card-Not-Present transactions.