The State of Strong Customer Authentication
Table of Contents
- What Is PSD2?
- What Is Strong Customer Authentication?
- How Does Strong Customer Authentication Work?
- What Are the Drawbacks of Using Strong Customer Authentication?
- Are There Exemptions to the PSD2’s Strong Customer Authentication Mandate?
- How Does Strong Customer Authentication Affect Chargebacks?
- Should Merchants Implement Strong Customer Authentication?
Now that it’s 2021, enforcement has begun for the Strong Customer Authentication mandate of the Revised Payment Services Directive (PSD2). While not every country in the European Economic Area is ramping up enforcement at the same rate, it’s past time for every merchant operating in this region to be set up for full compliance.
While merchants outside of the EU don't have to worry about PSD2, there are good reasons for them to be looking into Strong Customer Authentication as a voluntary protective measure against fraud and chargebacks. What is Strong Customer Authentication, and how can merchants implement it effectively?
What Is PSD2?
PSD2 was adopted in 2015 and applied across EU member states from January 2018. The Regulatory Technical Standards that define its Strong Customer Authentication (SCA) requirement became applicable in September 2019, but the European Banking Authority allowed national regulators to extend the enforcement deadline to the end of 2020.
Two of the major requirements of this directive were the mandates on open banking and SCA. The SCA mandate was designed to protect the integrity of electronic payments by making it harder for fraudsters to get away with using stolen credit cards.
While merchants based in the United States and other countries outside of the EEA aren’t required to comply with PSD2 regulations, multi-factor authentication of the payer has long been recommended as a safeguard against fraudulent transactions.
The presence of SCA can also make it harder for friendly fraudsters to convince their issuing banks that their cards were used without their knowledge or authorization. It’s also possible that the EU’s actions with respect to payment security will influence other markets to adopt similar regulations.
What Is Strong Customer Authentication?
The premise of SCA is that the payment credentials printed on a card (number, expiry date, CVV) are not sufficient to authenticate a transaction, so an additional form of authentication is required before a payment is authorized. Per the Regulatory Technical Standards of the directive, the payer must be authenticated using at least two independent elements from the following categories:
- Knowledge: something only the cardholder knows, such as a password or PIN.
- Possession: something only the cardholder has, such as a registered smartphone, a chip card, or a hardware token.
- Inherence: something the cardholder is, such as a fingerprint or a face scan.
The elements must be independent, meaning that compromising one does not compromise the others, and two elements from the same category (for example, two one-time codes sent to the same phone) do not satisfy the rule. Chip-and-PIN transactions, already standard for card-present merchants in the EU, fulfill these requirements: they require the chipped card (possession) and knowledge of the PIN. The practical impact of the mandate is therefore largely on card-not-present purchases.
How Does Strong Customer Authentication Work?
During an SCA-enabled checkout, the cardholder enters their payment details, including billing address and CVV, and is then prompted to complete an additional authentication step, often with a choice among several methods offered by their issuer.
Once that step succeeds, the transaction can be authorized and proceed to completion. Transactions that fail the second authentication step must not be submitted for authorization. For most merchants, the easiest way to meet SCA requirements is to enable 3-D Secure; the current version of the protocol, EMV 3-D Secure (3DS2), was designed with PSD2 in mind.
All of the major card networks run their own branded 3-D Secure program on top of that protocol, and while the authentication methods vary from issuer to issuer, they typically involve either sending a one-time code via text message or having the customer's banking app prompt them to confirm the transaction. Both count as possession elements, but SMS codes are the weaker of the two, since they can be intercepted or redirected through SIM-swap attacks; app-based confirmation binds the approval to a device the issuer has already enrolled.
Purchases made through mobile apps may have additional options, such as prompting the customer to scan their fingerprint, which supplies an inherence element.
What Are the Drawbacks of Using Strong Customer Authentication?
The amount of friction customers are willing to tolerate depends on a lot of different factors, but it’s possible that some frustration and abandonment will follow when a merchant first starts using SCA.
For merchants in the EU, this is unlikely to be a significant concern, since all other merchants will be implementing the same measures.
In places where SCA is still optional, it's important to understand your customer base to get an idea of how they might react to such a change.
In the United States, for example, merchants whose customers already use two-factor authentication for other online accounts are unlikely to see a significant increase in cart abandonment, since the extra step will already be familiar to them.
Are There Exemptions to the PSD2’s Strong Customer Authentication Mandate?
Merchants in the EEA should ask their bank or payment provider which of their transactions may qualify. Note that exemptions are requested by the merchant's payment provider but applied at the issuer's discretion: the issuer can decline an exemption and demand SCA anyway. Some of the cases below are formal exemptions under the Regulatory Technical Standards, while others are simply outside the mandate's scope:
- Mail and telephone orders (out of scope).
- Low-value transactions of €30 or less. The issuer must still require SCA once the cardholder has made five consecutive exempt transactions or spent a cumulative €100 since the last SCA.
- Recurring subscription billings and other merchant-initiated transactions (out of scope), although the initial transaction that sets up the mandate requires SCA.
- Low-risk transactions under the transaction risk analysis (TRA) exemption, which a payment provider may apply for amounts up to €500 only while its fraud rate stays below the thresholds set in the RTS.
- Certain corporate payment processes and virtual card payments.
Some cardholders may also have the option to add a merchant to a list of trusted beneficiaries with their issuing bank, exempting their later purchases from that merchant from SCA. And to reiterate, the SCA mandate applies when both the cardholder's bank and the merchant's payment provider are located in the EEA; when only one side is in the EEA, that side's provider is expected to apply SCA on a best-efforts basis, and merchants elsewhere are not bound by it.
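To make the rules on this page concrete, the following is an added example, not code from the original article or from any payment provider, that gates a card-not-present checkout: it enforces the two-independent-categories rule from the definition of SCA earlier on the page and applies the exemptions listed here. The €100 cumulative and five-transaction counters on the low-value exemption are taken from the PSD2 RTS rather than from this page, and every class, field name, reason string and sample transaction is an assumption made for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum


class Factor(Enum):
    """The three SCA categories. Two verified elements must come from two
    different categories to count as strong authentication."""
    KNOWLEDGE = "knowledge"    # password, PIN
    POSSESSION = "possession"  # enrolled phone, chip card, hardware token
    INHERENCE = "inherence"    # fingerprint, face


def is_strong_authentication(verified: list[Factor]) -> bool:
    """True only if at least two elements were verified AND they span at
    least two categories (two SMS codes to the same phone do not qualify)."""
    return len(verified) >= 2 and len(set(verified)) >= 2


# Low-value exemption limits. The €30 ceiling is in the article; the €100
# cumulative and five-transaction counters are the RTS Article 16 limits
# (an assumption taken from the RTS, not stated on the page).
LOW_VALUE_LIMIT = Decimal("30")
LOW_VALUE_CUMULATIVE = Decimal("100")
LOW_VALUE_MAX_COUNT = 5


@dataclass
class CardholderHistory:
    """Issuer-side state per cardholder (hypothetical structure)."""
    exempt_count: int = 0                 # consecutive low-value exemptions since last SCA
    exempt_total: Decimal = Decimal("0")  # amount exempted since last SCA
    trusted_merchants: set[str] = field(default_factory=set)


@dataclass
class Transaction:
    """Hypothetical checkout record. channel is one of 'ecommerce',
    'moto' (mail/telephone order) or 'mit' (merchant-initiated)."""
    amount: Decimal
    merchant_id: str
    channel: str = "ecommerce"
    initial: bool = True  # for MIT: True on the mandate-setting transaction

    def __post_init__(self) -> None:
        self.amount = Decimal(str(self.amount))


def sca_required(tx: Transaction, history: CardholderHistory) -> tuple[bool, str]:
    """Decide whether this transaction needs SCA, with the reason."""
    if tx.channel == "moto":
        return False, "out of scope: mail/telephone order"
    if tx.channel == "mit":
        if tx.initial:
            return True, "initial merchant-initiated transaction needs SCA"
        return False, "out of scope: subsequent merchant-initiated transaction"
    if tx.merchant_id in history.trusted_merchants:
        return False, "exempt: trusted beneficiary"
    if tx.amount <= LOW_VALUE_LIMIT:
        if (history.exempt_count + 1 > LOW_VALUE_MAX_COUNT
                or history.exempt_total + tx.amount > LOW_VALUE_CUMULATIVE):
            return True, "low-value counters exhausted"
        return False, "exempt: low value"
    return True, "no exemption applies"


def checkout(tx: Transaction, history: CardholderHistory,
             verified: list[Factor]) -> tuple[str, str]:
    """Gate a card-not-present payment. Returns ('approved'|'declined', reason)
    and updates the cardholder's counters the way an issuer would."""
    required, reason = sca_required(tx, history)
    if not required:
        if reason == "exempt: low value":
            history.exempt_count += 1
            history.exempt_total += tx.amount
        return "approved", reason
    if is_strong_authentication(verified):
        # A successful SCA resets the low-value counters.
        history.exempt_count = 0
        history.exempt_total = Decimal("0")
        return "approved", "SCA passed"
    return "declined", f"SCA needed but not satisfied ({reason})"


if __name__ == "__main__":
    hist = CardholderHistory()
    print(checkout(Transaction("25.00", "shop-a"), hist, []))
    print(checkout(Transaction("200.00", "shop-a"), hist,
                   [Factor.POSSESSION, Factor.POSSESSION]))  # same category: declined
    print(checkout(Transaction("200.00", "shop-a"), hist,
                   [Factor.KNOWLEDGE, Factor.POSSESSION]))   # two categories: approved
```

The counters live with the issuer in a real deployment; the merchant only learns the outcome of the issuer's decision through the 3-D Secure response, so the point of the example is the shape of the decision, not where it runs.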
How Does Strong Customer Authentication Affect Chargebacks?
One recommendation that we frequently give to merchants dealing with true fraud chargebacks is to implement tools like 3-D Secure, a technology that meets the criteria for SCA. It also shifts liability: when a transaction is authenticated through 3-D Secure, the card networks move responsibility for fraud-related chargebacks from the merchant to the issuer.
Before you can determine what tools or processes will actually reduce your chargeback rate and provide a positive ROI, you have to analyze the data behind your chargebacks and identify their root causes.
For merchants dealing with fraud and authorization-related chargebacks, implementing SCA is often a key part of their prevention strategy.
Should Merchants Implement Strong Customer Authentication?
Merchants outside the EEA are not obliged to use SCA today. However, laws like the GDPR have shown how influential EU regulations can be over the web as a whole. Merchants everywhere should be prepared for the possibility that they might be required to use SCA in the future.
While the PSD2 doesn’t have the same regulatory reach as the GDPR, it should still help to increase overall familiarity with SCA—and that’s good news for merchants who want to start using some form of it to prevent fraud or chargebacks.
The more customers become exposed to SCA checkout processes, the less likely they’ll be to find it overly disruptive when their favorite merchant decides to implement it.