
The State of Strong Customer Authentication


Table of Contents

  1. What Is PSD2?
  2. What Is Strong Customer Authentication?
  3. How Does Strong Customer Authentication Work?
  4. What Are the Drawbacks of Using Strong Customer Authentication?
  5. Are There Exemptions to the PSD2’s Strong Customer Authentication Mandate?
  6. How Does Strong Customer Authentication Affect Chargebacks?
  7. Should Merchants Implement Strong Customer Authentication?

Now that it’s 2021, enforcement has begun for the Strong Customer Authentication mandate of the Revised Payment Services Directive (PSD2). While not every country in the European Economic Area is ramping up enforcement at the same rate, it’s past time for every merchant operating in this region to be set up for full compliance.

While merchants outside of the EU don't have to worry about PSD2, there are good reasons for them to be looking into Strong Customer Authentication as a voluntary protective measure against fraud and chargebacks. What is Strong Customer Authentication, and how can merchants implement it effectively?

What Is PSD2?

PSD2 is an EU Directive creating standards for the payments industry in the European Economic Area. Its aims are to improve security for online and cross-border payments and to promote innovations in online and mobile payments technology.

PSD2 was adopted in 2015 and had to be transposed into national law by January 2018. Its Regulatory Technical Standards on Strong Customer Authentication (SCA) applied from 14 September 2019, but because so many issuers and merchants were not ready, the European Banking Authority allowed supervisors to defer enforcement until 31 December 2020.

Two of the major requirements of this directive were the mandates on open banking and SCA. The SCA mandate was designed to protect the integrity of electronic payments by making it harder for fraudsters to get away with using stolen credit cards.

While merchants based in the United States and other countries outside of the EEA aren’t required to comply with PSD2 regulations, SCA has long been recommended as a safeguard against fraudulent transactions.

The presence of SCA can also make it harder for friendly fraudsters to convince their issuing banks that their cards were used without their knowledge or authorization. It’s also possible that the EU’s actions with respect to payment security will influence other markets to adopt similar regulations.

What Is Strong Customer Authentication?

Strong Customer Authentication (SCA) is a requirement that mandates multi-factor authentication for electronic payments initiated by the payer, subject to a defined set of exemptions. The requirement was created as part of the EU Revised Directive on Payment Services (PSD2) and applies to payment service providers in the European Economic Area.

The premise of SCA is that the payment credentials tied to a card are not sufficient to authenticate a transaction, and therefore an additional form of authentication is required to authorize a payment. Per the Regulatory Technical Standards of the directive, payments must be authorized using any two of the following categories, and the two elements must be independent, so that compromising one does not compromise the other:

  • Knowledge held by the cardholder, such as a unique code or password.
  • Something in the cardholder’s possession, like a smartphone or chipped device.
  • A quality inherent to the cardholder, including biometric identifiers like fingerprints. 

The chip-and-PIN transactions already standard for card-present merchants in the EU fulfill these requirements: they require both the chipped card (possession) and knowledge of the PIN. These new standards therefore bite mainly on card-not-present purchases.

How Does Strong Customer Authentication Work?

Strong Customer Authentication requires the use of two-factor authentication to authorize electronic transactions. For card-not-present transactions, this typically involves a one-time password, app notification, or biometric authentication in addition to the payment credentials.

During an SCA-enabled checkout process, a cardholder enters their payment credentials, including their billing address and CVV, and is then prompted to complete an additional authentication check, typically via their choice of several available methods. Note that the card number, expiry date and CVV do not count as authentication factors under the Regulatory Technical Standards; the second step must come from a separate category, such as a code sent to the cardholder's phone or a biometric check in their banking app.

Once that information is furnished, the transaction can be approved and proceed to completion. Transactions that do not pass the second authentication step must be rejected. For most merchants, there’s already an easy way to meet SCA requirements, and that is to enable 3-D Secure.

All of the major card networks offer their own 3-D Secure implementation, and while the authentication methods may vary from issuer to issuer, they will typically involve either sending a one-time code via text message or having the customer's banking app prompt them to confirm the transaction.

Purchases conducted using mobile apps may have additional options, like prompting the customer to scan their fingerprint for verification.

What Are the Drawbacks of Using Strong Customer Authentication?

The main downside of SCA is that it introduces an additional layer of friction to the checkout process, and this is known to cause customers to abandon their shopping carts and give up on making a purchase.

The amount of friction customers are willing to tolerate depends on a lot of different factors, but it’s possible that some frustration and abandonment will follow when a merchant first starts using SCA.

For merchants in the EU, this is unlikely to be a significant concern, since all other merchants will be implementing the same measures.

In places where SCA is still optional, it's important to understand your customer base to get an idea of how they might react to such a change.

In the United States, for example, merchants serving mostly younger customers likely wouldn't experience a significant increase in card abandonment, since most young people already use two-factor authentication to log in to various online accounts.

Are There Exemptions to the PSD2’s Strong Customer Authentication Mandate?

Some transactions may be exempt from the SCA requirement, including low-value transactions and recurring billing charges. An exemption is requested by the acquirer (or by the merchant through its acquirer), but the issuer decides whether to honor it and can still step up to full authentication; whichever party applies an exemption takes on the fraud liability for that transaction.

Merchants in the EU should inquire with their bank or payment platform to see if their transactions may be eligible. Specific exemptions include:

  • Mail and phone orders (strictly speaking out of scope of the mandate rather than exempt from it).
  • Remote transactions of €30 or less, capped at five consecutive exempt payments or €100 cumulative since the cardholder last completed SCA, whichever the issuer applies.
  • Recurring subscription billings and other merchant-initiated transactions, although the transaction that sets up the agreement will normally require SCA.
  • Low-risk transactions under the transaction risk analysis exemption, available only while the acquirer's fraud rate stays below the thresholds set in the Regulatory Technical Standards.
  • Certain corporate and virtual card payments.

Some cardholders may also have the option to add merchants to a list of "trusted beneficiaries" held by their issuing bank, exempting those cardholders from having to use SCA when purchasing from that merchant. And to reiterate, the SCA mandate applies when both the cardholder's issuer and the merchant's acquirer are located in the EEA; where one of them is outside the EEA, the EEA-based provider need only make reasonable efforts to apply SCA.
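The two-factor rule described above and the exemption list just given are easier to reason about as code. The following is an added illustration, not code from this post or from any issuer or card network: a constructed model of the decision an issuer makes for a remote card payment. It assumes amounts in euro cents, applies both low-value counters from the Regulatory Technical Standards (€100 cumulative and five consecutive exempt payments) and counts the current payment toward the cumulative cap, which is the conservative reading; the class and function names are the author's own.

```python
"""Constructed model of a PSD2 SCA decision for a remote card payment.

Added example, not code from the page or any real issuer/acquirer.
Assumptions: amounts are euro cents; the issuer applies both RTS
Article 16 counters (EUR 100 cumulative, five consecutive low-value
payments), counts the current payment toward the cap, and resets the
counters whenever SCA is actually performed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # password, PIN, memorised code
    POSSESSION = "possession"  # phone/SIM receiving an OTP, chip card, app-bound key
    INHERENCE = "inherence"    # fingerprint, face


def satisfies_sca(presented):
    """True only if factors from two DIFFERENT categories were presented.

    Card number, expiry and CVV are not factors and must not be passed in.
    A password plus a security question is still one category (knowledge).
    """
    return len(set(presented)) >= 2


# Thresholds from the RTS low-value exemption (Article 16), in euro cents.
LOW_VALUE_LIMIT = 30_00
LOW_VALUE_CUMULATIVE = 100_00
LOW_VALUE_MAX_CONSECUTIVE = 5


@dataclass
class CardholderState:
    """Per-card counters an issuer keeps between authentications (assumed)."""
    cents_since_sca: int = 0
    exempt_since_sca: int = 0
    trusted_merchants: set = field(default_factory=set)


@dataclass
class Transaction:
    amount_cents: int
    merchant_id: str
    channel: str = "ecom"            # "ecom" or "moto"
    merchant_initiated: bool = False
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True


def sca_decision(txn, state):
    """Return 'out_of_scope', 'exempt:<reason>' or 'sca_required'."""
    # Mail/phone orders and one-leg-out payments (a PSP outside the EEA)
    # fall outside the mandate rather than being exempt from it.
    if txn.channel == "moto":
        return "out_of_scope"
    if not (txn.issuer_in_eea and txn.acquirer_in_eea):
        return "out_of_scope"
    # Merchant-initiated follow-ups (subscriptions) need no SCA; the
    # agreement itself would have been authenticated when it was set up.
    if txn.merchant_initiated:
        return "exempt:merchant_initiated"
    if txn.merchant_id in state.trusted_merchants:
        return "exempt:trusted_beneficiary"
    low_value = (
        txn.amount_cents <= LOW_VALUE_LIMIT
        and state.cents_since_sca + txn.amount_cents <= LOW_VALUE_CUMULATIVE
        and state.exempt_since_sca < LOW_VALUE_MAX_CONSECUTIVE
    )
    if low_value:
        return "exempt:low_value"
    return "sca_required"


def record_outcome(txn, state, decision, presented_factors=()):
    """Update the counters after the payment.

    Returns False when SCA was required but the presented factors do not
    meet the two-category rule; such a payment must be rejected.
    """
    if decision == "sca_required":
        if not satisfies_sca(presented_factors):
            return False
        state.cents_since_sca = 0       # fresh SCA resets both counters
        state.exempt_since_sca = 0
        return True
    if decision == "exempt:low_value":
        state.cents_since_sca += txn.amount_cents
        state.exempt_since_sca += 1
    return True


if __name__ == "__main__":
    state = CardholderState()
    for i in range(6):
        t = Transaction(10_00, "shop-a")
        d = sca_decision(t, state)
        print(f"payment {i + 1}: EUR 10 -> {d}")
        record_outcome(t, state, d, [Factor.POSSESSION, Factor.KNOWLEDGE])
```

Running the script shows five €10 payments passing under the low-value exemption and the sixth being forced to full authentication by the consecutive-payment counter; the same state object then starts fresh once SCA has been performed.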

How Does Strong Customer Authentication Affect Chargebacks?

SCA makes it much harder for fraudsters to use stolen payment credentials, since a card number and CVV alone no longer complete a purchase, and that prevents a large share of true fraud chargebacks. It is not airtight: SIM swapping, real-time phishing of one-time codes and malware on the cardholder's device can still defeat SMS-based authentication, so SCA should sit alongside other fraud controls rather than replace them. When a transaction is authenticated through 3-D Secure, the card network rules shift liability for fraud chargebacks from the merchant to the issuer, so banks are much less likely to charge back such transactions on a cardholder's claim that the purchase was unauthorized.

While SCA doesn't eliminate the possibility of friendly fraud, it does make it much harder for cardholders to simply claim that they never authorized the transaction.

One recommendation that we frequently give to merchants dealing with true fraud chargebacks is to implement tools like 3-D Secure—a technology that meets all the criteria for SCA.

Before you can determine what tools or processes will actually reduce your chargeback rate and provide a positive ROI, you have to analyze the data behind your chargebacks and identify their root causes.

For merchants dealing with fraud and authorization-related chargebacks, implementing SCA is often a key part of their prevention strategy.

Should Merchants Implement Strong Customer Authentication?

Merchants who still have the option of choosing whether or not to implement SCA should weigh its benefits against the potential loss of revenue that the added checkout friction may cause.

However, laws like the GDPR have shown how influential EU regulations can be over the web as a whole. Merchants everywhere should be prepared for the possibility that they might be required to use SCA in the future.

While the PSD2 doesn’t have the same regulatory reach as the GDPR, it should still help to increase overall familiarity with SCA—and that’s good news for merchants who want to start using some form of it to prevent fraud or chargebacks.

The more customers become exposed to SCA checkout processes, the less likely they’ll be to find it overly disruptive when their favorite merchant decides to implement it.


Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com
