What might be next for SCA and similar authentication mandates around the world.
In 2016, Card Not Present (CNP) fraud peaked at €1.3 billion in Europe, up from €794 million in 2012 [1]. In the UK, losses also jumped from £247.3 million in 2012 to over £500 billion in 2018 [2].
For financial institutions, merchants, consumers, and regulators, this was unsustainable. CNP fraud losses across the continent were significant and growing. The risks only increased as we lived more of our lives online.
The European Commission’s new authentication standard for PSD2 compliance, Strong Customer Authentication (SCA) promised to make transactions more secure, even at the cost of sometimes more complex customer experiences.
Authentication is always a balance between security and customer experience
SCA for fraud prevention and protection
SCA is undoubtedly game-changing authentication legislation: it demands two-factor authentication (2FA) for relevant transactions and links the authentication process to a specific value and merchant.
But has it achieved the fine balance between security and experience?
The early figures on fraud prevention are tentative but promising. According to a European Banking Authority (EBA) discussion paper from last year [3], “the share of fraud in total volume is five times higher for payments authenticated without SCA compared to the payments authenticated with SCA.”
CNP fraud rates are significantly lower in regions where SCA is enforced, and on transactions protected by SCA [4].
SCA may be reducing fraud, but it could also be driving a share of customers away; the right balance between fraud management and customer experience has yet to be found.
The rise of 3D Secure (3DS)
SCA legislation has driven the wide adoption of 3DS for CNP transactions, a technical standard that adds an extra layer of security by allowing merchants to route transactions through to an issuing bank for authentication.
Properly implemented, 3DS is a strong fraud protection tool, but it is not an invincible one. Fraudsters realise that a reliance on SMS one-time passcodes (OTPs) leaves consumers susceptible to social engineering, and they have been quick to capitalise on this. 3DS is also responsible for increased friction in genuine customer journeys, which leads to cart abandonment and customer dissatisfaction.
2019 figures [5] found that 30% of CNP payments were lost through 3DS even before SCA drove more widespread use of the technology, and in 2021 it was found that abandonment rates through 3DS remained worryingly high [6].
Data published by Arcot, a major 3DS service provider, finds that mobile apps have a far higher failure rate than browser journeys. For example, in February 2023, browser-based 3DS journeys had a 78% success rate in Europe, while the figure for mobile apps was just 37% [7].
This suggests a significant compatibility issue surrounding mobile SDK deployments, putting a question mark around SCA’s reliance on 3DS technology.
The fraud management balance
Although the impact of SCA has so far been mixed, it has certainly made a promising start as far as CNP fraud prevention is concerned, with a clear reduction in losses where SCA is enforced.
However, heightened security has led to greater friction for customers, and current failure rates – especially those involving mobile apps – are probably unsustainable in the longer term.
It seems the perfect balance between keeping consumers secure and engaged is yet to be found. There is a call for further change and greater technological innovation, to avoid arduous bank authentication journeys, unacceptable transaction failure rates and clunky hand-offs.
What might be next for SCA and similar authentication mandates around the world?
CNP fraud prevention
It was clear something had to be done to curb rising rates of CNP fraud beyond Europe, and SCA is part of a wider global effort to stamp out online payment theft.
India was one of the first to introduce Additional Factors of Authentication (AFA) for online payments, in 2009 [8]. Australia has recently launched its CNP Fraud Mitigation Framework, which borrows from SCA to some degree [9].
More regions are likely to follow sooner rather than later, and the US Consumer Financial Protection Bureau (CFPB) has been hinting heavily that it wants to see online businesses implement some form of customer authentication [10].
New fraud protection tech and consumer authentication
Thankfully innovation is already happening, most notably in the form of two new technologies: Delegated Authentication and Secure Payment Confirmation (SPC).
Delegated Authentication allows merchants to carry out SCA on behalf of issuing banks, avoiding the risk of hand-offs and bank authentication journeys.
Meanwhile, SPC enables issuing banks to put credentials into web browsers, which can be used to initiate device-level authentication. In both methods, the combination of a device-level credential (possession) and device-level authentication (knowledge/inherence) constitutes the two factors needed to satisfy SCA.
The authentication arms race
These technologies are central to an efficient authentication strategy for merchants. They promise an improved balance between keeping consumers secure and engaged.
Fraudsters, however, are never far behind and are already refining their strategies in response to SCA. Online criminals are always finding new ways to improve their social engineering techniques, and the enforcement of SCA has only accelerated their efforts.
A prime example of this is iSpoof, a Fraud as a Service (FaaS) application allowing criminals to make calls that appear to come from tax offices, banks, and other legitimate authorities. Fraudsters were using this service to harvest credentials from consumers, such as 3DS One Time Passcodes (OTPs). The UK police recently took down this operation, uncovering a database of 59,000 fraud suspects [11].
While SCA has been an important step forward for those on the right side of the law, as we have seen, fraudsters are quick to adapt. We believe that innovative new technologies are going to be the driving force behind a move towards stronger and easier authentication.
Learn more about Accertify’s Payment Optimisation solutions here.
Sources
1. European Central Bank
2. UK Finance Annual Fraud Report
3–4. EBA 17/01/22
5. Payments Cards and Mobile 10/11/19
6. Medium.com 07/11/21
7. Arcot Scorecard 02/23
8. Central Bank of India
9. Australian Payments Network
10. Consumer Financial Protection Bureau
11. Action Fraud Website 24/11/22
To find out more about Accertify and the services they provide to the retail industry, click here.
This article was also published in The Retailer, our quarterly online magazine providing thought-leading insights from BRC experts and Associate Members.