It’s safe to say this past year or so has been a rollercoaster ride, with twists and turns that aren’t slowing down. With the pandemic and Brexit, we’ve all been kept on our socially distanced toes. And now — more changes are coming for retailers.

The latest challenge coming down the pike, for those in the UK, is the enforcement of Strong Customer Authentication (SCA). After much delay, it’s set to hit the UK shores on 14, September. So, how do retailers prepare themselves?

It’s not too late to get your SCA game on, so stick with us here. First off, The Payment Service Directive 2 (ie. PSD2) is a far-reaching payment regulation covering online transactions for businesses in the European Economic Area. The EU first passed SCA five years ago as part of PSD2 to better protect customers and merchants from online fraud. Its original September 2019 enforcement date was pushed back while complications and kinks were ironed out.

In short, SCA requires a stringent two-factor authentication to approve online transactions, which must be authenticated by two out of these three:

  • Something the user knows - like a passcode
  • Something they have - like a mobile phone
  • And something the user is - fingerprints, facial recognition etc.

So how can UK brands and merchants prepare for the new regulatory environment? Here are five tips:

1   Believe

You need to move from denial into action and develop a growth mindset. Enforcement of SCA is coming so it’s time to do what you need to do to get prepared. Mantras, meditation and graffiti around the house — enforcement is on the way! If you’re not prepared, you’ll be saying goodbye to good customers.

Exemptions can make the difference in whether SCA is a manageable aspect of your business.

2   Become a Ph.D in 3DS

Not all 3D Secure is created equally. Whilst EMVCo’s 3D Secure is the standard protocol to authenticate online credit and debit purchases, the version that many retailers use is not up to the task.

Version 1 of the backbone of SCA is leading to abandonment rates of 25%-plus. Before SCA, these figures were in the single-digit percentages. Not to mention the long authentication process required — between one and two minutes — a long time in this instant world where people just aren’t prepared to wait. Customers also get frustrated with two-factor authentication and are prone to give up halfway through the process. In fact, 46.5% of consumers surveyed said they were somewhat or very likely to give up on a transaction requiring two-factor authentication, according to polling conducted for Signifyd by market researcher Upwave.

What’s needed is the upgraded 3D Secure 2.2. If you believe a transaction is exempt and your bank doesn’t, it allows for a soft decline or an appeal (which V.1 cannot do). V.2 is also mobile-ready — a key to conversion, given the huge number of orders placed on mobile.

3   Mind your fraud rate

3D Secure 2.2 can also much better accommodate exemptions allowed by SCA. These can make the difference in whether SCA is a manageable aspect of your business. SCA relies on another abbreviation: TRA. TRA, or Transaction Risk Analysis, is your new best friend, as it allows for exemptions if you maintain very low fraud rates.

With an exceedingly low fraud rate of .01% or below, low-risk purchases under €500 are exempt; fraud rates of .06% and .13% will allow exemptions for low-risk purchases under €250 and €100 respectively.

All this to say, if you keep your fraud rate low and if the vast majority of your transactions involve low order values, SCA might not affect you as much as you thought. Except ...

4   Get into your service provider’s business

TRA scrutinizes your payment service provider’s fraud rate as well as your own. Yes, your PSP needs to maintain the same low rates for you to take advantage of TRA. The PSP that handles your credit card transactions needs to take fraud as seriously as you do and you need to be on the same page.

“You need to move from denial into action. SCA is coming. It’s time to do what you need to do”.

So it follows that, based on point No. 3, that your fraud rate is important and knowing what that is and how to affect it is paramount. The tricky juggling act comes with the fact that you don’t want to add friction to the buying experience in order to avoid fraud. Choose wisely, then, when selecting a fraud solution. 

5   Know where your customers are coming from

Know thy customer. Or at least where they’re from. There’s such a thing as the curiously named “one leg out” exclusion. This is where, in order to be subject to SCA, the shopper’s card issuing bank and the merchant’s acquiring bank must both be in the European Economic Area. So if a large number of your transactions come from outside the EEA, it’s likely that those transactions are not subject to SCA and the new regulation may not impact you as much as first thought. You still need SCA for those orders not subject to this exclusion.

So there you have it — implement these five key pointers as soon as you can and as best you can and you can keep on the right side of the changing legislation. It can be tricky, but keeping ahead of the game (or at least not falling behind) will mean you don’t fall foul of the regulation while still providing the most seamless SCA journey for your customers.

Shagun Varhney, Signifyd Senior Product Manager, Payment Solutions, is a banking and payments expert with a deep knowledge of SCA regulation and its impact on commerce and commercial banking.

To find out more about Signifyd and the services they provide to the retail industry, click here.

This article was also published in The Retailer, our quarterly online magazine providing thought-leading insights from BRC experts and Associate Members.