Europe is struggling with SCA after one year of the new regulation. Has the UK learned anything as it begins its new payments era?

With Strong Customer Authentication (SCA) enforcement in its infancy in the UK, there are some valuable lessons to be learned from European countries and merchants who have gone before.

Much of Europe has a one-year jump on the UK when it comes to living with SCA. The early pioneers are finding that the advice dispensed in the SCA  lead-up was worth listening to.

A Signifyd analysis of a relevant subset of transaction data in three countries — Italy, Spain and France — shows that:

  • A year after enforcement started in much of Europe, the state of readiness for SCA varies widely by country.
  • The expert advice to merchants to move off of 3D Secure version 1, was the right advice, but not always heeded.
  • Avoiding SCA requirements through the wise use of exemptions and by keeping fraud rates low is still a key strategy for providing a frictionless customer experience.

To reach these conclusions, Signifyd examined a subset of transaction data from orders subject to 3D Secure review in Italy, France and Spain to determine the effect SCA was having in the three countries. The answer is wildly different depending on the country.

First, a quick refresher. The newly enforced SCA requires that an online shopper verify their identity in two of three ways:

  • Something they know — like a one-time passcode.
  • Something they have — like the mobile device they are ordering on.
  • Something they are — like a digital fingerprint or a facial recognition scan.

Capturing that verification can require a consumer to go through extra steps, sometimes including visiting a second website to complete the required confirmation. That’s where SCA’s main potential for adding friction lies.  

So how has this played out in the real world? Let’s start with Italy, where surprisingly 57.7% of the orders Signifyd studied were processed using 3DS, version 1, the obsolete version of 3DS widely disparaged in the run-up to SCA enforcement. Risk experts urged merchants and banks to upgrade from the old technology, as it was not compatible with aspects of SCA that were designed to limit friction and maintain healthy conversion rates.

3DS version 1, which is 20 years old, does not support SCA exemptions, a key strategy for reducing friction in the checkout experience. It doesn’t accommodate SCA on mobile apps or internet of things devices. It doesn’t support biometrics, the common way to satisfy SCA’s requirement that a customer authenticate by “something they are.”

And so what happens in a country where a large majority of SCA-eligible orders are processed via 3DS version 1?  First, the study showed, only about 70% of 3D Secure orders in Italy were approved. But that’s only part of the story.

In fact, in the study, 42% of Italy’s approved orders were met with significant friction, due to 3DS version 1 reviews, an experience that undoubtedly led to some customer churn. On the decline side, 22% of orders were rejected or abandoned due to 3DS friction or the lack of a customer-friendly SCA strategy focused on avoiding SCA reviews when possible. In the real world, that happens when exasperated shoppers cancel or ignore an SCA step-up challenge; or when an order times out, due to confused consumers or creaky technology that takes too long to process the order.

Ultimately, only 8% of orders in Italy were declined for good reason, such as genuine fraud, invalid credit cards, failed authorisation and other serious red flags. All that means that in the end, barely more than a quarter of orders — 28% — were likely approved with little friction.

It’s fair to say that the picture in Italy is not a pretty one. In a way, Italy serves as an example of what not to do. If we turn to Spain and France, we see that only 16.15% and 3.27% of orders respectively are reviewed via 3DS version 1.

And in Spain, the approval rate of all 3DS reviewed orders was nearly 77%. Of the identified declines in Spain, 2.5% were due to complications with 3DS version 1. Another 2.3% were declined when the cardholder cancelled an SCA challenge and .43% timed out.

During its first year of SCA, France demonstrated itself to be among the best prepared for the new regulation. Its low reliance on the outdated 3DS version 1 helped it achieve an approval rate of more than 77%. The vast majority of its 3DS approved orders — 70.2% were processed through 3DS version 2.1. Another 4.2% were run through 3DS version 2.2 and only 2.5% were approved through 3DS version 1.

The good news in all this for the UK is that its merchants and banks still have time to learn from the lessons of the rest of Europe before doing too much damage to retail’s conversion rate and revenue. Good early steps would be to:

  • Immediately move from 3DS version 1 to the most up-to-date version available. Version 2.2 for instance, supports all versions that came before it and provides some crucial advantages over outdated versions.
  • Talk to all the players in your payment ecosystem and be sure they are as vigilant about updating their 3DS capabilities as you are about updating yours. You need everyone to be on the same page to minimise declines and maximise revenue.
  • Be sure to take advantage of SCA’s exemptions. One way to avoid SCA complications, declines and order abandonment is to avoid SCA in those cases where it is not required.
  • Find the solutions and partners that can keep your fraud rate low. That’s vital to taking advantage of SCA exemptions, which in turn is vital to providing a top-flight customer experience.
  • Make sure your commerce protection partner can provide the tools to steer your transactions down the most economical and efficient checkout path, depending on each order’s characteristics. Be sure your partner isn’t simply providing tools and solutions. Find a partner that can also offer guidance and strategy when it comes to managing the new era of SCA.

To find out more about Signifyd and the services they provide to the retail industry, click here.

This article was also published in The Retailer, our quarterly online magazine providing thought-leading insights from BRC experts and Associate Members.