Akil Downes, Commercial Director at Checkout.com, explains how online retailers can increase the chances of a frictionless checkout under SCA.

Over the past year, UK and European consumers and retailers have been getting used to extra security checks when they shop or bank online. Known as Strong Customer Authentication (SCA), these checks aim to make digital transactions more secure and reduce the risk of fraud.

It hasn’t been long since the regulatory requirements to apply SCA were fully implemented in the UK, and retailers have rightly been concerned about the impact on conversion and revenue. We examine how retailers can turn SCA from a box-ticking compliance exercise into a source of competitive advantage.

The experience so far 

Since SCA rules came into effect, the retailer and consumer experience has been mixed. “Each merchant will experience it [SCA] slightly differently based on the nature of their business,” said Dean Jordaan, Director of Payments at Microsoft, speaking during a recent Checkout.com webinar.  

And, while the authentication technology — 3DS — has been improving with the goal of enhancing the overall experience of SCA, this does not necessarily mean that the results are being felt by the industry in practice.  

“You introduce something new into the payments industry, and it takes time for the full ecosystem to develop a maturity around a new capability,” said Jordaan. 

This is a view shared by Oliver Steeley, Head of Payments at Marks & Spencer. Speaking at the same Checkout.com webinar, he said: “Our experience is that a good implementation of 3DS 2.1 is probably delivering better results than an average implementation of 2.2. We’re not really seeing issuer take-up of all the features within [version] 2.2 yet – it will take a little while.”  

As a result, Marks & Spencer has seen differences in SCA acceptance rates between credit and debit cards, and between mobile-centric and more traditional card issuers. 

The four main exemptions for ecommerce businesses are: 

  • Transaction Risk Analysis (TRA): When transactions are considered to have a low fraud risk based on the average fraud level of the payment service provider processing the transaction.
  • Low-value transactions: For payments less than £25, up to a maximum of five transactions or a cumulative limit of £85 since the cardholder's last successful authentication. 
  • Trusted beneficiaries: When customers add sellers to a list of trusted beneficiaries held by their issuer. Sometimes known as ‘white listing’, this exemption is useful for regular customers as SCA is only required for the first transaction to set up the exemption.

Devising an SCA strategy

“What we care about is the transaction success rate. What route or method should I send this payment through that gives me the highest chance of success?” said Steeley, summarizing what is top of mind for most retailers.

So, what are the key considerations for online retailers when devising an SCA strategy? And where do exemptions fit in? Clearly, an SCA strategy should reflect the retailer’s business, risk profile, industry sector, customer base, and trading split across countries, channels and value bands.

Not every transaction requires SCA. As many as half of all ecommerce transactions could be out of scope if certain criteria are met, according to estimates from Visa. These include mail order/telephone order payments, anonymous prepaid card payments, transactions where either the card issuer or acquirer is outside the EEA, and merchant-initiated transactions, such as installment, recurring and delayed payments. 

There are also SCA exemptions, including under transaction risk analysis (TRA) rules where acquirer fraud rates remain low, trusted beneficiary payments where customers ‘white list’ sellers with their card issuers, and low-value transactions.  

It’s critical for retailers to understand customer journeys in the context of SCA, and to identify and correctly flag out-of-scope transactions and exemptions. This helps prevent unnecessary SCA challenges and possible declines for a more frictionless checkout.  

The main out-of-scope scenarios for remote transactions include: 

  • Merchant initiated transactions (MITs): This is a large group of transactions, including recurring, installment or prepaid payment, credential on file, delayed charges and reauthorizations, amongst others. SCA may be required to set up such arrangements, mainly if initiated through a remote channel. However, once in place, merchants may initiate subsequent payments without applying SCA requirements.
  • Mail order/telephone order: Payments made by mail order or over the phone fall outside the scope of SCA.
  • One leg out: When either the card issuer or the acquirer is outside the EEA – for example, when a card issued in Japan is used at the website of a German merchant. Authentication should be applied on a best-effort basis, but issuers must not decline one-leg-out authorization requests if they are out of scope.
  • Anonymous transactions: For example, prepaid gift cards issued without an identifiable cardholder name.
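
The flagging logic described above can be sketched as a single routing function. This is an added example, not Checkout.com's or any retailer's code: the field names, flag strings, check order and the way the low-value counters are kept are assumptions, and only the £25, five-transaction and £85 limits come from the article.

```python
from dataclasses import dataclass
from decimal import Decimal

PER_PAYMENT = Decimal("25")  # article: payments "less than £25"
MAX_COUNT = 5                # article: maximum of five transactions
CUMULATIVE = Decimal("85")   # article: cumulative limit of £85

@dataclass
class LowValueState:
    """Exempt usage on one card since its last successful authentication."""
    count: int = 0
    total: Decimal = Decimal("0")

    def allows(self, amount: Decimal) -> bool:
        # Assumption: the cumulative limit includes the payment being assessed.
        return (amount < PER_PAYMENT and self.count < MAX_COUNT
                and self.total + amount <= CUMULATIVE)

    def record(self, amount: Decimal) -> None:
        self.count, self.total = self.count + 1, self.total + amount

    def reset(self) -> None:  # call after a successful SCA challenge
        self.count, self.total = 0, Decimal("0")

@dataclass
class Payment:  # hypothetical record; every field name is an assumption
    amount_gbp: Decimal
    merchant_initiated: bool = False   # MIT under an agreement already set up
    moto: bool = False                 # mail order / telephone order
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    anonymous_card: bool = False       # e.g. prepaid gift card, no cardholder name
    trusted_beneficiary: bool = False  # seller is on the cardholder's issuer list
    tra_low_risk: bool = False         # PSP's risk analysis says low fraud risk

def classify(p: Payment, state: LowValueState) -> str:
    """Return the flag to send: an out-of-scope reason, an exemption, or SCA."""
    if p.merchant_initiated: return "out_of_scope:mit"
    if p.moto: return "out_of_scope:moto"
    if not (p.issuer_in_eea and p.acquirer_in_eea): return "out_of_scope:one_leg_out"
    if p.anonymous_card: return "out_of_scope:anonymous"
    if p.trusted_beneficiary: return "exemption:trusted_beneficiary"
    if state.allows(p.amount_gbp):
        state.record(p.amount_gbp)  # only low-value use consumes the counters
        return "exemption:low_value"
    if p.tra_low_risk: return "exemption:tra"
    return "sca_required"
```

Out-of-scope checks run first so that those payments never consume the low-value counters; an exemption flag is a request, and the issuer can still step up to a challenge.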

Customer comms and payment relationships

In practical terms, retailers are also reviewing their customer communications on the front end, as well as their payment relationships on the back end. For example, Marks & Spencer has changed the way in which it presents payment options to customers.

“If you’re paying on a device that supports Apple Pay, you may be presented with this as your default in a way that maybe you weren’t before. If your authentication abandons, you may get an email from us that we perhaps wouldn’t have sent before,” explained Steeley.

When it comes to payment partners, in the past retailers may have chosen an acquirer based on their transaction success rates or pricing. Nowadays other factors are in play. That’s because acquirers must have a sufficiently low fraud rate across their portfolio to offer merchants a TRA (low fraud rate) exemption.

“We’re thinking slightly differently about orchestration at the back end. And about whether we’ve got the right partners for the acquiring and gateway journey. Never before have we really thought about the acquirer fraud rate and what that means for us. It does create a different dynamic in the acquiring market,” concluded Steeley.

What does this mean for retailers?

SCA has the potential to reduce ecommerce card fraud in the same way that chip and PIN reduced cardholder-present fraud. It offers a layer of protection against the fraudulent use of accounts, and it shifts liability from retailers to card issuers in most cases. Leaning into it puts retailers in the driver’s seat.

However, there’s a balance to be struck between minimizing fraud losses and operational costs, optimizing the customer experience and maximizing revenue. No one says this is easy. But the good news is there is no one right way to balance these factors or devise an SCA strategy.

Each retailer can tailor and tweak their SCA approach for competitive advantage, depending on their own circumstances. And they should be able to draw on the local knowledge, experience and expertise of their payment partner to do so.


This article was also published in The Retailer, our quarterly online magazine providing thought-leading insights from BRC experts and Associate Members.