Within months, we will have a clearer idea of the impact of Strong Customer Authentication (SCA), the regulatory requirement that has seen European merchants gather multi-factor authentication from customers for most online transactions.
This EU directive requires that the customer provides two of three identifying factors—something they know, something they own, or something they are. Exemptions automatically apply for some transactions—for example, those under EUR30, however after five
transactions these will also need to be challenged, or once the total combined value of previous exempted transactions exceeds EUR100. So, there are a lot of factors to be aware of.
SCA delivers greater online security, but it also means additional authentication steps at checkout. Adding even a few more seconds on to the checkout process can mean the difference between a closed sale and an abandoned cart, so which methods should merchants
use?
Below is an overview of the methods of authentication, and possible exemptions that may be sought.
Biometrics: inherence in technology
Biometrics offer a fast solution to the ‘inherence’ factor of multi-factor authentication. Fingerprints, facial recognition, making a short video to confirm identity, and retina scanning are all possibilities. This method is best suited for mobile commerce,
given that smartphones are most likely to have biometric features built in; this method may be popular with seasoned online shoppers. Issuing Banks may adopt this authentication method over time by leveraging their mobile banking apps installed on consumer
devices.
One-time codes
One of the key elements of multi-factor authentication are one off codes. Issuers send a single use code via SMS text message or phone call at checkout, which customers must use to complete a transaction. This method requires that customers have their mobile
number registered with their card issuer, or at least be happy to provide their phone number in order to receive the code. There is also a risk that one-time passwords by SMS may not always be secure, and could potentially be intercepted. One-time codes via
text messaging, along with inherence, may be more suited to mobile commerce than desktop commerce.
There are also, possible exemptions that can be claimed, including whitelisting and TRA.
Whitelisting
Consumers will soon be able to make their own personal ‘whitelists’ of approved merchants, whereby the merchant is recognized as a ‘trusted beneficiary’. This means that after the first SCA challenge at checkout, consumers shouldn’t have to go through SCA
when they buy from the merchant again. Brand loyalty and scale could be a significant factor—major merchants with mass appeal and recognition may find it easier to be whitelisted than a small independent merchant.
Transaction risk analysis (TRA)
For smaller merchants who might not enjoy the brand recognition that could make whitelisting more likely, Transaction risk analysis could represent a good opportunity for merchants to avail of an exemption.
Under the revised Payment Services Directive (PSD2) and SCA rules, if an acquirer’s fraud incidence rate is below a certain percentage, it can apply SCA exemptions, up to prescribed regulatory monetary thresholds, for merchants with a similarly low fraud
incidence rate. For example, as an acquirer, J.P. Morgan has an entity that has a low fraud rate. If merchants have a similarly low fraud rate, merchants can consider applying to process transactions via this entity. Contact your J.P. Morgan representative
to find out more.
Conclusion
The 31 December 2020 deadline in the European Union (14 September 2021 for UK-only transactions) for implementation could have been viewed as an extra burden to deal with. However, we saw it as an opportunity to ensure the most effective security protocols
are in place and to future-proof our merchant clients.
As the industry becomes more mature with regards to Strong Customer Authentication (SCA), we will continue to have a clearer view of the impact and the evolving space of consumer authentication.