As a business owner, new rules may appear to be just additional red tape, but they may also provide new opportunities to improve customer service. The Strong Customer Authentication (SCA) rules recently adopted by the European Union provide one such opportunity. The PSD2 Strong Customer Authentication regulation entered into force across the EU to strengthen eCommerce security and prevent online card payment fraud.
The Timeline for Strong Customer Authentication
On September 14, 2019, the second Payment Services Directive (PSD2) went into effect in Europe, bringing SCA with it. The final date for enforcement was set for December 31, 2020. Each country’s response has been unique, taking into account the country’s preparedness and implementation efforts.
The eCommerce and banking sectors in the United Kingdom have each been granted an extension to March 14, 2022. Only 44% of enterprises in online retail and eCommerce are prepared for SCA deployment. In the UK, 37% of buyers had to switch merchants to finish their orders on e-commerce platforms.
What is the process through which SCA is accomplished?
With the introduction of PSD2 legislation, you’ll need to deploy Strong Customer Authentication if you’re an eCommerce retailer or payment service provider operating in the European Union.
Usernames and passwords are no longer sufficient. SCA must use two of the following three factors to authenticate your customer’s identity.
- Knowledge: something the consumer knows. Example: a PIN or security questions.
- Possession: something the consumer owns. Example: an OTP or smart card.
- Inherence: something the consumer is. Example: a fingerprint or voice recognition.
Eliminating Unnecessary Friction
If implemented incorrectly, multi-factor authentication and additional verification stages may slow down the checkout process and cause customer friction, so you’ll need to find a balance between levels of security and a frictionless user experience. A complex authentication procedure can lead to cart abandonment, but a lack of protection for personal data makes customers suspicious.
Back-end data verification and robust consumer authentication ensure that most online transactions will go through without the user even realizing they are being authorized. A verification step may lead some customers to abandon their shopping carts, but this is unlikely.
Offering several ways for users to authenticate their identity can help reduce this churn. Customers are less likely to become frustrated by one-time passcodes that fail to arrive when they can receive them by SMS or voice, with verification codes transmitted dependably over a robust network.
Payments that are initiated through the internet are referred to as “remote payment transactions.” With “dynamic linkage,” TPPs must tie each transaction to the payment value and recipient named in it as a further safeguard.
This is done with an authorization code or token that the TPP produces for the customer. The code is invalidated if the recipient or the total amount payable is altered, and a new one is needed to complete the transaction.
For example, if a customer purchases groceries online, the whole cost of the items in their cart, including all relevant taxes and fees, must be clearly stated. Furthermore, the customer must know which grocery store is receiving this money. After being shown this information, they can then use a code to approve the transaction. A new authorization code must be generated after each change before the TPP will allow the transaction to proceed.
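The binding described above can be sketched as follows. This is an added example, not code from the regulation or from any payment provider: it assumes an HMAC-SHA256 construction, amounts in minor units (cents), and hypothetical names (`SERVER_KEY`, `issue_code`, `verify_code`).

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; a real deployment keeps it in an HSM or KMS.
SERVER_KEY = secrets.token_bytes(32)
_used_nonces = set()  # each authorization code may be consumed only once


def _canonical(amount_minor: int, currency: str, payee: str, nonce: str) -> bytes:
    # Length-prefix every field so a value cannot slide across a field
    # boundary (e.g. payee "AB" + nonce "C" versus payee "A" + nonce "BC").
    fields = [str(int(amount_minor)), currency.upper(), payee, nonce]
    return b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)


def _mac(amount_minor, currency, payee, nonce) -> str:
    msg = _canonical(amount_minor, currency, payee, nonce)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_code(amount_minor, currency, payee):
    """Return (nonce, code) bound to this exact amount and payee."""
    nonce = secrets.token_hex(16)
    return nonce, _mac(amount_minor, currency, payee, nonce)


def verify_code(amount_minor, currency, payee, nonce, code) -> bool:
    """True only if amount and payee are unchanged and the code is unused."""
    expected = _mac(amount_minor, currency, payee, nonce)
    if not hmac.compare_digest(expected, code):
        return False  # amount or payee was altered, or the code is forged
    if nonce in _used_nonces:
        return False  # replay of a code that was already consumed
    _used_nonces.add(nonce)
    return True


def demo():
    # Constructed sample: a 42.50 EUR grocery order, as in the text above.
    nonce, code = issue_code(4250, "EUR", "Example Grocery Store")
    return {
        "amount_changed": verify_code(42050, "EUR", "Example Grocery Store", nonce, code),
        "payee_changed": verify_code(4250, "EUR", "Another Payee", nonce, code),
        "unchanged": verify_code(4250, "EUR", "Example Grocery Store", nonce, code),
        "replayed": verify_code(4250, "EUR", "Example Grocery Store", nonce, code),
    }
```

Only the unchanged transaction verifies; a changed amount, a changed payee, or a second use of the same code is rejected and requires a fresh code.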
Exceptions to the SCA
An individual customer may be exempt from SCA under several conditions under PSD2. Payment service providers may ask for exemptions while processing client transactions. Several factors must be taken into consideration when a customer’s bank receives a request for a waiver of authentication requirements.
SCA does not apply to the following:
- Online low-risk transactions
To assess if SCA should be applied to a transaction, a payment provider can look at the fraud rates of the customer’s account and the payment provider’s account under PSD2. Banks are required to stick to exemption threshold levels to avoid having to take the additional step.
- Recurring payments
SCA can be avoided if you pay your subscriptions on a regular basis. First-time customers may be asked to authenticate their identity using SCA as part of the transaction. After that, SCA is no longer required for the further payments in the series.
- Merchant banks’ transactions
Customers periodically utilize their saved credit cards to make purchases. When this occurs, merchant banks are able to begin accepting payments immediately. SCA does not apply to this kind of transaction.
- Payouts made by companies
There is no charge for payments made with cards that have been filed with the SCA. An online travel company that uses a company credit card to handle employee travel expenditures is not permitted to participate in the SCA.
A digital security solution can make it simple to perform SCA, which is one of the most crucial processes in safeguarding any digital platform.