
SCA: How PSPs Can Help Merchants Stay One Step Ahead

The main objective of PSD2’s Strong Customer Authentication (SCA) is to protect customers and reduce fraud by introducing new measures that ensure that customer-initiated transactions are being made by the genuine cardholder.

Unfortunately, this can add friction to the checkout process by adding another step before the customer can complete the transaction. This could prove a major risk to the conversion rate if the right measures aren’t taken by merchants, payment service providers (PSPs) and acquirers to reduce the impact on genuine customers.

Whose liability is it anyway?

From a regulatory perspective, the issuer will own authentication decisions, but the liability for fraud isn’t as straightforward as it seems. For transactions that are subject to SCA, liability usually rests with the issuer or acquirer. It’s important to note that the ability of acquirers to offer exemptions is also determined by adherence to a set of Transaction Risk Analysis (TRA) metrics around the overall fraud rates of that acquirer. A breach of these metrics means that all transactions in the acquirer’s portfolio need to be authenticated until the acquirer consistently brings their fraud rate within the TRA metrics. The message is clear – choose your acquirers carefully.

Issuers and acquirers can choose to apply SCA exemptions for certain transactions, the scope for which is set out in the regulations. Whoever applies the exemption is then liable for that transaction, in the event that fraud occurs. However, in some circumstances where an acquirer applies an exemption, they are also likely to pass – at the very least – the costs back to the merchant.

Without proper attention around exemptions, SCA could potentially have a very negative impact on merchant profitability. Merchants could be saddled with the cost of fraud, passed across from acquirers, not to mention the added friction from the authentication process, which could lead to cart abandonment and damage to customer relationships.

Getting SCA-ready

There are lots of ways that PSPs can help their merchants prepare for SCA. First, merchants can actively seek SCA exemptions and PSPs should help merchants to define the tailored exemption strategies they need for their individual business. For example, PSPs can help merchants define the low-value and low-risk transactions that they wish acquirers to accept unchallenged. This will allow merchants to be better prepared for the exemptions discussions and agreements they need to reach with their acquirers.

But remember, any exemption strategy defined by the merchant must be discussed and ultimately agreed upon with the acquirers. The PSP can provide consistency in the front end for a merchant that uses multiple acquirers; the merchant needs to agree the exemption strategy with the acquirer, but the PSP can facilitate the provision of transactional data and the defining of exemptions for the merchant (especially for low-risk and low-value exemptions).

PSPs need to ensure that merchants can capture and send the acceptable level of transactional and cardholder data that will help secure the exemption — and ensure the transaction passes through the frictionless flow. They must also be able to provide the relevant exemption flag within the transaction.

There is also an opportunity for merchants to become a “trusted merchant,” where a cardholder has successfully applied to have the merchant white-listed with their card issuer. PSPs need to make sure they support the passing of a white-listing/trusted merchant flag to the issuer, to ensure the customer experience (and customer loyalty) isn’t compromised. However, remember an issuer can still override this from time to time and step up to authentication.

Finally, PSPs need to verify that merchants can use a multi-layered fraud prevention solution that helps protect them from fraud, regardless of whether their transactions go through SCA, are exempt, or are out of scope. Merchants still have responsibility for fraud rates and maintaining a consistently low fraud rate is the best way to ensure that the acquirer will support the merchant’s exemption strategy.

How PSPs can help merchants set an exemptions strategy

Merchants and PSPs must be able to control the customer experience through an appropriate exemption strategy — but this strategy must be fully supported by the merchant’s acquirer or acquirers.

There are several areas to consider. If an acquirer’s overall fraud rate becomes too high, they can lose the ability to offer SCA exemptions, meaning that every transaction in their portfolio requires authentication until the acquirer’s fraud metrics are brought under control.

To ensure merchants aren’t caught out by this, PSPs can assist in several ways:

They can help ensure merchants are actively fraud-screening transactions, to keep their fraud rates low so they don’t push the acquirer’s overall fraud rate up.

They can scrutinise and monitor acquirers on behalf of their merchants. For instance, it’s worth knowing what types of merchants the acquirer supports – an acquirer focused on high risk merchants is likely to have much higher overall fraud rates. PSPs can regularly monitor acquirers’ average fraud rates and evaluate the best acquirers by the percentage of exemptions they apply.

They can support multiple acquiring options and can switch traffic to alternative acquirers if an acquirer’s fraud rate increases and they lose their ability to offer exemptions. This will be a vital measure in protecting merchants from unexpected exposure to risk and checkout friction.

The U.K. has now delayed SCA implementation to September 2021, and we await further developments in the EU27 where the EBA has not followed suit and the December 2020 date is still prevailing. Until more is known, PSPs, merchants and acquirers need to prepare for the December 2020 deadline. Whether there’s a further delay or not, SCA is coming.

My strong recommendation, to PSPs and merchants, is to take steps now to be ready, determine exemption strategies that you want, and seek agreement from your acquirers. If your acquirer breaches transaction risk analysis (TRA) metrics, you need to ensure mitigating strategies are in place, for example with alternative acquiring options. When the regulation is finally enforced, you need to be ready to protect your genuine customers — and your business.

 
