
PSD2 SCA Deadline Nears: How to Comply Using 3DS2 and Phone-Centric Identity™

Prove
February 17, 2021

As the end of 2020 draws near, banks and payment service providers in the European Union face yet another PSD2 deadline. Full enforcement of the much-debated Strong Customer Authentication (SCA) across the region will begin from January 1, 2021*. This implementation comes under extraordinary circumstances caused by the pandemic. Much of Europe has moved into another phase of lockdowns, causing a shift in shopping behavior from brick-and-mortar to digital. The change in purchasing habits has also brought in several first-time online shoppers.

The questions that are top of mind for merchants, payment processors, and banks are:

  1. Are we SCA-compliant?
  2. How can we ensure high transaction success rates while enforcing multi-factor authentication?
  3. Have we done enough to ensure very low fraud levels to be eligible for higher SCA exemptions?

There are widespread concerns about SCA implementation resulting in transaction declines and creating friction in the payment experience. A combination of 3DS2 and mobile-intelligence-based identity resolution could be the solution to several of these challenges.

SCA Compliance Challenges

While SCA’s fundamental principle is to enhance the security of payment transactions through multi-factor authentication (MFA), it indirectly creates barriers to a smooth consumer purchase experience. MFA follows the principle of requiring multiple independent user inputs before a sensitive transaction is approved. These factors are:

  1. Knowledge: Something that a user knows, e.g., PINs and passwords
  2. Possession: Something that a user has, e.g., a device, a token (could be hardware or software)
  3. Inherence: Something that the user is, e.g., biometrics, behavioral characteristics

SCA mandates the use of at least two of the three factors above for all online transactions that exceed the exemption thresholds (a single transaction above €30, or a cumulative total of unauthenticated transactions above €100). In addition, fraud rates for specific transaction categories, as prescribed by the directive’s Transaction Risk Analysis rules, determine eligibility for higher exemption thresholds of up to €500. The onus of performing this risk analysis lies with the issuing and acquiring banks. Given these strict conditions, many digital transactions are likely to breach the exemption threshold and are bound to be challenged with stronger authentication.

Suffice to say that it is in banks and payment processors’ interest to qualify for higher exemption thresholds and ensure higher approval rates without the need for step-up authentication.

SMS-based one-time passwords (OTPs) are arguably the most preferred mode of strong authentication, followed by biometrics, given their ubiquity on mobile devices. A combination of the two is emerging as the most common method of SCA compliance. However, the fact that many consumers do not have their mobile numbers updated in their banking records is likely to complicate SCA implementation. The expected outcomes are higher transaction decline rates and an overall erosion of user experience.

All participants in the payments value chain, such as merchants, payment service providers, and issuing & acquiring banks, need to mitigate this issue actively.

A slowdown in cross-border commerce within the region and a lack of resources forced by the pandemic negatively impacted compliance efforts during most of 2020. In May, Payments Europe, representing consumers, merchants, and other participants in the ecosystem, requested the European Banking Association and the National Competent Authorities to extend the deadline, citing unsatisfactory readiness. In October, an Amadeus survey concluded that only a third of the travel industry would be able to meet the current deadline.

An Optimal Solution Using Phone-Centric Identity™ and 3DS2

Is there a way to achieve all aspects of SCA compliance without having to sacrifice transaction completion rates and customer experience? The answer lies in how data can be best leveraged to make an effective transaction-level risk assessment.

The main focus of organizations falling under the purview of PSD2 should be to minimize the need for SCA by fully leveraging all provisions in the directive that allow exemptions. At the same time, transactions where SCA is invoked must remain frictionless from a user experience perspective.

There are two broad paths that banks (both acquiring and issuing) and merchants should take to ensure the optimal balance between security and user experience:

  1. Support 3DS2 protocol in their workflows to ensure compliance and yet retain a smooth purchase experience
  2. Reinforce identity authentication using mobile intelligence to establish identity

3DS2 to Drive Frictionless and Modern Authentication Experiences

The 3DS2 protocol is an upgrade from 3DS1, which has been in existence for the last two decades. Designed to remove friction from the payments flow, 3DS2 collects and transports 10X more data and supports in-app authentication. In the past, the absence of granular data prompted most issuers to err on the side of caution and decline genuine transactions. With far more data available to assess the authenticity of a transaction and its initiator, 3DS2 can reduce the volume of false declines dramatically.

According to VISA, the adoption of 3DS2 can reduce cart abandonment by 70% and reduce checkout time by 85%.

3DS2 also removes consumers’ need to pre-register their cards and credentials, which is a common barrier to clean transaction approvals. 3DS2 is also designed for mobile-first experiences. This means that additional inputs required from the consumer in the form of a one-time password or a biometric scan can be completed in-app without the need for clumsy redirections, as was the case with 3DS1.

In summary, the design of 3DS2 makes the implementation of two types of payment transaction flows possible, both fully compliant with PSD2 SCA norms:

  1. A ‘frictionless’ flow without stepped-up authentication for transactions not requiring an SCA and
  2. A ‘challenge’ flow that requires strong authentication while retaining a native in-app experience
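The exemption thresholds described under SCA Compliance Challenges and the two 3DS2 flows listed above fit together as a single routing decision per transaction. The following is an added worked example, not code from the original post or from Prove: it applies the low-value limits the post states (€30 per transaction, €100 cumulative unauthenticated spend), then a Transaction Risk Analysis (TRA) check, and only steps up to the ‘challenge’ flow when neither exemption applies. The TRA tier table (reference fraud rate per ceiling) is taken from the PSD2 RTS on SCA rather than from the post, and the `RISK_CUTOFF` value and all names are constructed for the example.

```python
from dataclasses import dataclass

# Exemption limits named in the post: single transactions of EUR 30 or less are
# exempt from SCA until the cumulative total of unauthenticated transactions
# would exceed EUR 100.
LOW_VALUE_LIMIT = 30.00
CUMULATIVE_LIMIT = 100.00

# Transaction Risk Analysis (TRA) tiers as (ceiling in EUR, reference fraud rate in %).
# The post states only "up to EUR 500"; the tiers themselves are the ones set in
# the PSD2 RTS on SCA (Art. 18), added here for the worked example.
TRA_TIERS = ((100.00, 0.13), (250.00, 0.06), (500.00, 0.01))

# Constructed cut-off: a transaction-level risk score at or above this value is
# never TRA-exempted, whatever the PSP's historical fraud rate.
RISK_CUTOFF = 0.50


def tra_ceiling(fraud_rate_pct: float) -> float:
    """Highest TRA exemption amount a PSP's reference fraud rate qualifies for
    (0.0 when the rate is above every tier, i.e. no TRA exemption at all)."""
    ceiling = 0.0
    for limit, max_rate in TRA_TIERS:
        if fraud_rate_pct <= max_rate:
            ceiling = limit
    return ceiling


@dataclass
class CardState:
    """Per-card running total of spend approved without SCA since the last SCA."""
    unauthenticated_total: float = 0.0


@dataclass(frozen=True)
class Decision:
    flow: str      # "frictionless" or "challenge": the two 3DS2 flows
    reason: str


def route_transaction(amount: float, state: CardState,
                      psp_fraud_rate_pct: float, risk_score: float) -> Decision:
    """Choose the 3DS2 flow for one remote card payment and update the card's
    cumulative unauthenticated spend accordingly."""
    # 1. Low-value exemption: small ticket and the cumulative limit is not breached.
    if amount <= LOW_VALUE_LIMIT and state.unauthenticated_total + amount <= CUMULATIVE_LIMIT:
        state.unauthenticated_total += amount
        return Decision("frictionless", "low-value exemption")

    # 2. TRA exemption: the PSP's fraud rate earns a high enough ceiling and the
    #    transaction-level risk assessment is low.
    if amount <= tra_ceiling(psp_fraud_rate_pct) and risk_score < RISK_CUTOFF:
        state.unauthenticated_total += amount
        return Decision("frictionless", "transaction risk analysis exemption")

    # 3. Otherwise step up. A completed SCA resets the cumulative counter, so the
    #    next small transactions can use the low-value exemption again.
    state.unauthenticated_total = 0.0
    return Decision("challenge", "no exemption applies; SCA required")


if __name__ == "__main__":
    card = CardState()
    for amt in (25.0, 25.0, 25.0, 25.0, 25.0):
        print(amt, route_transaction(amt, card, psp_fraud_rate_pct=0.05, risk_score=0.1))
    print(route_transaction(400.0, CardState(), psp_fraud_rate_pct=0.2, risk_score=0.1))
```

The cumulative counter is the part implementers most often get wrong: it must be tracked per card across all non-SCA approvals and reset only when SCA actually completes, otherwise a run of small purchases silently drifts past the €100 limit while still being routed frictionless.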

Reinforcing Authentication Using Mobile-Related Parameters

A recent study by Prove establishes how MFA-protected FinTech transactions carry 2X higher risk than the average risk level across all industry verticals. One of the most significant contributors to this low level of trust is the risk of SIM swap-related fraud. SIM swap is now a standard modus operandi of fraudsters to steal identity, and it can go undetected despite having step-up authentication in place. The eventual outcome is potentially higher fraud levels despite SCA compliance.

Higher fraud rates would imply a higher number of transactions being subject to step-up authentication. Therefore, banks must have a robust risk-scoring model to ensure stringent fraud assessment while minimizing false declines and maximizing transaction approvals.

Mobile device and carrier data-related intelligence play a vital role in this reinforcement. This model may analyze behavioral and phone intelligence signals to measure the fraud risk and identity confidence of a potential transaction. Such an approach will thwart SIM swap fraud and other account takeover schemes. It can keep SCA-invoking fraud levels well below the regulated thresholds, thereby making acquirers and issuers eligible for higher SCA exemptions.
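The risk-scoring model described above is easiest to see as code. The following is an added example, not Prove’s product logic or any vendor API: it takes a handful of carrier and device signals for the phone number on file, scores them, flags a recent SIM change as a suspected SIM swap, and derives whether an SMS OTP to that number should still count as a trusted possession factor. Field names, weights and the 7-day and 30-day windows are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Constructed lookback windows: a SIM change or number port inside these
# windows is treated as a strong account-takeover signal.
SIM_SWAP_WINDOW_DAYS = 7
PORT_WINDOW_DAYS = 30
NEW_NUMBER_TENURE_DAYS = 30


@dataclass(frozen=True)
class PhoneSignals:
    """Carrier/device intelligence for the number on file (constructed schema)."""
    sim_changed_on: Optional[date]   # last SIM change reported by the carrier
    ported_on: Optional[date]        # last port of the number to another carrier
    number_tenure_days: int          # days this number has been linked to the account
    line_active: bool                # carrier reports the line as active
    device_matches_enrolled: bool    # device fingerprint matches the in-app 3DS2 enrolment


@dataclass(frozen=True)
class RiskAssessment:
    score: float                     # 0.0 (high identity confidence) .. 1.0 (very likely fraud)
    sim_swap_suspected: bool
    reasons: Tuple[str, ...]


def assess(signals: PhoneSignals, today: date) -> RiskAssessment:
    """Combine phone-intelligence signals into a transaction risk score."""
    score = 0.0
    reasons = []
    sim_swap = False

    if signals.sim_changed_on and (today - signals.sim_changed_on).days <= SIM_SWAP_WINDOW_DAYS:
        score += 0.6
        sim_swap = True
        reasons.append("SIM changed within %d days" % SIM_SWAP_WINDOW_DAYS)
    if signals.ported_on and (today - signals.ported_on).days <= PORT_WINDOW_DAYS:
        score += 0.3
        reasons.append("number ported within %d days" % PORT_WINDOW_DAYS)
    if not signals.line_active:
        score += 0.3
        reasons.append("line not active")
    if signals.number_tenure_days < NEW_NUMBER_TENURE_DAYS:
        score += 0.2
        reasons.append("number recently linked to account")
    if not signals.device_matches_enrolled:
        score += 0.1
        reasons.append("device does not match enrolment")

    return RiskAssessment(round(min(score, 1.0), 2), sim_swap, tuple(reasons))


def sms_otp_trusted(assessment: RiskAssessment) -> bool:
    """An SMS OTP only proves possession of the number if the SIM has not just
    changed hands; after a suspected swap, route to an in-app or biometric factor."""
    return not assessment.sim_swap_suspected


if __name__ == "__main__":
    today = date(2021, 2, 17)  # constructed transaction date
    swapped = PhoneSignals(date(2021, 2, 15), None, 400, True, True)
    result = assess(swapped, today)
    print(result, "SMS OTP trusted:", sms_otp_trusted(result))
```

The point of the separate `sms_otp_trusted` check is the one the post makes: a fraudster who has just taken over the number will pass an SMS-based step-up, so the swap signal has to gate which second factor is offered, not merely add to the score.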

Conclusion

Successful and non-disruptive compliance with PSD2 SCA is all about maintaining the optimal balance between security and frictionless user experience. 3DS2, in combination with risk analysis augmented by mobile intelligence, is an optimal solution for compliance. At the same time, it ensures that the purchase experience is frictionless, and the incidence of stepped-up authentication for payment transactions is kept at a minimum. Merchants would like to ensure higher transaction approval rates without stepped-up authentication and thereby lesser purchase abandonment. It is imperative that acquiring and issuing banks have the best transaction risk analysis infrastructure in place to meet the desired objectives of both merchants and consumers.

For more information on fulfilling SCA through 3DS2 and phone-centric identity, click here.

*With the exception of France and the UK, which have an extended deadline until March 2021 and September 2021, respectively.

Tags: Banking, EU
