By Scott Dawson, Director of Operations at Pixxles
Strong Customer Authentication (SCA) has been in force across the U.K. for several weeks. It is the end of a long road that began in 2015 when the European Commission adopted the Second Payment Services Directive (PSD2) proposals.
The U.K. is the last country to fully implement SCA after a string of deadline extensions, but with this final piece in place we can start to look at what SCA does in practice and what merchants can do to build on its foundations.
The Impact of SCA So Far
At its simplest, SCA requires that before a transaction can be processed, a customer must verify themselves with two of the three following pieces of information: something they know (such as a password), something they have (such as a mobile device) and something they are (fingerprints, facial recognition, or even subtle cues like how they type). It does introduce more friction into the payments process but is necessary to prevent fraud.
Despite dire warnings of a third of all transactions being blocked and losses of €100 billion ($110 billion), the roll-out of SCA across Europe has been smooth, and it is likely that the U.K.’s experience will be no different. This is likely to be down to the flexibility built into SCA from the outset: transactions under €30 ($32.75) were exempt, and many merchants will receive exemptions on transactions up to €30 if their acquirer’s fraud rate is below 13 basis points and €250 ($273) if their fraud rate is below 6bps. This encourages acquirers and merchants to be proactive about fraud, since the lowered friction from a lack of SCA challenges will likely translate into more sales.
Despite the increased protection that SCA offers, European e-commerce merchants have seen fraud rates rise as much as 350 percent. This does not mean that SCA has been a failure: fraud in general increased because of the influx of new shoppers during the pandemic, and it's possible that if SCA had not been implemented the figure could have been far higher.
Fraudsters are smart, and for many their sole source of income is digital crime, so it’s hard to see how introducing an extra element of friction in the form of SCA would make them quit what is often one of the few ways to make a good living in poor countries. This means that SCA should be seen as one of many systems that a merchant should have in place if they want to reduce fraud on their e-commerce site.
Going Beyond Strong Customer Authentication
So, what are merchants’ options for building on the protection that SCA offers while keeping the payment process as frictionless as possible for legitimate customers?
The first is to understand the exemptions process and what level of protection is available to your company. If your fraud rate is already very low, then it might be possible to give your customers a better payment experience by exempting them from SCA. You will need to coordinate this with your acquirer, and may need to consider changing acquirers if your current payments partner can’t offer you enough exemptions (which would also be an indicator that they aren’t doing enough to stop fraud).
The second is to implement security technology that goes beyond SCA. There are a number of systems that use AI and machine learning to spot the signatures of fraud before it gets to the payment stage. Very few fraud attempts are carried out by a human being on a computer: it's just not economical to carry out one attack at a time when so many fail and the rewards tend to be in the low double digits. Instead, bot networks with increasingly sophisticated and humanlike behavior are used to carry out hundreds of automated attacks simultaneously. This is a powerful tool for fraudsters, but it is also one with a number of flaws, mainly that no matter how well made the bots are, they will always display tell-tale signs that they are machines. AI can spot these signs far quicker and with more accuracy than humans, and even when attacks break through, machine learning can be used to prevent them from happening again.
Lastly, there is more to fraud than malicious attacks. Ninety percent of merchants say that “cardholder abuse of the chargeback process” is a leading concern for their business. This abuse can be intentional—customers who received a product saying that they didn’t in order to get their money back—or it can be innocent, such as when customers don’t recognize a charge on their card statement and instead of looking into it they ask their card provider for a chargeback. It is possible to put systems in place that can dramatically reduce both malicious chargebacks and unintentional ‘friendly fraud’. Having robust order-tracking systems in place, for example, can cut down on chargeback claims from customers who think that their order has been lost when it is in fact running late.
What’s Next for Fraud Prevention?
The core of fraud prevention is not being satisfied with ‘good enough’. As we have seen, by itself SCA isn’t a silver bullet for fraud, but when combined with multiple anti-fraud systems and a focus on learning more about current threats it can become part of a multi-factor solution.
SCA is just a start, and to keep up with the fraud ecosystem you will need to be continually evolving too.
Scott Dawson, Director of Operations at Pixxles, is a 20-year veteran of the payments and fraud industries. Previously, he was Commercial Director at payments provider Neopay, and has also served in fraud prevention roles at Click and Buy, PSI Holdings and Neteller. Pixxles is a bold new way for e-commerce merchants across the U.K. to accept online payments simply and securely from customers around the world. Its payment processing is effortless, its pricing is transparent, and its service is outstanding, providing value that is second to none.