How ready for SCA are online businesses?
In 2018, Mastercard surveyed over 300 online merchants and found that 86% of those were not yet SCA compliant, while 75% weren’t even aware of the upcoming legislation.
A May 2019 study by 451 Research found that only 15% of businesses feel ‘extremely prepared’. While many of those who admit to being unprepared are small businesses, the readiness problem is more widespread. According to the research, only 19% of businesses with more than 5,000 employees feel extremely prepared, and only two in five businesses anticipate being SCA compliant prior to September 2019.
There are, at least, indications that online businesses are starting to take note - SCA was a major topic of conversation at fintech and payments events such as Merchant Risk Council London 2019 and Money 20/20.
The potential business impact of SCA
While more businesses are starting to wake up to the implications of SCA legislation, many are still putting measures in place.
Here are four potential long-term impacts of SCA:
1. Conversion rate drop off
For transactions that require authentication, the new legislation means additional steps during the checkout flow. Friction during checkout can greatly increase the likelihood of a potential end customer not completing a purchase. 69% of purchases were abandoned in 2019 and 27% of shoppers who did abandon a purchase did so because the process was ‘too long or complicated’.
While there are exemptions available for certain types of transactions and other general tactics that businesses can implement to reduce checkout friction, SCA will likely result in reduced conversion rates for businesses unable to balance the new security measures with a convenient checkout experience for end customers.
In India, similar legislation saw an ‘overnight’ conversion rate drop of 25% across all affected businesses.
2. The economic impact of SCA
The result of fewer end customers completing purchases due to the new authentication process is expected to have a knock-on effect on the European economy. European businesses stand to lose an estimated €57 billion in the first year after SCA implementation.
3. End customer reimbursements
According to the European Payments Council: “PSD2 foresees that the payer can claim full reimbursement from their PSP in case of an unauthorised payment if there was no SCA measure in place and if the payer did not act fraudulently.”
In practice, this means that where a merchant’s PSP (e.g. a card acquirer) chooses to either rely on an exemption (to not apply SCA) or does not implement SCA at all, they will be liable for any resulting fraud. Where SCA is applied, that liability can be shifted to the party applying SCA - that is, the payer’s PSP (e.g. the card issuer). Where a merchant forces its PSP (e.g. a card acquirer) to apply a specific exemption, there is nothing preventing the PSP and merchant agreeing where liability ultimately sits, and we expect that liability to be passed to the merchant themselves.
Card networks such as Visa have been hard at work updating their rules to reflect these liability provisions.
4. Demand on resources
In the short term, becoming SCA compliant will require product, legal, operations and finance teams in affected businesses to help implement changes. If merchants choose to communicate changes to end customers, it will also require marketing effort for messaging to resonate in the best possible way.
71% of businesses believe the resource burden for implementing SCA is ‘significant’.
How to implement SCA
Who is responsible for implementing SCA?
Businesses taking online payments are not directly responsible for meeting SCA. That responsibility falls to intermediary Payment Service Providers (assuming relevant online transactions fall under that provider’s remit) and to the banks.
To be more precise, the payer’s bank is responsible for ensuring transactions are SCA compliant (and denying transactions that aren’t compliant). To do that, it must collect the authentication information as prescribed in the SCA framework.
However, the bank needs somewhere to collect that information from, which is where the PSPs come in. They must capture the information securely, as part of the payment flow, and then securely pass that information on to the banks using the banks’ secure mechanisms for doing so. The banks then have the final say on whether that particular transaction is compliant.
Whilst it is the responsibility of the PSP to apply SCA, there can be practical difficulties given the degree of control one PSP may have over the activities or compliance of another PSP. Ultimately, each PSP has to ensure its own compliance which could, in some cases, lead to a more draconian approach being taken to SCA by a payer's PSPs than has necessarily happened in the past.
However, the impact of SCA that we have already outlined, including potential conversion drop offs, primarily falls on the shoulders of merchants.
Working with a PSP that is either prepared and proactive about SCA will be critical.
If you want to talk in more detail about SCA and the implications for your payments, we’d be happy to chat.
Updating your checkout flow
The process of complying with SCA means an extra step during the checkout flow. This will be the most obvious change your end customers will see. Depending on the payment method, this additional step may be very obvious or almost unnoticeable. For example, mobile payments already use fingerprint scanning or facial recognition to approve purchases, and these are acceptable ‘inherence’ authentication measures.
As we have already mentioned, SCA will primarily affect credit and debit card transactions. To update your checkout flows for card transactions, 3D Secure 2 (3DS2) - a widely supported method of compliant authentication has already been released.
In a recent article for Forbes, Jordan Mckee, Research Director at 451 Research pointed out that “merchants best able to integrate SCA into their checkout flow and effectively apply exemptions will separate themselves from the pack by minimizing customer impact.”
3D Secure 2
3D Secure (3DS) is a method of authentication first deployed by Visa, made for credit and debit card purchases completed online. End customers are required to provide a password in order to complete the payment transaction. Online businesses typically gain access to 3D Secure through a relevant PSP.
3D Secure 2 (3DS2) is a new version that will meet SCA requirements by introducing authentication requirements e.g. requiring end customers to input a one-time password/passcode or provide biometric authorisation.
The key goal for 3DS2 is to create ‘frictionless authorisation’ even in the face of additional security checks required by SCA. If the transaction is deemed exempt, 3D Secure 2 should bypass these checks. One key improvement compared to the original 3D Secure (3DS) protocol is the ability to carry out the necessary checks without redirecting away from the checkout page.
Potential problems of 3D Secure 2
The original 3D Secure (3DS) was fraught with problems for merchants, including the dreaded conversion drop because of the aforementioned redirects and perceived poor user experience. A study by Ravelin found that 22% of all transaction authenticated using 3D Secure are lost.
While the new version has been designed to minimise the original’s drawbacks, including a better user experience designed for smartphone users, it will require a wider rollout to evaluate whether it has been successful.
3DS2 support and consumer recognition
3D secure 2’s success in managing SCA conversion concerns will hinge on its adoption by both banks and end customers. Despite the impending implementation of SCA, a number of banks have yet to start supporting the 3DS2 protocol.
As for end customers, usage of the original 3DS protocol has been limited in Europe. According to PYMNTS, by late 2017, only 50% of end customers are enrolled and only 25% of transactions are verified.
SCA Regulatory Technical Standards (RTS)
The Regulatory Technical Standards (RTS) of SCA set out the full specifications of exactly what SCA covers and what is expected of all stakeholders. The final version was completed and distributed by the EU Commission in November 2018.
Your customers and SCA
While SCA will undoubtedly have an impact on your business, it will also be a noticeable change for end customers trying to make purchases online. How do they feel about it? Do they even care about added security? Do they know the changes are coming?
Consumer awareness of SCA
Balancing security and convenience
Regardless of awareness, will end customers be willing to lose some of the convenience of online shopping to accommodate the more extensive security checks of SCA? After all, Amazon’s 1-click ordering system was the convenient process that all other checkouts are compared to.
In a study of 4,000 customers across the UK, France, Germany and Spain were asked about their attitudes to both security and convenience when shopping online.
The survey also asked them questions on feelings about certain specific elements of the new SCA requirements, and how increased security at checkout would influence their buying behaviour.
The results uncovered a slight preference for security over conversion, with 58% of shoppers prioritising security.
However, when asked how they would feel if faced with complex security procedures when shopping only, the majority (54%) said they would feel either suspicious or frustrated. Only 39% said they would feel safer.
The survey also showed that attitudes to security and actual buying behaviour may be very different. 41% of those surveyed had previously abandoned an online purchase that was too complex, and nearly a quarter (24%) would go as far as to shop less with their favourite brand if the purchase involved added security measures.
This dissonance in attitudes suggests that what end customers think and how they act are different. They may react positively to the idea of added security, but their actual behaviour, when confronted with SCA, could be very different.
Communicating SCA to your end customers
In the wake of 2018’s GDPR legislation, many end customers saw a barrage of emails from companies informing them of changes to privacy policies. The combined effect was poorly received by end customers and many of the emails were even illegal under GDPR.
The point here is that communicating any major changes to your end customers is fraught with its own set of problems. If you don’t communicate these changes, will they be confused when changes do take effect? If you do communicate SCA, will this create unnecessary concern? It’s also very difficult to communicate the exact nature of any changes when you’re still in the process of implementing new checkout flows and authorisation processes.‹ View table of contents Next page ›