Last editedApr 20236 min read
Everything you need to know about preparing for SCA and protecting your all-important conversion rates.
How ready for SCA are online businesses?
A May 2019 study by 451 Research found that only 15% of businesses felt ‘extremely prepared’. While many of those who admit to being unprepared are small businesses, the readiness problem is more widespread.
Research from Checkout.com now shows that in 2021, 90% of European issuers have completed their upgrades to 3DS2, the latest version of which is compliant with SCA.
With delays to the SCA deadline comes more time for businesses and issuers to prepare. However, as pointed out by Louise Beaumont, co-chair of the Open Banking Working Group, companies that require the extension to get their business ready may look like they’re not doing as much as those that are already compliant.
The potential business impact of SCA
While more businesses are starting to wake up to the implications of SCA legislation, many are still putting measures in place.
Here are four potential long-term impacts of SCA:
1. Conversion rate drop off
For transactions that require authentication, the new legislation means additional steps during the checkout flow. Friction during checkout can greatly increase the likelihood of a potential end customer not completing a purchase. 69.8% of purchases were abandoned in 2019 and 17% of shoppers who did abandon a purchase did so because the process was ‘too long or complicated’.
While there are exemptions available for certain types of transactions and other general tactics that businesses can implement to reduce checkout friction, SCA will likely result in reduced conversion rates for businesses unable to balance the new security measures with a convenient checkout experience for end customers.
2. The economic impact of SCA
The result of fewer end customers completing purchases due to the new authentication process is expected to have a knock-on effect on the European economy. Some reports suggested that SCA measures could block one-third of European transactions, with the cost to merchants in excess of €100 Billion.
3. End customer reimbursements
According to the European Payments Council: “PSD2 foresees that the payer can claim full reimbursement from their PSP in case of an unauthorised payment if there was no SCA measure in place and if the payer did not act fraudulently.”
In practice, this means that where a merchant’s PSP (e.g. a card acquirer) chooses to either rely on an exemption (to not apply SCA) or does not implement SCA at all, they will be liable for any resulting fraud. Where SCA is applied, that liability can be shifted to the party applying SCA - that is, the payer’s PSP (e.g. the card issuer). Where a merchant forces its PSP (e.g. a card acquirer) to apply a specific exemption, there is nothing preventing the PSP and merchant agreeing where liability ultimately sits, and we expect that liability to be passed to the merchant themselves.
Card networks such as Visa have been hard at work updating their rules to reflect these liability provisions.
4. Demand on resources
In the short term, becoming SCA compliant will require product, legal, operations and finance teams in affected businesses to help implement changes. If merchants choose to communicate changes to end customers, it will also require marketing effort for messaging to resonate in the best possible way.
How to implement SCA
Who is responsible for implementing SCA?
Businesses taking online payments are not directly responsible for meeting SCA. That responsibility falls to intermediary Payment Service Providers (assuming relevant online transactions fall under that provider’s remit) and to the banks.
To be more precise, the payer’s bank is responsible for ensuring transactions are SCA compliant (and denying transactions that aren’t compliant). To do that, it must collect the authentication information as prescribed in the SCA framework.
However, the bank needs somewhere to collect that information from, which is where the PSPs come in. They must capture the information securely, as part of the payment flow, and then securely pass that information on to the banks using the banks’ secure mechanisms for doing so. The banks then have the final say on whether that particular transaction is compliant.
Whilst it is the responsibility of the PSP to apply SCA, there can be practical difficulties given the degree of control one PSP may have over the activities or compliance of another PSP. Ultimately, each PSP has to ensure its own compliance which could, in some cases, lead to a more draconian approach being taken to SCA by a payer's PSPs than has necessarily happened in the past.
However, the impact of SCA that we have already outlined, including potential conversion drop offs, primarily falls on the shoulders of merchants.
Working with a PSP that is either prepared and proactive about SCA will be critical.
If you want to talk in more detail about SCA and the implications for your payments, we’d be happy to chat.
Updating your checkout flow
The process of complying with SCA means an extra step during the checkout flow. This will be the most obvious change your end customers will see. Depending on the payment method, this additional step may be very obvious or almost unnoticeable. For example, mobile payments already use fingerprint scanning or facial recognition to approve purchases, and these are acceptable ‘inherence’ authentication measures.
As we have already mentioned, SCA will primarily affect credit and debit card transactions. To update your checkout flows for card transactions, 3D Secure 2 (3DS2) - a widely supported method of compliant authentication has already been released.
3D Secure 2
3D Secure (3DS) is a method of authentication first deployed by Visa, made for credit and debit card purchases completed online. End customers are required to provide a password in order to complete the payment transaction. Online businesses typically gain access to 3D Secure through a relevant PSP.
3D Secure 2 (3DS2) is a new version that will meet SCA requirements by introducing authentication requirements e.g. requiring end customers to input a one-time password/passcode or provide biometric authorisation.
An even more recent version, 3D Secure 2.2, has now been released. The key difference between 2 and 2.2 is the ability for merchants to request exemptions through their acquirer and for delegated authentication to take place.
The key goal for 3DS2 is to create ‘frictionless authorisation’ even in the face of additional security checks required by SCA. If the transaction is deemed exempt, 3D Secure 2 should bypass these checks. One key improvement compared to the original 3D Secure (3DS) protocol is the ability to carry out the necessary checks without redirecting away from the checkout page.
Potential problems of 3D Secure 2
The original 3D Secure (3DS) was fraught with problems for merchants, including the dreaded conversion drop because of the aforementioned redirects and perceived poor user experience. A study by Ravelin found that 22% of all transactions authenticated using 3D Secure were lost.
While the new version has been designed to minimise the original’s drawbacks, including a better user experience designed for smartphone users, it will require a wider rollout to evaluate whether it has been successful.
3DS2 support and consumer recognition
3D secure 2’s success in managing SCA conversion concerns will hinge on its adoption by both banks and end customers. Despite the impending implementation of SCA, a number of banks have yet to start supporting the 3DS2 protocol.
As for end customers, usage of the original 3DS protocol has been limited in Europe.
Globally, an average of 16% of payments use 3DS2. Europe lags behind at 13% although there’s a higher authentication rate.
SCA Regulatory Technical Standards (RTS)
The Regulatory Technical Standards (RTS) of SCA set out the full specifications of exactly what SCA covers and what is expected of all stakeholders. The final version was completed and distributed by the EU Commission in November 2018.
Your customers and SCA
While SCA will undoubtedly have an impact on your business, it will also be a noticeable change for end customers trying to make purchases online. How do they feel about it? Do they even care about added security? Do they know the changes are coming? You can read an in-depth analysis of customer reactions to SCA here.
Consumer awareness of SCA
Banks have begun to communicate SCA to businesses, but have yet to really communicate the changes to the end consumer.
Balancing security and convenience
Regardless of awareness, will end customers be willing to lose some of the convenience of online shopping to accommodate the more extensive security checks of SCA? After all, Amazon’s 1-click ordering system was the convenient process that all other checkouts are compared to.
In a study of 4,000 customers across the UK, France, Germany and Spain were asked about their attitudes to both security and convenience when shopping online.
The survey also asked them questions on feelings about certain specific elements of the new SCA requirements, and how increased security at checkout would influence their buying behaviour.
The results uncovered a slight preference for security over conversion, with 58% of shoppers prioritising security.
However, when asked how they would feel if faced with complex security procedures when shopping only, the majority (54%) said they would feel either suspicious or frustrated. Only 39% said they would feel safer.
The survey also showed that attitudes to security and actual buying behaviour may be very different. 41% of those surveyed had previously abandoned an online purchase that was too complex, and nearly a quarter (24%) would go as far as to shop less with their favourite brand if the purchase involved added security measures.
This dissonance in attitudes suggests that what end customers think and how they act are different. They may react positively to the idea of added security, but their actual behaviour, when confronted with SCA, could be very different.
Communicating SCA to your end customers
In the wake of 2018’s GDPR legislation, many end customers saw a barrage of emails from companies informing them of changes to privacy policies. The combined effect was poorly received by end customers and many of the emails were even illegal under GDPR.
The point here is that communicating any major changes to your end customers is fraught with its own set of problems. If you don’t communicate these changes, will they be confused when changes do take effect? If you do communicate SCA, will this create unnecessary concern? It’s also very difficult to communicate the exact nature of any changes when you’re still in the process of implementing new checkout flows and authorisation processes.