Strong Customer Authentication
Jackie Long

Explaining strong customer authentication

Get to know the 5 W’s of SCA and how you can prepare for it in this quick read.

Most businesses have probably heard about PSD2 and Strong Customer Authentication (SCA). Any companies that sell goods online should especially be paying attention. The goal of these requirements is to reduce fraud for card-not-present transactions, but there seems to be disagreement about what the effects of the changes will be. So, let’s talk about SCA and discuss what we know about it.

What is it?

SCA is a method of verifying a customer using something they know, something they have, or something they are. This new directive requires companies to ensure that customers provide at least 2 of the 3 identification methods.

For example, a customer can verify their identity using a fingerprint on their mobile device (something they are and something they have). Or they can use a computer with a token along with a PIN (something they have and something they know). Or they can use another combination to reach the same result.

Why is it?

The intent of SCA is to protect both European Union consumers and banks by reducing the number of fraudulent purchases online. Card-not-present fraud has risen significantly in recent years, thanks in part to data breaches that have released a vast amount of financial data. The goal of SCA is to create a system with stronger verification and additional fraud prevention tools to combat this issue.

When is it?

The requirement for SCA is effective as of September 14, 2019. Companies need to ensure that any transactions after that date will utilize SCA if they go through an EU bank and/or involve an EU citizen.

Where is it?

It will be enforced for both EU citizens and customers as long as they are within the boundaries of the EU when the transaction takes place. All transactions going through EU banks and payment providers will also be subject to these rules. Companies that operate in other countries will not need to comply unless the transaction matches these circumstances.

Who is it?

Compliance is required for any company that does business in the EU, serves EU customers, or transacts with EU banks. Most of its implementation will fall on payment providers. However, ecommerce companies may be the ones impacted the most by the legislation.

How can your business prepare for SCA?

First, talk to your payment service provider (PSP). If you have customers who are in the EU or who use EU banks, you’ll need to ensure that your PSP will be compliant with the new rules. Ask questions about exemptions and find out what their workflow is. Whether they plan to use 3D Secure 2.0 or some other authentication system, you’ll want to familiarize yourself with the process and understand how it will affect your customers.

Keep your customers informed. If this will lengthen your checkout process, let customers know in advance and explain that this is for their protection. The more transparent you are with your customers, the more likely they are to trust you and keep coming back.

Find other ways to reduce your overall susceptibility to fraud. While this process is only required in the EU, your PSP may implement stronger authentication requirements all around the globe. By ensuring that you have a low fraud threshold overall, you can qualify for more exemptions and keep you and your customers protected.

Results from SCA will not be seen for a while, but it is probable that introducing this kind of friction to the conversion funnel will initially reduce the percentage of online transactions that are fully completed. However, the right implementation and communication could make this a better experience for your customers. The key is to balance fraud protection with an overall streamlined process. Examine your end-to-end funnel to see where friction can be reduced elsewhere to help make this a smooth transition for your business.
