Customer authentication has become critical as more and more of the world’s economy moves online, with digital banking, eCommerce and other web-based transactions forming an ever-larger share of the global money flow. The United States Census Bureau found that eCommerce, for example, had risen to 16 percent of total retail sales in Q2 2020, up from just 0.6 percent in 1999. This share is expected only to grow further in the wake of the pandemic, and each digital transaction must be authenticated and secured, lest fraudsters swindle merchants and customers out of their money and data.
Securing these transactions using customer verification and authentication is a high priority for governments as they work to protect their citizens and economies from fraudsters. One such example is the European Union’s Strong Customer Authentication (SCA) requirement, which went into effect this year and aims to ensure that merchants, payment providers and other entities are using robust customer authentication measures. Meeting the regulation’s standards is easier said than done, however, and businesses must confront several obstacles to ensure that they are in compliance.
The following Deep Dive explores the fraud threats that led to the institution of SCA, the measures necessary to satisfy its requirements and the challenges businesses must meet to ensure compliance.
How Fraud Forced The EU’s Hand
Untenable increases in payment fraud over the past decade have led to SCA’s implementation, with global losses more than tripling from $9.8 billion in 2011 to $32.4 billion last year. Many of these fraud instances occur when bad actors steal customers’ identities or invent fake ones, with the latter practice — synthetic identity fraud — being notoriously difficult to catch because there is no victim reporting a stolen identity. These issues appear to be pervasive too, as more than half of all Europeans are concerned about their identities or personal data being stolen or misused by cybercriminals. Twenty-four percent fear that their bank account or payment card details will be hijacked.
The risk of identity fraud has grown more pronounced over the past year due to the pandemic as well as surges in online and card-not-present (CNP) transactions as consumers shop from home more frequently. PYMNTS’ research revealed that more than 72 percent of consumers now use credit cards when they shop online, but this activity can also open them up to various fraud types, including identity theft or phishing. Experts predict that payment fraud losses could hit $40.6 billion by 2027, for example, a 25 percent increase over 2020.
This well-founded fear of fraud has forced the EU to step up its authentication standards for merchants, financial institutions (FIs) and other payments companies. Some businesses are finding these new measures particularly difficult to meet, however.
How Merchants Can Respond To SCA’s Game-Changing Nature
SCA requires most merchants, card issuers, banks and other players in the financial and retail spaces to require two-factor authentication (2FA) for purchases over a certain amount. Transactions of less than €30 (approximately $36) are typically exempt, but authentication can be required for low-value transactions if a customer makes five or more that exceed a total value of €150 (approximately $179) within a short time frame. This authentication can involve two of the following: a password, a code sent to a customer’s smartphone or a biometric, like a fingerprint.
This new authentication requirement may be effective in reducing fraud rates, but not all verifications are created equal. Biometrics can be fast and seamless, but many companies are largely relying on either passwords or text codes due to their banks’ or payment providers’ limitations, both of which can result in friction-filled customer experiences. A customer might have a weak cellphone signal at the checkout counter, for instance, or an online purchase might require a physical card reader that a customer does not have handy.
Encouraging more widespread adoption of seamless authentication methods like biometrics could be accomplished using delegated authentication, a facet of SCA that allows merchants to take customer verification into their own hands rather than relying on their banks’ existing protocols. This means that merchants can not only independently explore verification options like biometrics but also organically fold these options into their point-of-purchase operations and potentially boost sales.
Delegated authentication can also confer other benefits on merchants and issuers, as kicking verification to the latter often adds an extra step into the checkout process for customers, thus creating friction that could result in cart abandonment. Keeping SCA responsibilities in-house prevents merchants from routing customers to issuers’ domains, giving retailers more control over the experience and sparing issuers from taking on the task.
SCA is here to stay in Europe despite the challenges it brings for retailers, eCommerce marketplaces and other merchants. Delegated authentication could offer one way for merchants as well as their issuers and acquirers to mitigate these obstacles and even thrive within the new authentication paradigm.