The deadline for compliance with the revised Payment Services Directive (PSD2) Strong Customer Authentication (SCA) mandate passed earlier this year, marking the start of a new era for payments authentication in Europe. All electronic payments — with the exception of certain low-value transactions — now require multifactor authentication (MFA) via the use of passwords, text-based codes or biometrics, and merchants and payment providers are still working to grasp the full scope of this new standard.
These new authentication measures are intended to counter evolving fraud threats, but they have introduced a layer of complication into everyday electronic payments. Balancing SCA requirements with seamless customer experiences has been a battle for businesses of all sizes, as friction-induced customer abandonment could counteract any potential benefits from mitigating fraud losses.
“Customer friction with authentication is one of the biggest complaints that we hear from merchants, banks and cardholders about SCA,” Nicole Jass, senior vice president of product at FIS, said in a recent interview with PYMNTS. “Anytime you introduce any level of friction in the checkout flow, there is concern around customer abandonment.”
SCA’s implementation may be well-intentioned, but merchants and payments providers have struggled to see the mandate’s value. Many have been turning to delegated authentication to help them seamlessly and securely handle this new requirement without frustrating customers.
The Ups And Downs Of SCA
SCA is meant to combat the dizzying array of schemes used to wage payments fraud, many of which entail bad actors exploiting unforeseen authentication system weaknesses to pose as legitimate users. Fraudsters can even be inadvertently grandfathered into new payment systems if they have managed to bypass security measures before such systems are put in place, Jass said.
“One of the biggest problems we ran into was that fraudsters would actually go and enroll the stolen credit card in [our payments authentication system],” she explained. “Fast-forward three or four years, where we have moved to automatic cardholder enrollment and risk-based monitoring, [and] we still see examples where the fraudster is able to take advantage of customer authentication tools through social engineering, [Internet Protocol address] spoofing and other account takeover tactics.”
A blanket MFA requirement such as SCA is designed to make each user play by the same rules without allowing fraudsters to sneak by on exceptions, but these one-size-fits-all regulations can come at a high price: customer convenience.
“The rules and regulations set forth by PSD2 are complex and require constant diligence to ensure full SCA compliance is met,” Jass said. “Merchants are trying to control the checkout experience as best they can in an effort [to] reduce cardholder abandonment.”
SCA regulations do permit merchants to take advantage of delegated authentication methods to control their checkout experiences and reduce customer friction. Many retailers that decide to take SCA compliance into their own hands are quickly shifting from traditional authentication factors like passwords to more seamless options like biometrics.
Delegated Authentication Strikes A Balance
Delegated authentication allows merchants to tackle user authentication themselves rather than rely on their payment providers’ verification methods. This enables them to better tailor their authentication methods to their customers’ preferences, thereby keeping friction to a minimum. Jass said biometric options are a particular favorite for merchants.
“Delegated authentication can be a great solution for [clients] looking to create that seamless approach to authentication,” she said. “With our authentication tools, we are helping our clients facilitate delegated authentication through the various mobile wallets, which then allows the merchant to take advantage of the biometrics that are available via the mobile wallet.”
Delegated authentication’s continued success does require some buy-in from issuing banks, Jass noted. Too much fraud could result in banks suspending their delegated authentication services, sending merchants back to square one when it comes to reducing customer friction.
“If issuing banks start to see an increase in fraud associated with delegated authentication transactions, they can easily opt out of the delegated authentication program, which will reduce merchants’ opportunities to offer superior authentication experiences,” she explained. “Issuers who are subjected to higher rates of fraud can be subject to penalties and fines by the national PSD2 regulators and even risk losing their banking licenses if the proper steps are not taken to ensure fraud is kept under control.”
It is therefore incumbent on merchants to make certain that their delegated authentication programs keep fraud in check. Failure to do so could see them relinquish their authentication control to issuers, which could ultimately cost them customers.
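The article's closing point is that a merchant running delegated authentication has to watch its own fraud rate before the issuer does. As an added, constructed example (not code from the article, FIS or PYMNTS), the Python below shows the kind of check that implies: compute a value-based fraud rate for transactions authenticated under the delegated channel over a trailing window, keep it separate from issuer-authenticated traffic, and flag the program when the rate crosses a threshold. The transaction records, the channel labels, the 90-day window and the 0.13% threshold are all assumptions of the example; the value-based definition of fraud rate follows the convention used for the PSD2 reference fraud rates, and the 0.13% figure is borrowed from those rates purely as an illustrative number.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List


@dataclass(frozen=True)
class Transaction:
    """One card-not-present transaction as a merchant's fraud team would log it.

    auth_channel: "delegated" when the merchant performed SCA itself (e.g. via a
    mobile-wallet biometric), "issuer" when the issuing bank challenged the cardholder.
    Both labels are assumptions of this example, not an industry standard.
    fraud: True once the transaction is confirmed fraudulent (e.g. a fraud chargeback).
    Amounts are kept in integer cents so rates are exact.
    """
    txn_id: str
    when: datetime
    amount_cents: int
    auth_channel: str
    fraud: bool


# Constructed sample data: a 90-day window ending 2021-06-30 starts on 2021-04-01,
# so the December 2020 fraud case is deliberately outside the window.
WINDOW_END = datetime(2021, 6, 30)
SAMPLE_TXNS: List[Transaction] = [
    Transaction("d1", datetime(2021, 5, 1), 400_000, "delegated", False),
    Transaction("d2", datetime(2021, 5, 15), 300_000, "delegated", False),
    Transaction("d3", datetime(2021, 6, 1), 200_000, "delegated", False),
    Transaction("d4", datetime(2021, 6, 10), 98_000, "delegated", False),
    Transaction("d5", datetime(2021, 6, 12), 2_000, "delegated", True),
    Transaction("i1", datetime(2021, 6, 5), 50_000, "issuer", True),
    Transaction("i2", datetime(2021, 6, 6), 50_000, "issuer", False),
    Transaction("old", datetime(2020, 12, 1), 100_000, "delegated", True),
]

# Illustrative threshold only: 0.13% is the lowest PSD2 reference fraud rate for the
# transaction-risk-analysis exemption; an issuer's actual cut-off for suspending a
# delegated authentication program is a contractual matter and is assumed here.
DEFAULT_THRESHOLD = 0.0013
DEFAULT_WINDOW_DAYS = 90


def in_window(txns: Iterable[Transaction], channel: str,
              window_end: datetime, window_days: int) -> List[Transaction]:
    """Select transactions on one authentication channel inside the trailing window."""
    window_start = window_end - timedelta(days=window_days)
    return [t for t in txns
            if t.auth_channel == channel and window_start <= t.when <= window_end]


def fraud_rate(txns: Iterable[Transaction], channel: str,
               window_end: datetime = WINDOW_END,
               window_days: int = DEFAULT_WINDOW_DAYS) -> float:
    """Value-based fraud rate: fraudulent value / total value for the channel and window.

    Returns 0.0 when there is no volume, so an idle channel is never flagged.
    """
    scoped = in_window(txns, channel, window_end, window_days)
    total = sum(t.amount_cents for t in scoped)
    if total == 0:
        return 0.0
    fraudulent = sum(t.amount_cents for t in scoped if t.fraud)
    return fraudulent / total


def assess_program(txns: Iterable[Transaction],
                   window_end: datetime = WINDOW_END,
                   threshold: float = DEFAULT_THRESHOLD,
                   window_days: int = DEFAULT_WINDOW_DAYS) -> dict:
    """Decide whether the merchant's delegated authentication program needs attention.

    "pause" means the merchant should stop delegating and fall back to issuer-run SCA
    before the issuer opts the merchant out; "ok" means the rate is under the threshold.
    """
    txns = list(txns)
    delegated = fraud_rate(txns, "delegated", window_end, window_days)
    issuer = fraud_rate(txns, "issuer", window_end, window_days)
    return {
        "delegated_rate": delegated,
        "issuer_rate": issuer,
        "delegated_txn_count": len(in_window(txns, "delegated", window_end, window_days)),
        "action": "pause" if delegated > threshold else "ok",
    }


if __name__ == "__main__":
    report = assess_program(SAMPLE_TXNS)
    print(f"delegated fraud rate: {report['delegated_rate']:.4%} "
          f"over {report['delegated_txn_count']} transactions -> {report['action']}")
```

The split by channel matters: with the constructed sample, the issuer-authenticated traffic shows a far higher rate than the delegated traffic, yet only the delegated figure determines whether the merchant's own program is at risk of suspension. Measuring by value rather than by count mirrors how the reference fraud rates are defined, so a single large fraudulent transaction moves the figure more than many small ones.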