Global e-commerce can be tough, particularly when merchants need to keep pace with continually evolving rules and regulations. Take, for example, Europe’s new Strong Customer Authentication (SCA) rules that were approved in March 2018 as part of the second Payment Services Directive (PSD2) and originally scheduled to take effect September 14, 2019.
These rules outline new requirements in Europe for authenticating online payments, with a straightforward goal: to reduce e-commerce fraud and increase the security of online transactions by requiring strong customer authentication for transactions of more than €30.
However, although SCA was originally intended to go into effect on September 14, 2019, the implementation will now be phased in over the next 18 months. And that’s not necessarily a good thing.
Although merchants may think they now have ample time to develop a strategy to comply with SCA, the delay may actually increase the risk of fraud.
Here’s what every merchant needs to understand about the new SCA rules.
SCA aims to improve e-commerce security by requiring that checkout processes include at least two of these authentication factors:
To ensure the security of SCA, the European Banking Authority has established regulatory technical standards (RTS) that require each element of SCA to be independent of the other. This means that even if one element of an SCA transaction is compromised, the other elements will still be secure.
Additionally, each transaction authentication code is dynamically linked to both a transaction amount and payee. If either is changed, the authentication code is invalidated.
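The dynamic linking described above can be sketched as a keyed MAC over the amount and payee. This is an added illustration, not code from the RTS or from any payment provider: HMAC-SHA256, the field encoding, and all names and sample values are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal


def _canonical(amount: str, currency: str, payee: str, nonce: bytes) -> bytes:
    """Encode the linked fields unambiguously (hypothetical format)."""
    # Normalise the amount so "49.9" and "49.90" are the same transaction.
    cents = Decimal(amount).quantize(Decimal("0.01"))
    fields = [str(cents).encode(), currency.upper().encode(), payee.encode(), nonce]
    # Length-prefix each field so bytes cannot shift between amount and payee
    # and still produce the same MAC input.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def issue_code(key: bytes, amount: str, currency: str, payee: str):
    """Issuer side: create a one-time code bound to this amount and payee."""
    nonce = secrets.token_bytes(16)  # makes every code unique per transaction
    msg = _canonical(amount, currency, payee, nonce)
    return nonce, hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_code(key: bytes, amount: str, currency: str, payee: str,
                nonce: bytes, code: str) -> bool:
    """Recompute the code from the transaction actually being executed."""
    msg = _canonical(amount, currency, payee, nonce)
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, code)  # constant-time comparison


def demo() -> dict:
    key = secrets.token_bytes(32)          # constructed issuer secret
    payee = "MERCHANT-EXAMPLE-001"         # constructed payee identifier
    nonce, code = issue_code(key, "49.90", "EUR", payee)
    return {
        "unchanged": verify_code(key, "49.90", "EUR", payee, nonce, code),
        "amount_changed": verify_code(key, "499.00", "EUR", payee, nonce, code),
        "payee_changed": verify_code(key, "49.90", "EUR", "OTHER-PAYEE-002", nonce, code),
    }


if __name__ == "__main__":
    print(demo())
```

Because the verifier recomputes the code from the amount and payee it is about to execute, a code approved for one payment cannot be replayed against a modified one.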
The RTS also sets minimum requirements for the interface between banks and third-party service providers to increase the security around accessing account information.
All contactless in-person card payments and customer-initiated online payments — including credit card payments and bank transfers — will be subject to SCA rules when both the business and the cardholder’s bank are located in the European Economic Area. Once SCA goes into effect, banks will begin declining payments that require SCA but don’t provide these two authentication factors.
As the September 14 implementation date drew near, it became clear that many retailers had not yet established the necessary procedures to comply with SCA — and the European Banking Authority was concerned this would create large-scale issues with payment processing. In fact, Andrew Cregan, the payments policy advisor for the British Retail Consortium, estimated that up to 30% of e-commerce transactions made after September 14 would likely fail.
The scope of the problem was enormous: The EU stood to lose an estimated €57 billion (US $63.9 billion) in purchase volume in the first year alone due to noncompliance.
As a result, in August 2019, the Financial Conduct Authority announced they would delay the implementation of SCA by 18 months. The new phased implementation of SCA is expected to help minimize disruption in online transactions while also ensuring all players in the payment chain have the time and resources to implement the technical fixes needed.
While e-commerce merchants might breathe a sigh of relief at the prospect of being able to delay the SCA implementation, fraudsters are likely ready to take advantage of the delay and continue their sophisticated schemes.
These fraudsters have an uncanny knack for identifying and leveraging vulnerabilities in the e-commerce payment chain, and the 18-month delay of SCA provides the perfect opportunity to step up their efforts to take advantage of known weak spots in the online checkout process.
E-commerce fraud activity is on the rise — fraud rings increased 26% between 2018 and 2019 — which means it’s never been more important for online businesses to improve their fraud prevention strategies at all stages of the customer buying journey. The SCA delay gives merchants the time needed to upgrade the checkout process and ensure they are meeting all new standards ahead of the new deadlines.
As merchants strive to comply with SCA, they must remember that not all fraud prevention methods are created equal.
For example, although one-time-use SMS passcodes are frequently used as an authentication method, these SMS messages are quite easily hacked by fraudsters.
Merchants must also understand that certain transactions are exempt from SCA, including direct debits, recurring payments where the first payment for the same amount and payee was authenticated through SCA, and transactions in which the payee is included in a list of trusted beneficiaries.
Just because SCA implementation has been postponed, merchants shouldn’t become complacent. Any business selling in Europe — and any business concerned about fraud and payment security overall — should proactively be looking for a fraud prevention solution capable of managing the unique risks of international sales, to pick up on even the most subtle indicators of fraud.
The experts at ClearSale do just that and more. With nearly 20 years of experience, ClearSale understands e-commerce fraud as few others can. Contact us today, and let us share our vision for e-commerce via our flexible solution that will protect your business in the ever-changing battle against fraud.