Purpose

The European Union will adopt Strong Customer Authentication ( SCA ) for multi-factor authentication to help prevent online fraud and unauthorized access to consumers' accounts, ensuring that only consumers can make purchases using their own payment credentials.

Authentication Type

1. Something you (the customer) know, such as a password or PIN number (note that this does not include payment card information).

2. Things you own, such as smartphones or wearable devices.

3. What kind of person you are, such as fingerprint biometrics or facial scan.

Transactions that do not meet these requirements will be rejected unless the transaction qualifies for an exemption from certification.

Exemptions

1. Transactions initiated by merchants

This includes repeated purchases of the same amount from the same merchant, such as gym memberships and digital service subscriptions. An important caveat is that SCA certification is required for the first payment to the merchant. At this point, subscription services that are billed on a per-unit basis (such as subscriptions that incur varying amounts each month, an example being a utility bill) and various other types of “off-site” payments (such as crowdfunding) would not fall under this exemption.

2. Low transaction amount

Purchases under 30€ are not subject to SCA . However, once 5 transactions under 30 € have been completed or the total value of these transactions reaches 100 €, SCA validation will be required . At this point, the "Transaction Count" will be reset after SCA validation.

3. Trustworthy beneficiaries

Under this exemption, cardholders can ask their card issuer to “whitelist” a merchant so that future transactions do not require SCA to be applied . It is the card issuer’s responsibility to manage the whitelist for each cardholder. This exemption warrants careful consideration by merchants and their payment partners to ensure their frequent customers have the best payment experience possible.

Merchants, especially those that rely on card -on-file transactions, should work closely with payment partners to simplify the process for customers to add them to their whitelists.

4. Transaction Risk Analysis (TRA)

TRA is perhaps the most important exemption because it allows merchants to avoid SCA requirements if the merchant’s payment providers’ aggregate fraud rate (ie, the total fraud rate for all providers’ customers) is below a certain threshold .

For transactions under €100, the fraud threshold is 0.13% , for transactions between € 100 and € 250 it is 0.06% , and for transactions between € 250 and € 500 it is 0.01% . If a payment provider's fraud rates are below these thresholds, real-time risk analysis can be applied to the transactions to assess whether SCA certification should be applied.

5. Ensure corporate card payment security

Transactions made through a corporate card will not be subject to SCA if the corporate card is "on deposit" (for example, a travel agency that books airline tickets for its employees) or uses a virtual card number to make transactions .

It is important to note that applying the exemption is optional. The card issuer will be liable for fraud in all transactions that apply SCA, but when the exemption is included as part of EMV 3DS , the fraud liability will be borne by the payment provider (usually, ultimately the merchant) rather than the card issuer.

In addition, card issuers can make the final decision on whether to support and accept the exemption. Some foreign media predict that it is unlikely that all issuers will be ready to support every exemption before September 14 .

Influence

The new SCA regulations are of great significance to cross-border sellers and local European sellers. What is most directly related to sellers is that they affect buyers' payment experience.

That is, by introducing an extra step to complete a purchase, it adds barriers to successful purchases. While cart abandonment and reduced conversion rates are legitimate concerns, on the other hand, if SCA works as intended, it could potentially increase authorization rates while reducing fraud losses.

References