SCA: It’s the Final Countdown
- Miriam Zriniova, Authentication and Fraud Product Manager at Worldline
- 08.03.2022 02:45 pm #Authentication #Fraud
- Miriam joined the company in 2014 and has over 14 years of experience in the payments industry. Previously, she worked in the retail sector as a crime and shrinkage analyst for Argos. She is currently responsible for delivering Worldline’s 3DS v2 and fraud management solutions. By defining the strategy, analysing the marketplace and managing the timely execution of Go To Market plans, Miriam succeeded in reducing the fraud rates for all Worldline’s merchants. When she is not fighting against online fraudsters, you’ll find Miriam playing handball in the Belgian league and fostering kittens in need.
The UK is the last country in Europe to adopt Strong Customer Authentication (SCA). The journey was long, with multiple extensions of the deadline, but we’re finally at a point where the UK can implement the rules. When successfully adopted, it will benefit both merchants and their customers with less fraud, fewer chargebacks, higher acceptance rates and an overall smoother checkout process for all parties involved.
First, some background information. In 2016, all European Union (EU) countries (including the UK, which was still part of the EU at the time) agreed to a directive known as Payment Services Directive 2 (PSD2). One of the most crucial elements of this directive was the need for SCA - multi-factor authentication for electronic payments. In short, to complete an online transaction, customers will need to authenticate with two of the following: PIN or password, phone, and fingerprint or facial recognition.
SCA has been implemented in Europe since January 2021. This means that UK businesses can learn from their European neighbours and successfully adopt the new directive before it begins to impact their sales. For example, we have seen that declined transactions increased by an average of 25%, usually because SCA wasn’t requested by the merchant. With that in mind, the final deadline in the UK is set for 14th March, so the time to act is now.
From the enforcement day, every transaction that isn’t ‘flagged’ properly will be ‘soft declined’. This means that instead of completely rejecting the transaction, it will be temporarily declined until the merchant re-submits it with the information required.
Learning from past experience
Fortunately, since European merchants have been working with PSD2 for over a year, many of the problems with 3DS v1 (the main protocol used to perform SCA) have been ironed out.
The first version of 3D Secure, which was rolled out as far back as 2002, led to an increase in cart abandonment. Customers were unsure whether the window that popped up asking for personal details was authentic. The window also displayed incorrectly on mobile browsers, which is particularly problematic when an increasing amount of eCommerce is taking place on mobile devices, estimated at 73% last year.
All major card schemes announced that 3DS v1 will be decommissioned in October of 2022. Since 2019, merchants have been able to use a newer version, 3DS v2, and we would strongly advise UK-based merchants to implement it too.
Using the new regulations to your advantage
The second version comes with a major update to the 3DS protocol that incorporates the feedback from merchants and issuers on the first version. It allows merchants to send multiple parameters to issuing banks which will lead to an improved shopping experience for the customer.
One of the most significant updates is ‘Frictionless Flow’, a new system that aims to make payments much quicker and easier. By determining the risk of a transaction (its value, whether the customer is new, if they are making an order from a new device or sending it to a new address), the system can allow customers to bypass SCA. This significantly improves the shopping experience without compromising on safety and security.
In most cases, when the cardholder disputes a charge on their card (on the basis that it is fraudulent), merchants must refund the loss. When 3DS v2 is applied, merchants shift the liability for fraudulent transactions to the issuing bank, unless an acquirer exemption is applied.
In addition, sellers can customise the SCA challenge flow to avoid the pop-ups and redirects that caused shopping cart abandonment in 3DS v1. 3DS v2 is also better optimised for mobile devices and allows for ‘non-payment authentication’, where a customer’s eWallet can handle authentication through a fingerprint or facial scan.
Finally, merchants can also flag transactions to acquirers that require an exemption from SCA. If the total amount is £25 or lower, the transaction can be exempted, and merchants can agree their own rules with acquirers on what counts as a low-risk transaction. By putting in place an SCA strategy with exemptions, flags and additional data points sent to the issuing bank, online retailers will maximise their conversion rates and improve revenue.
Conclusion
As SCA is a mandatory requirement, all merchants will need to comply with the regulations. However, merchants can’t be expected to monitor every order to decide which ones require exemption. Although some companies are reluctant to make a major change to their payment process, such investment will be necessary sooner rather than later. Not to mention, merchants who made the switch are already experiencing lower declines and reduced fraud.