• Paul Adams, Head of Acquiring at Barclaycard Payments


• 19.10.2021 06:15 pm
#Authentication #Transaction #Payment

From 14 March 2022, Strong Customer Authentication (SCA) will become a mandatory requirement for online payments in the UK, meaning that consumers will no longer be able to check out using just their credit or debit card details. Instead, they will need to provide an additional form of identification, such as a PIN code, a fingerprint or a passcode sent to their mobile phone. 

It’s vital not to think about SCA as something that will be switched on overnight on 14 March – in fact, SCA has already started. Since June this year, credit and debit card issuers started ramping up their use of the new authentication controls, to test and learn how consumers respond to the new process. In addition, they are obligated to gradually decline non-compliant transactions leading up to March. Therefore, while merchants absolutely need to be ready before 14 March, the sooner they prepare for SCA to become the new normal, the better they can protect their businesses.  

UK businesses have also been gifted with two opportunities to give themselves the best chance of being ready on time. The first is that the original deadline for full roll-out was extended due to Covid-19, giving businesses extra valuable preparation time. The second is that the change has already come into effect in the European Economic Area (EEA), allowing the UK to benefit by witnessing how their counterparts in mainland Europe have adapted. 

So, what steps should businesses be taking, and what can we learn from the European rollout?  

1. Start using an upgraded version of 3D Secure (or “3DS”), but use it wisely

Firstly, if they haven’t already, merchants need to upgrade to at least version 2.1 of 3DS – the technology used to allow banks to authenticate customers when shopping online with credit or debit cards. The latest version offers significant improvements over the legacy version, as it’s designed to be easy to use by those shopping on a mobile device, such as a phone app or tablet. It also allows the card issuer to, over time, collect more accurate data and prevent fraud more effectively, streamlining the payment process.   

However, by design, two-factor authentication adds friction into the customer journey. Automatically routing all transactions through 3DS may therefore result in higher basket abandonment rates and fewer purchases.

Our advice is to use 3DS selectively, only for those transactions which require it, such as those with higher fraud risks. Some payment providers can help merchants distinguish between the transactions that do and don’t require two-factor authentication (see below), in order to reduce unnecessary friction.

Upgrade to 3D Secure is a complex change and it’s not something that can be left until the last minute. 

2. Take advantage of SCA exemptions

The regulators recognise that certain types of low-risk transactions should be able to benefit from a low friction experience. They are exempt from two-factor authentication. Businesses need a clear strategy to take advantage of these “exemptions” wherever possible. By routing only the necessary transactions for additional authentication, businesses can optimise the payment experience for customers, while maintaining an effective fraud prevention for higher-risk transactions. In order to do that, merchants need to be clear on which exemptions they ought to use, and work with their Acquirer and gateway partners to deliver them. 

Lack of clarity about the approved exemptions have led many European merchants to take an overly cautious approach, resulting in many transactions being routed through SCA authentication conservatively, and adding unnecessary friction to the customer journey.  

To help businesses to not only be ready, but also to optimise changes that have neem initiated by SCA, Barclaycard Payments launched Barclaycard Transact, a suite of tools designed to improve payment acceptance and protect merchants from fraud. Transact was delivered by Barclays Cubed, a next-generation commerce platform that uses sophisticated digital and data technology to enable secure, frictionless and seamless interactions between the bank’s millions of digitally-engaged customers and thousands of SME and corporate clients.

3. Flag transactions correctly

Merchants should not assume ‘out-of-scope’ transactions, such as Mail Order Telephone Order (MOTO) and Merchant Initiated Transactions (MIT), would remain unchanged. There have been an array of schemes and mandates introduced by the likes of Visa and Mastercard to facilitate compliance. Some are not so straightforward. Unless they are signposted correctly, credit or debit card issuers may misinterpret them to require SCA authentication, which could result in the transaction being unnecessarily declined. Top UK banks expressed that incorrect ‘out of scope’ indication is estimated to be their leading cause for declines if merchants do not take corrective actions urgently. Merchants need to work with their payments providers to ensure that their transactions are signposted appropriately, to ensure an effective strategy for adapting to the new SCA requirements.

As credit and debit card issuers continue to ramp up their SCA activity ahead of the deadline for full roll-out in March, merchants need to take every opportunity to prepare themselves, or they’ll risk damaging both their customer experience, and their bottom line through lost revenue. SCA should be a business-critical priority for eCommerce – those who underestimated the complexity of these preparations will not thank themselves in March!