31 Mar How Strong Customer Authentication works
The quote, “Events, dear boy, events,” often attributed to former British Prime Minister Harold Macmillan when asked to define the greatest challenge a leader, industry or organisation may face, encapsulates the situation businesses and the financial sector found themselves in 2 years ago.
The rapid acceleration towards card, contactless and online payments because of the Covid-19 pandemic heightened the opportunity for online fraud, with criminals adapting their methods to take advantage of the jump in remote working and the increase in online shopping.
Criminals’ exploitation of this unprecedented situation reflects the necessity of Strong Customer Authentication (SCA), which requires multi-factor authentication, for both customer and merchant. Implementing 3D Secure is a key way for merchants to comply with the SCA requirements.
We look at its history and how it works to protect your business and customers.
3D Secure (3DS)
The purpose of 3D Secure 1.0
3DS was developed at the end of the 90s and implemented over the following decade. Its purpose was to limit card-not-present transactions as e-commerce grew more popular by adding an extra layer of protection to transactions: the cardholder was directed to a new webpage to complete an authentication challenge with a passcode or password.
Since the authentication step took place on a separate webpage, merchants did not collect cardholders’ 3DS passwords and liability for authenticating transactions was the responsibility of the card-issuing bank.
Limitations of 3D Secure 1.0
However, 3D Secure had a number of limitations, leading to modest uptake and significant cart abandonment issues.
The additional authentication steps, the need to remember additional passwords and the redirect away from the merchant’s website all affected online shoppers.
As well as this, the banking and financial sector has changed significantly since 3DS was initially developed. Mobile commerce was non-existent when 3DS was designed for desktop-based web browsers – over 87% of UK adults now own a smartphone – and the arrival of new online payment options has revolutionised the industry and how we make transactions.
Given these drawbacks, technological advancements and limited uptake, 3D Secure 2.0 was developed to address these issues.
3D Secure 2.0
3D Secure 2.0 creates an improved user experience by eliminating the webpage redirect issue, offers better authentication processes with far more data points verifying transactions, and can be supported on all kinds of devices as well as being integrated with mobile wallets.
Merchant support of 3DS should ensure readiness for online transactions and avoid or reduce declines after Strong Customer Authentication (SCA) is implemented.
Strong Customer Authentication (SCA)
To increase the security of electronic payments, Strong Customer Authentication (SCA) ensures that electronic payments are performed with multi-factor authentication.
Strong Customer Authentication in action
It requires cardholder data from at least two of the following categories to be provided during the authentication process:
Exemptions and risk-based authentication
Depending on the risk, amount and channel, SCA exemptions may be applied by acquirers and banks to balance fraud reduction with frictionless online shopping experiences.
The exemption on payments under €30 allows payment providers to avoid applying SCA for online payments under that value, up to a certain cumulative limit. Low-risk transactions, recurring payments and whitelisted merchants can also be exempt from the SCA challenge.
It is important to note that whoever requests the SCA exemption bears the fraud liability risk.
You can find more on this and exemptions on our SCA FAQ page.
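The low-value exemption described above, sketched as an added example (not code from this page or from any payment provider). The €30 threshold is the page's; the cumulative limits of €100 and five payments since the last SCA are the figures from the PSD2 technical standards and are an assumption here, all names are hypothetical, and a challenge is assumed to complete successfully and reset the counters.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LowValueLimits:
    """Limits in euro cents. Only the per-payment value comes from the page."""
    per_txn_cents: int = 3000       # page: payments under EUR 30
    cumulative_cents: int = 10000   # assumption: EUR 100 since the last SCA
    max_count: int = 5              # assumption: 5 exempt payments since the last SCA


@dataclass
class CardState:
    """Running totals of exempted payments since the last SCA challenge."""
    exempt_total_cents: int = 0
    exempt_count: int = 0


def decide(state, amount_cents, limits=LowValueLimits()):
    """Return 'exempt' or 'challenge' for one payment and update the counters."""
    if amount_cents <= 0:
        raise ValueError("amount must be positive")
    over_single = amount_cents >= limits.per_txn_cents
    over_total = state.exempt_total_cents + amount_cents > limits.cumulative_cents
    over_count = state.exempt_count + 1 > limits.max_count
    # Conservative reading (assumption): challenge if either counter would be exceeded.
    if over_single or over_total or over_count:
        # SCA is applied, so the cumulative counters start again from zero.
        state.exempt_total_cents = 0
        state.exempt_count = 0
        return "challenge"
    state.exempt_total_cents += amount_cents
    state.exempt_count += 1
    return "exempt"


def run(amounts_cents, limits=LowValueLimits()):
    """Replay a sequence of payments on one card and collect the decisions."""
    state = CardState()
    return [decide(state, a, limits) for a in amounts_cents]


# Constructed sample: payment amounts in cents for a single card.
SAMPLE = [2500, 2500, 2500, 2500, 1000, 500, 4500, 2999, 3000]

if __name__ == "__main__":
    for amount, decision in zip(SAMPLE, run(SAMPLE)):
        print(f"{amount / 100:7.2f} EUR -> {decision}")
```
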
Risk based authentication also allows the issuing bank to decide whether to approve the transaction depending on the data and information it has by considering:
- The cost of the transaction.
- Whether the customer has purchased from the merchant before.
- The customer’s transaction history.
- The customer’s behavioral history.
- Information about the customer’s device.
The transaction may therefore be approved without the SCA challenge if there is enough information to verify the transaction.
Merchants and customers to feel the benefits of SCA
While, as with any new technology and systems, it may take time for merchants and customers to become familiar with the SCA process, it will enable a better customer experience across all payment devices and channels.
SCA will lead to:
- increased consumer confidence in e-commerce environments, encouraging greater numbers to buy online
- a reduction in fraud and chargebacks, and fraud-related liability protection for merchants when SCA is applied to a transaction
- improved user experience, with better data flow and use of exemptions allowing for potentially fewer authentication challenges, resulting in reduced cart abandonment rates