Many merchants both within and outside of Europe are concerned with meeting Strong Consumer Authentication (SCA) requirements and how this might impact sales when nearly every eCommerce order over €30 will require two-factor authentication. A lesser known fact is that this order value threshold for requiring SCA increases in multiple tiers based on the fraud rates of both the acquiring and card issuing banks facilitating the transaction, suddenly making the fraud rates of a merchant’s European processors much more important.
Enforcement of SCA mandates under the second Payment Services Directive (PSD2) was pushed back until the end of 2020, and could be delayed further. Regardless, it is prudent for merchants to get ahead of these requirements and consider strategic changes to make in its anticipation.
These SCA mandates require two-factor authentication for most eCommerce orders over €30 with exceptions for recurring billings of the same amount and “one leg out” transactions, which refer to either the card issuer or the processor being outside of the European Economic Area or UK. 3-D Secure 2.0 meets these two-factor authentication requirements for payment card transactions, but merchants will still need to employ 2FA for bank account based and other alternative payment methods.
Many merchants outside of Europe are reaching consumers in the EU and UK through an acquirer or PSP based in Europe, and are therefore subject to SCA mandates. While 3-DS 2.0 satisfies these requirements for payment card transactions and causes considerably less friction than the original 3-DS protocol thanks to passive authentication and more mobile-friendly authentication mechanisms, many merchants are still unsure how a mass increase in use of 3-D Secure programs will impact sales.
One way to reduce this compliance burden and the frequency of using 3-D Secure is to process payments through an acquirer with a lower fraud rate. While €30 is the general threshold for requiring SCA, when both the card issuing bank and the processor have lower fraud rates, this threshold increases. This falls under what is known as the Transaction Risk Analysis (TRA) exemption. When both parties have fraud rates at or below the following limits, the order value thresholds that require SCA increase.
At or below fraud rates of 13 basis points (0.13%), SCA is not required on orders less than €100
At or below fraud rates of 6 basis points (0.06%), SCA is not required on orders less than €250
At or below fraud rates of 1 basis points (0.01%), SCA is not required on orders less than €500
Customers will use payment cards issued by many different banks, but merchants should focus on the aspects they can control. In this case that means processing through acquirers that can maintain fraud rates below these key thresholds in order to allow more of a merchant’s orders to circumvent SCA requirements. While traditionally merchants have only been concerned with their own fraud rates and not that of their acquirers across all merchant clients they underwrite, soon there will be benefits of having a processor that can keep fraud rates low across the board.
There are many considerations around implementation and meeting compliance requirements related to 3-D Secure and SCA. While this article only scratches the surface, The Fraud Practice’s professional online training course titled Understanding 3-D Secure, SCA and 3-DS 2.0 goes in to much greater detail.