Authentication vs. Authorisation in the SCA era

By Shagun Varshney, Signifyd Senior Product Manager, Payment Optimisation, takes us through two different approaches to SCA, and what retailers can do to avoid the downsides of the new regulations.

Since its enforcement in the UK in March, Strong Customer Authentication (SCA), designed to protect consumers and reduce the number of fraudulent orders for merchants, comes with added complications when determining the most efficient and cost-effective way for retailers to process online orders.

Many of the questions and concerns surrounding the new SCA regulations have been about how the new consumer authentication regulation adds additional layers to transactions, causing friction and leading to lower conversions.

That’s not a trivial concern, however the positive effects of SCA shouldn’t be minimized. Moreover, merchants have the opportunity to eliminate the friction that SCA brings, which is good news The not so good news is that making those choices is a complicated matter.

The SCA impact on merchants

In the pre-SCA era, merchants didn’t worry about whether they should be seeking exemptions in the payment process and just how they’d best go about that. They were working in a world without exemptions. Optimisation was not a thing.

With SCA in place, the world has changed. 3D Secure, a protocol that facilitates authentication, has become the critical path to a successful transaction. But in the early going, 3D Secure has proven unsteady. Not all merchants, banks and payment processors are prepared and using the newest version of 3DS, a version that accommodates the exemption requests that are vital to a successful SCA strategy.

Now merchants need to understand whether the banks and processors they depend on are fully SCA-prepared or not. And if they are not, merchants need to be able to request SCA exemptions by processing orders along the authorization path.

In short: Today merchants need to be in the business of payment optimisation or live with the damage friction and cart abandonment cause their business.

How has SCA changed online shopping?

First, SCA calls on consumers to demonstrate that they are who they say they are. They can confirm their identity in two of three ways:

• Something they own (such as the device they used to buy).
• Something they know (such as a one-time passcode).
• Something they are (via biometrics, such as a fingerprint or retina scan).

The regulation also comes with a batch of exemptions. These exemptions and related exceptions, called exclusions, are generally available when an order meets certain criteria:

• The order is low-risk and low value.
• Both the merchant and its banks have kept fraud rates low and the transaction meets certain limits — order values below €100 or between €100 and €250 or €250 and €500 depending on how low the merchant and bank’s fraud rates are.
• The transaction is “out of scope.” These include phone or mail orders, prepaid card transactions and orders when the acquiring or issuing bank is outside of the European Economic Area.

Trusted beneficiary — if a consumer’s bank agrees to allow it. The trusted beneficiary exemption can be applied when a consumer expressly tells the bank that issued their credit card that they don’t want extra scrutiny applied when they are buying from specific merchants. Again, the issuing bank can refuse to allow the exemption.

Authentication or Authorisation?

Making this decision means knowing whether the banks that support an online purchase for the merchant and the customer’s card issuer are fully prepared for frictionless SCA. It also requires an understanding of SCA’s exemptions and the requirements for requesting an exemption to SCA. And it requires those insights for every individual order.

By understanding which payment flow — authentication or authorisation — best accommodates the transaction process for a given order, merchants can optimise the customer experience they provide, which increases conversions and the likelihood a consumer will return for a subsequent shopping trip.

Again, the backbone of authentication is 3D Secure. But, all 3D Secure is not the same. Older versions that have been in the market for years don’t allow merchants or banks to request exemptions. They always require a step-up, often requiring a shopper to click away from a merchant’s site to satisfy the authentication requirement. A newer version allows merchants and card-issuing banks to request exemptions. The newest version allows merchants, the merchant’s bank and card-issuing banks to request exemptions.

Unfortunately, a significant number of European banks have not yet upgraded to the newest form of 3D Secure, meaning consumers will face an authentication challenge when trying to buy, unless the merchant has requested an SCA exemption via the authorisation route.

The optimum strategy for merchants in the SCA era is to understand —through data — the history of transactions when it comes to individual banks and payment service providers. That way they know whether the authentication route will result in a friction-free approval — meaning 3D Secure along the payment processing path is fully optimised for requesting and accommodating exemptions. Or would the better route be to request exemptions through the authorization route?

All this means that merchants need to pay more attention to transaction data. They should get into the business of what is happening: Why was an order declined? What banks and payment processors were involved? They should be more demanding in asking for data from their banks and their payment service providers. They should ask for data and reports that show what orders are being declined and why. And they should consider working with partners who can readily marshal that kind of data and provide instant insights into the question: authentication or authorisation.

After all, optimising transaction flow is more important than ever in the SCA era. And you can only make an intelligent choice if you have the proper data to guide you.