Building an SCA exemption strategy that still protects against fraud
By now, businesses across Europe — and many beyond — are familiar with Strong Customer Authentication (SCA). The protocol, introduced to help combat rising online fraud, has been successful. EU member states have seen issuer fraud rates have dropped by 50% while acquirer fraud levels dropped 40% both between December 2020 and April 2021.
And, with card-not-present fraud cost ecommerce businesses an estimated $33.5 billion globally, it is more important than ever to consider fraud-fighting protocols and how they can address fraud rates.
Your business will need to be active in implementing up-to-date protocols. But, any long-term growth strategy will have to consider their customer’s experience at the checkout or risk losing sales.
So, 12 months on from the PSD2 SCA mandate coming into force in Europe, how can you use SCA exemptions to optimize conversion and authorization rates, yet also reduce fraud.
What are SCA exemptions?
Not every transaction requires SCA. Under PSD2, transactions that are considered to be low-risk don't have to be authenticated. As many as 40-50% of ecommerce transactions by volume could be exempt from SCA if certain criteria are met, according to Visa Europe estimates.
The four main exemptions for ecommerce businesses are
- Transaction Risk Analysis (TRA): When transactions are considered to have a low fraud risk based on the average fraud level of the payment provider and bank processing the transaction.
- Low-value transactions: For payments less than €30, up to a maximum of five transactions or a cumulative limit of €100 since the cardholder's last successful authentication.
- Trusted beneficiaries: When customers add sellers to a list of trusted beneficiaries held by their issuer. Sometimes known as ‘white listing’, this exemption is useful for regular customers as SCA is only required for the first transaction to set up the exemption.
- Secure corporate payments: Those initiated through secure corporate systems and processes, such as centralized travel management systems, lodge and virtual cards.
Considerations for an SCA exemption strategy
When it comes to applying exemptions, you should design your strategy specifically for your business needs. You need to consider your customer base, the goods or services being sold, the industry you’re in and your business’s risk appetite.
For example, if a transaction is low risk and within the risk appetite of your business, you may want to signal to the issuer that you have performed Transaction Risk Analysis (TRA). The latest version of the 3-D Secure protocol, 3DS 2.2 supports a frictionless flow, allowing transactions to be authorized to reduce the chance of a soft decline from the issuer.
On the other hand, if you sell big-ticket items or have higher-than-average transaction values, you may decide not to apply exemptions. That way, the issuer always authenticates their customer and you benefit from the 3DS liability shift in the event of a fraudulent transaction.
There’s no one right way to balance minimizing fraud losses, optimizing the customer experience and maximizing revenue. Devising an exemption strategy should be done by looking at your data. And you will need to continuously test and analyze the results.
Ask questions like
- What has been the impact of SCA across my customer journeys?
- What level of fraud do I experience?
- How many chargebacks do I get each month?
Exemptions and the bigger picture
Consider exemptions in the context of a wider SCA strategy. This includes transactions that are out of scope for SCA, such as merchant-initiated recurring transactions like subscriptions after the first payment. And country-specific approaches, which reflect issuer SCA readiness and may change over time.
For example, the deadline for enforcement of the SCA mandate in the UK has passed. UK issuers must now soft decline ecommerce transactions that have not had SCA applied and are not correctly flagged as either out of scope or exempt.
UK issuers are ramping up their SCA deployment. To prevent soft declines from turning into hard declines and possible lost sales, ensure you and your payment provider support at least version 2.1 of EMV 3DS. This enables step-up authentication following a soft decline. Merchants will need to be ready to handle soft declines by retrying a soft decline with 3DS2 within 15mins to not lose revenue.
Meanwhile, in the rest of Europe, SCA has been enforced for some time and businesses will need to refine and improve how they are approaching SCA. Armed with data, they are in a good position to finetune their exemption strategies.
Key take away
- Issuer readiness in different countries will change over time — localize your strategy.
- Merchants need to be ready to retry soft declines to avoid losing revenue.
Leverage your investment
Lastly, keep up to date with industry developments and SCA rollouts in your key and target markets. This allows you to refine your SCA strategy for optimization rather than just compliance. Any strategy is only as good as its implementation, which should be adapted based on use cases and experience, especially as fraud is dynamic.
Longer-term, 3DS 2.2 may enable your business to leverage its investment in fraud and risk management tools. 3DS 2.2 supports delegated authentication, where issuers allow a third party to perform authentication on their behalf. If your customers already authenticate themselves to use your app or digital wallet service, this information could be passed to the card issuer. This removes the need for separate payment authentication giving, hopefully, a better customer experience.
3DS 2.2 also supports decoupled authentication, where customers authenticate outside the main authentication flow, for example, with a push notification or an email. Which makes it ideal if customers are offline. Or shopping on one device but using another, say their smartphone, to complete SCA authentication.
Key take away:
- Fraud is dynamic, keep adapting your strategy to keep up.
- Keep up with industry developments in order to optimize your SCA strategy.
Putting you in control
Exemptions are an important part of a merchant’s SCA strategy as they reduce friction at the checkout. However, they should be used as part of a wider strategy that will consider the fraud profile of the merchant.
Ecommerce fraud is increasing and this trend will continue in 2022. Merchants need to implement exemptions at the right time and in the right places to keep fraud at bay and chargebacks to a minimum.
To find out more about authentication and exemptions, read our guide.
Download our guide to find out more.