SCA: How do M&S and Microsoft balance risk and reward?
For some businesses, becoming Strong Customer Authentication (SCA) compliant has simply been a hurdle they needed to overcome. Others have elevated this security requirement into an opportunity to rethink the customer journey, win trust and gain protection from liability.
I spoke with Dean Jordaan, Director of Payments at Microsoft, Oliver Steeley, Head of Payments at Marks & Spencer, and Thomas Zink, Lead Analyst at IDC, about all things SCA.
We discussed the changes we’ve seen from 3DS to EMV 3DS 2.2 and what the recent UK SCA deadline really meant for businesses. We explored how business leaders are building exemption strategies to make SCA work for them, and what businesses need to know to turn this regulatory requirement into a vital part of their fraud strategy.
The experience so far
Over the last year, UK and European consumers and businesses have been getting used to extra security checks when they shop or bank online. These checks aim to make digital transactions more secure and reduce the risk of fraud.
Yet despite the good intentions of regulators, businesses have rightly been concerned about the impact on conversion and revenue. Since SCA rules came into effect, the merchant and consumer experience has been mixed.
“Each merchant will experience SCA slightly differently based on the nature of their business,” said Dean Jordaan, Director of Payments at Microsoft. For example, Microsoft has its consumer-focused gaming business, a cloud business that is enterprise-focused as well as subscription businesses.
There are also different versions of the 3D Secure (3DS) protocol. 3DS version 1 was released in the late 1990s for web browsers. The updated version 2 is optimized for card payment on mobile devices and in-app, as well as for future form factors.
“You introduce something new into the payments industry, and it takes time for the full ecosystem to develop a maturity around a new capability,” said Dean.
This is a view shared by Oliver Steeley, Head of Payments at Marks & Spencer: “Our experience is that a good implementation of version 2.1 is probably delivering better results than an average implementation of 2.2. We’re not really seeing issuer take-up of all the features within [version] 2.2 yet – it will take a little while.”
Marks & Spencer has seen differences in SCA acceptance rates between credit and debit cards, and between mobile-centric and more traditional card issuers. As a result, it has changed the way it presents payment options and communicates with customers.
“If you’re paying on a device that supports Apple Pay, you may be presented with this as your default in a way that maybe you weren’t before. If your authentication abandons, you may get an e-mail from us that we perhaps wouldn’t have sent before,” explained Oliver.
Maximizing conversion and minimizing cart abandonment
Oliver summarized what is top of mind for most merchants: “What we care about is the transaction success rate. What route or method should I send this payment through that gives me the highest chance of success?” he said.
Thomas Zink, Lead Analyst at IDC, agrees. “I think the key consideration still has to be maximizing conversion rates and minimizing cart abandonment,” he said. “Strategy is important. What we’ve heard is that the better you’re prepared, the better this will go.”
So, what are the key considerations for businesses when devising an SCA strategy? And where do exemptions fit in? Clearly, an SCA strategy should reflect your risk profile, industry sector, customer base, and trading split across countries, channels, value bands and so on. Next, it should consider whether transactions are out of scope or exempt from SCA requirements.
As many as half of all ecommerce transactions could be out of scope of SCA if certain criteria are met, according to estimates from Visa. These include mail order/telephone order payments, anonymous prepaid card payments, transactions where either the card issuer or acquirer is outside the EEA, and merchant-initiated transactions, such as instalment, recurring and delayed payments.
The SCA exemptions include transaction risk analysis (TRA) where acquirer fraud rates remain low, trusted beneficiary payments where customers ‘white list’ sellers with their card issuers, and low value transactions.
It’s critical for businesses to understand their customer journeys in the context of SCA. Identifying and correctly flagging out-of-scope transactions and exemptions helps prevent unnecessary SCA challenges and possible declines, and makes for a more frictionless checkout.
Making SCA work for your business
SCA has the potential to reduce ecommerce card fraud in the same way that chip and PIN reduced face-to-face card fraud. It offers a layer of protection against the fraudulent use of accounts and, in most cases, shifts liability from merchants to card issuers. Leaning into it puts merchants in the driver’s seat.
Consequently, Thomas at IDC is philosophical about the future. “These things will evolve over time. There’s always a transition period where there’s friction and we will see increased cart abandonment, but they will work themselves out over time,” he said.
Moreover, he doesn’t believe that SCA will drive transactions away from cards, at least not in the long term. “SCA is just one part of the payment process. Everybody is ramping up their investments in fraud monitoring tools. As these tools get smarter and more efficient, this will allow businesses to push exemptions further, without causing more risk in the process,” he concluded.
There’s a balance to be struck between minimizing fraud losses and operational costs, optimizing the customer experience and maximizing revenue. No one says this is easy. But the good news is there is no one right way to balance these factors or devise an SCA strategy.
Each business can tailor and tweak its SCA approach for competitive advantage, depending on its own circumstances, and should be able to draw on the local knowledge, experience and expertise of its payment partner to do so.