Acquiring, Daily news, E-Commerce, Fraud & Security, Identity, Issuing & Acquiring, M-Commerce, Regulation, SCA, Strong Customer Authentication, Strong Customer Authentication (SCA) -

Understanding Authentication Vs Authorisation in the SCA era

Since SCA (Strong Customer Authentication) was introduced for online retailers in the UK earlier this year, there have also been added complications for merchants when determining the most efficient and cost-effective way to process customer orders online.

A digital retail sector

Authentication Vs Authorisation in the SCA era

Up until now the main concern with SCA has been about how the new consumer authentication regulation adds friction to transactions and can therefore lead to higher basket abandonment rates – writes Shagun Varshney, Senior Product Manager, Payment Optimisation, Signifyd.

The real conversation, however, should be about what retailers can do to avoid the downsides of the new regulation, and turn it into an opportunity rather than a set-back.

Despite the enforcement, retailers still have the choice to minimise or eliminate the friction that SCA brings, however making those choices has become more complicated.

One of the ways to look at it is authentication vs authorization. Merchants need to maximize the strategy of requesting exemptions, and authentication and authorisation are the two ways of executing on those requests.

Understanding the payment flow

Choosing the right path means knowing whether the banks that support an online purchase for the merchant and the customer’s card issuer are fully prepared for frictionless SCA. It also requires an understanding of SCA’s exemptions and the requirements for requesting an exemption to SCA. And it requires those insights for every individual order.

By understanding which payment flow — authentication or authorisation — best accommodates the transaction process for a given order, merchants can optimise the customer experience they provide, which increases conversions and the likelihood a consumer will return for a subsequent shopping trip.

The new world of SCA

First some quick background: In the pre-SCA era, merchants didn’t worry about whether they should be seeking exemptions in the payment process and just how they’d best go about that. They were working in world without exemptions. Optimisation was not a thing.

With SCA in place, the world has changed. 3D Secure, a protocol that facilitates authentication, has become the critical path to a successful transaction. But in the early going, 3D Secure has proven unsteady. Not all merchants, banks and payment processors are prepared and using the newest version of 3DS, a version that accommodates the exemption requests that are vital to a successful SCA strategy.

Now merchants need to understand whether the banks and processors they depend on are fully SCA-prepared or not. And if they are not, merchants need to be able to request SCA exemptions by processing orders along the authorisation path.

In short: Today merchants need to be in the business of payment optimisation or live with the damage friction and cart abandonment cause their business.

How SCA changed e-commerce

Let’s look at how SCA has changed online selling and shopping. First, SCA calls on consumers to demonstrate that they are who they say they are. They can confirm their identity in two of three ways:

  • Something they own (such as the device they used to buy).
  • Something they know (such as a one-time passcode).
  • Something they are (via biometrics, such as a fingerprint or retina scan).

The regulation also comes with a batch of exemptions. These exemptions and related exceptions, called exclusions, are generally available when an order meets certain criteria:

  • The order is low-risk and low value.
  • Both the merchant and its banks have kept fraud rates low and the transaction meets certain limits — order values below €100 or between €100 and €250 or €250 and €500 depending on how low the merchant and bank’s fraud rates are.
  • The transaction is “out of scope.” These include phone or mail orders, prepaid card transactions and orders when the acquiring or issuing bank is outside of the European Economic Area.
  • Trusted beneficiary — if a consumer’s bank agrees to allow it. The trusted beneficiary exemption can be applied when a consumer expressly tells the bank that issued their credit card that they don’t want extra scrutiny applied when they are buying from specific merchants. Again, the issuing bank can refuse to allow the exemption.

The role of 3D Secure

So back to authorisation vs. authentication. Again, the backbone of authentication is 3D Secure. But, all 3D Secure is not the same. Older versions that have been in the market for years don’t allow merchants or banks to request exemptions.

They always require a step-up, often requiring a shopper to click away from a merchant’s site to satisfy the authentication requirement. A newer version allows merchants and card-issuing banks to request exemptions. The newest version allows merchants, the merchant’s bank and card-issuing banks to request exemptions.

Unfortunately, a significant number of European banks have not yet upgraded to the newest form of 3D Secure, meaning consumers will face an authentication challenge when trying to buy, unless the merchant has requested an SCA exemption via the authorisation route.

The optimum strategy for merchants in the SCA era is to understand —through data —  the history of transactions when it comes to individual banks and payment service providers.

That way they know whether the authentication route will result in a friction-free approval — meaning 3D Secure along the payment processing path is fully optimised for requesting and accommodating exemptions. Or would the better route be to request exemptions through the authorisation route?

How can retailers navigate these changes for the better?

All this means that merchants need to pay more attention to transaction data. They should get into the business of what is happening: Why was an order declined? What banks and payment processors were involved?

They should be more demanding in asking for data from their banks and their payment service providers.

They should ask for data and reports that show what orders are being declined and why. And they should consider working with partners who can readily marshal that kind of data and provide instant insights into the question: authentication or authorisation.

Keeping an eye on transaction flow and keeping it optimised is the secret to success in the SCA era. In order to make informed decisions, data is key to supporting your plans and helping to drive you forward.


The post Understanding Authentication Vs Authorisation in the SCA era appeared first on Payments Cards & Mobile.