The European Union (EU) has become a leader in consumer protection. This can create some complications for businesses, including merchants, banks, payment processors, and other stakeholders. In the long run, many of the EU’s efforts could benefit businesses, but it’s crucial to remain apprised of the regulatory and consumer protection environment, lest you fall on the wrong side of requirements and end up penalized. 

One important concept to understand is Strong Customer Authentication. Strong Customer Authentication (SCA) was implemented as part of the Payment Services Directive 2 (PSD2) and requires banks to ask for a second form of ID to confirm that the person using a credit card or credit card data is actually the cardholder. SCA started to roll out on September 14, 2019, and has been gradually expanded to cover more transactions.

While the SCA was championed by the EU, transactions in the United Kingdom must also conform to the standard. Further, since SCA applies to the European Economic Area, it is also required in Iceland, Liechtenstein, and Norway, even though said countries are not part of the EU. We’ll take a look at what the SCA is and what it means for businesses.

The Rise of Strong Customer Authentication

Fraud is a major issue with online payments and many cardholders have been defrauded over the years. Businesses have been defrauded too, of course, and when cardholders get hit by fraud, they often file chargebacks. Unfortunately, chargebacks result in lost revenue and chargeback fees, among other penalties for merchants. 

Governments have taken many measures to protect cardholders. Legislation decades ago paved the way for the chargeback process. The SCA is a more recent initiative, being part of the PSD2, which was passed by the EU parliament on November 16th, 2015. The EU is working on a PSD3, which may increase payment security in the future.

SCA was initially rolled out to cover online transactions but has since expanded to cover in-person transactions. Online transactions are card-not-present (CNP) transactions, meaning that the cardholder isn’t physically presenting the card to the merchant as they typically would during an in-person transaction. In the lead-up to the roll-out of SCA and the passing of the PSD2, the European Central Bank reported that CNP fraud had increased by 66% between 2011 and 2016, accounting for nearly 75% of fraud (2016). 

Strong Customer Authentication Explained

Quite simply, Strong Customer Authentication requires banks to verify that the person using the card is actually the cardholder by asking for a second form of identification. It’s relatively easy for fraudsters to gain access to a credit card or credit card number to then make unauthorized purchases. Acquiring a second form of ID requires more effort on the part of the fraudster, and in practice, is much more difficult to pull off.

Since CNP transactions present the most risk and make verification more difficult, in general, these transactions were the first to require SCA. How can banks ask for ID with online transactions? There are several methods, including asking for:

Something confidential a cardholder should know: This can include passwords, Personal Identification Numbers (PINs), or an answer to a security question.

Something the cardholder owns or has access to: Verification messages can be sent to a mobile phone, computer, or other device associated with the customer, for example.

Biometric data: Such as a thumbprint. Many electronic devices are equipped with a thumbprint reader or face scanner.

As for in-person transactions, securing a second form of ID is a bit more straightforward. The cardholder can simply be asked to enter a PIN at the payment terminal. A second form of ID has been required since September 15th, 2021. Having customers type in a PIN is one way to get the required second ID.

Organizations that fail to meet SCA requirements could be fined a maximum of at least 10% of their annual turnover. Individuals face a maximum of at least EUR 5,000,000. Given the potential penalties, it’s crucial to ensure that you’re in compliance.

3D Secure and SCA

One easy way to meet SCA requirements is to use 3D Secure (3DS). This system was created by Visa and Mastercard, and once enabled, cardholders are asked to verify their identification with their card issuing bank. This makes it an especially easy option for merchants as other stakeholders are handling the work.

The Global Environment and Second Forms of ID

Not all jurisdictions require a second form of ID. However, many jurisdictions have or are rolling out similar requirements, including India, Japan, and Australia. Currently, the United States does not require a second form of ID but many payment gateways, merchants, and other stakeholders have been implementing measures on their own. Doing so can reduce fraud, chargebacks, and other issues. 

Ultimately, while Strong Customer Authentication is a European Union-initiated measure, it’s likely more jurisdictions will continue to roll out similar measures. It’s also wise for merchants the world over to consider steps they can take to combat fraud, such as enabling 3D Secure. Doing so can reduce fraud, prevent chargebacks, and ultimately make shopping safer for businesses and cardholders alike. Merchants can also require a second form of ID, such as a keycode sent to a customer’s smartphone, before they can log into an online account to make purchases.

Fraud and chargebacks will remain a threat, of course. Already, fraudsters are figuring out ways to get around second ID requests and similar measures, say by gaining access to a customer’s PIN through phishing attacks. Further, if a cardholder engages in first-party fraud, abusing the chargeback process to try to secure free goods and services, SCA and the like aren’t particularly effective. Fortunately, the tools provided by ChargebackHelp can be used to combat first-party fraud and chargebacks in general.
