
Strong customer authentication needs careful deployment for maximum success

By Paul Adams, Head of Acquiring at Barclaycard Payments

Strong Customer Authentication (SCA) will become a mandatory requirement for online payments in the UK on 14 March 2022. For the consumer, this ultimately means that they may no longer be able to check out using just their credit or debit card details. Rather, they may also be required to pass a two-factor authentication process, by entering a PIN, a passcode sent to a mobile phone, or a fingerprint scan.

Some companies have already started to implement SCA, with the deadline having been extended a number of times since it was first announced. Trials have been under way to understand how consumers would respond to the new processes, and for merchants to find ways to deliver the changes in the smoothest way possible. 

UK businesses also have the added benefit of learning lessons from abroad, as SCA has already come into effect across the European Economic Area (EEA) – allowing UK businesses to witness how their counterparts in mainland Europe have adapted. 

As the UK enters its final crunch time, UK Finance has confirmed that the final ramp-up, which begins as soon as we come out of peak trading, is going to be rapid and steep. While UK Issuers are maintaining a mild level of step-up and declines this side of Christmas, it will be a very different picture come 18th January, the date the UK enters a “sprint ramp up”. It’s essential that everyone activates their 3DS solutions and keeps a close eye on how the ramp-up impacts their business.

So, what steps should businesses be taking to perfect their SCA deployment strategies and what can we learn from the European rollout?  

  • Start using an upgraded version of 3D Secure (or “3DS”), but use it wisely

Firstly, if they haven’t already, merchants need to upgrade to at least version 2.1 of 3D Secure (EMV 3DS) – the technology used to allow banks to authenticate customers when shopping online with cards. In the EEA and UK, the legacy version is due to be decommissioned by October 2022. Leading up to that, a number of benefits of the legacy version, such as scheme authentication stand-in and liability shift, have been removed to encourage the market to complete the upgrade.

EMV 3D Secure will be the foundation for future upgrades. This latest version offers significant improvements over the legacy version, as it’s designed to better adapt to a mobile device, such as a phone app or tablet. It also allows the card issuer to, over time, collect more accurate data and prevent fraud more effectively, streamlining the payment process.   

However, by design, two-factor authentication adds friction into the customer journey. Automatically routing all transactions through 3DS may therefore result in higher basket abandonment rates and fewer purchases.

Our advice is to specify the transactions that need to go through 3DS, such as those with higher fraud risks. Some payment providers can help merchants distinguish between the transactions that do and don’t require two-factor authentication (see below), in order to reduce unnecessary friction.

  • Take advantage of SCA exemptions

The regulators recognise that certain types of low-risk transactions should be able to benefit from a low-friction experience, so these are exempt from two-factor authentication. Businesses need a clear strategy to take advantage of these “exemptions” wherever possible. By routing only the necessary transactions for additional authentication, businesses can optimise the payment experience for customers, while maintaining effective fraud prevention for higher-risk transactions. In order to do that, merchants need to be clear on which exemptions they ought to use, and work with their acquirer and gateway partners to deliver them.

Lack of clarity about the approved exemptions has led many European merchants to take an overly cautious approach, routing many transactions through SCA authentication that did not need it and adding unnecessary friction to the customer journey. Based on the schemes’ data, EEA Issuers have been learning the benefit of exemptions this past year and approval rates have been consistently high in recent months, particularly for the Low Risk Exemption.

To help businesses prepare for SCA, Barclaycard Payments launched Barclaycard Transact, a suite of tools designed to improve payment acceptance and protect merchants from fraud. Transact was delivered by Barclays Cubed, a next-generation commerce platform that uses sophisticated digital and data technology to enable secure, frictionless and seamless interactions between the bank’s millions of digitally-engaged customers and thousands of SME and corporate clients.

  • Flag transactions correctly

Merchants should not assume ‘out of scope’ transactions, such as Mail Order Telephone Order (MOTO) and Merchant Initiated Transactions (MITs), will remain unaffected. There has been an array of mandates introduced by the likes of Visa and Mastercard to facilitate compliance. Some are not so straightforward.

Unless these transactions are signposted correctly, credit or debit card issuers may misinterpret them as requiring SCA authentication, which could result in the transaction being unnecessarily declined. Top UK banks have said that incorrect ‘out of scope’ flagging is estimated to become their leading cause of declines if merchants do not take corrective action urgently. Merchants need to work with their payments providers to ensure that their transactions are signposted appropriately, as part of an effective strategy for adapting to the new SCA requirements.

As credit and debit card issuers continue to ramp up their SCA activity ahead of the deadline for full roll-out in March, merchants need to take every opportunity to prepare themselves, or they’ll risk damaging both their customer experience and their bottom line through lost revenue. SCA should be a business-critical priority for ecommerce – those who underestimate the complexity of these preparations will not thank themselves in March!

  • Don’t forget to re-route ‘soft declines’ to 3DS 

There is a common misconception that ‘soft declines’ are only for Issuers. Many merchants and their gateways fail to prioritise their gateway’s soft decline handling capability. This led to over 70% of soft-declined transactions ending in a hard decline when the EEA enforced SCA. As a result, cardholders either had to restart the transaction or walk away from the sale. As the UK goes through its ramp-up, a similar challenge could arise in the UK market if we don’t learn from the European experience. According to the latest UK Finance tracking, UK merchants lose 60% – 65% of transactions from the same error.

To prepare for this, we need to go back to the basics of the set-up of 3D Secure. Merchants should pay close attention to the soft declines they receive, even if they are low in volume, and work with their gateway to fix the problem before the ramp-up impacts them further.