SCA Compliance – Tips to Know
Many businesses across the European Union and United States are studying how they can comply with new payments compliance measures. Here are a few tips to know.
The second Payment Services Directive (PSD2) is EU legislation that requires stronger fraud-prevention checks by merchants and issuers. Many businesses are preparing for the new rules, which aim to regulate how payment services operate in Europe and to standardize local payment processes around the price and quality of financial products and services.
The goal of the legislation is to make payments safer, increase consumer protection, and foster innovation and competition by helping third-party financial service companies to scale. However, it can introduce frequent, complex customer authentication, which adds friction to the customer journey and lowers customer conversion.
PSD2 aims at reducing the risk of fraud for electronic transactions and protecting the consumer’s data through Strong Customer Authentication (SCA), which is one of the two requirements under PSD2.
What is SCA?
PSD2 is designed to reduce the risk of fraud for electronic transactions and protect consumer data through SCA by requiring two or more independent authentication elements for all electronic transactions.
SCA requires two or more of the following:
- Knowledge: Something you know (e.g., your PIN)
- Possession: Something you have (e.g., your card)
- Inherence: Something you are (e.g., biometric ID)
SCA must be applied to every payment transaction when at least one party is located in the European Union, except in the case of allowed Transaction Risk Analysis (TRA) exemptions. It must also be applied when users view their payment account or parts of it through additional services, including the first time they view the account, and at least every 90 days.
While SCA does reduce the risk of fraud, and therefore protects the customer's data, it also adds significant customer friction and disrupts the payment process. Regulators recognized that this would be the case, so TRA exemptions were also outlined and are regulated. Qualifying transactions can skip the additional steps required by SCA, avoiding disruption at the point of purchase. Examples of such exemptions are payments below a certain value threshold or payments to a beneficiary who is already identified.
What are Transaction Risk Analysis Exemptions?
Transaction Risk Analysis (TRA) identifies low-risk transactions under PSD2. TRA exemptions allow those transactions to bypass the SCA process. This enables a frictionless journey for low-risk customers who would otherwise experience unwarranted friction.
SCA exemption policies are based on the issuer’s fraud rates across their cards, and the acquirer’s fraud rate across their portfolio. PSPs must meet specific fraud thresholds tied to the value of individual transactions.
To take advantage of TRA exemptions and avoid SCA where possible, transactions must pass a robust risk analysis, or fraud screening.
Advanced Fraud Screening Is Required to Take Advantage of TRA Exemptions
PSD2 requires that risk analysis include six elements to qualify as robust fraud screening:
- Abnormal spending or behavioral pattern of the payer
- Unusual information about the payer’s device/software access
- Malware infection in any session of the authentication procedure
- Known fraud scenario in the provision of payment services
- Abnormal location of the payer
- High-risk location of the payee
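The rules above (two independent SCA factors, SCA on first account view and at least every 90 days, TRA exemptions tied to the PSP's fraud rate and the transaction value, and the six risk elements of robust fraud screening) can be expressed as a small decision routine. The following is an added example written for this page; it is not Kount's code or any PSP's implementation. The TRA value tiers and fraud-rate thresholds in `TRA_TIERS`, the `abnormal_spending` heuristic, and all sample transactions are assumptions constructed for illustration; the other five risk elements are taken as boolean inputs from an upstream screening system.

```python
"""Added example (not Kount's code): a minimal PSD2 SCA / TRA decision routine."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from statistics import median


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something you know (PIN, password)
    POSSESSION = "possession"  # something you have (card, phone)
    INHERENCE = "inherence"    # something you are (biometric)


def sca_satisfied(presented: list[tuple[str, Factor]]) -> bool:
    """SCA needs two or more elements from *independent* categories.

    Two passwords are still a single (knowledge) category, so they do not count.
    """
    return len({factor for _, factor in presented}) >= 2


def account_access_needs_sca(last_sca: date | None, today: date) -> bool:
    """Account-information access: SCA on the first view and at least every 90 days."""
    if last_sca is None:
        return True  # first time the account is viewed
    return today - last_sca >= timedelta(days=90)


# Assumed, illustrative TRA tiers: (max transaction value in EUR, max PSP fraud rate).
# A lower fraud rate unlocks a higher exemptible value; configure from the actual RTS.
TRA_TIERS = [(100.0, 0.0013), (250.0, 0.0006), (500.0, 0.0001)]


def tra_amount_ceiling(psp_fraud_rate: float) -> float:
    """Highest value a PSP with this fraud rate may exempt; 0.0 means no TRA exemption."""
    ceiling = 0.0
    for max_amount, max_rate in TRA_TIERS:
        if psp_fraud_rate <= max_rate:
            ceiling = max(ceiling, max_amount)
    return ceiling


@dataclass
class RiskSignals:
    """The six PSD2 risk elements, each reported as a boolean by fraud screening."""
    abnormal_spending: bool = False
    unusual_device: bool = False
    malware_in_session: bool = False
    known_fraud_scenario: bool = False
    abnormal_payer_location: bool = False
    high_risk_payee_location: bool = False

    def triggered(self) -> list[str]:
        """Names of the risk elements that fired."""
        return [name for name, hit in vars(self).items() if hit]


def abnormal_spending(history_eur: list[float], amount_eur: float, k: float = 3.0) -> bool:
    """Assumed heuristic: an amount far above the payer's median spend is abnormal."""
    if len(history_eur) < 3:
        return False  # too little history to judge
    return amount_eur > k * median(history_eur)


@dataclass
class Transaction:
    amount_eur: float
    payer_in_eu: bool
    payee_in_eu: bool
    psp_fraud_rate: float
    signals: RiskSignals


def decide(txn: Transaction) -> tuple[str, str]:
    """Return (decision, reason): SCA_REQUIRED, TRA_EXEMPT or OUT_OF_SCOPE."""
    if not (txn.payer_in_eu or txn.payee_in_eu):
        return "OUT_OF_SCOPE", "no party located in the EU"
    hits = txn.signals.triggered()
    if hits:  # any risk element rules out the TRA exemption
        return "SCA_REQUIRED", "risk element(s) triggered: " + ", ".join(hits)
    ceiling = tra_amount_ceiling(txn.psp_fraud_rate)
    if txn.amount_eur <= ceiling:
        return "TRA_EXEMPT", f"low risk and {txn.amount_eur:.2f} EUR <= {ceiling:.0f} EUR tier"
    return "SCA_REQUIRED", f"{txn.amount_eur:.2f} EUR exceeds {ceiling:.0f} EUR TRA ceiling"


if __name__ == "__main__":
    # Constructed sample: a 180 EUR purchase by an EU cardholder at a PSP whose
    # fraud rate falls in the 250 EUR tier; no risk element fires.
    history = [120.0, 95.0, 140.0, 110.0]
    txn = Transaction(
        amount_eur=180.0, payer_in_eu=True, payee_in_eu=False, psp_fraud_rate=0.0005,
        signals=RiskSignals(abnormal_spending=abnormal_spending(history, 180.0)),
    )
    print(decide(txn))
```

Note the ordering in `decide`: the risk elements are evaluated before the value tier, because a transaction that trips any of the six elements is not low risk regardless of its amount, and the exemption is only available to the PSP whose fraud rate stays under the threshold for that value band.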
How Does Kount Meet SCA Requirements for Robust Fraud Screening?
What is 3D Secure 2.0?
In addition to advanced fraud screening requirements, payments need to be authenticated with a technology that meets SCA requirements. While there are several payment authentication technologies, including Apple Pay, 3D Secure 2.0 (3DS2) is likely to be the most common since it updates 3DS technology, which already has wide adoption in Europe.
Card brands have started to adopt the 3D Secure protocol into their services, which includes a liability shift for merchants. Merchants, in turn, are also starting to migrate from 3DS to 3DS2 or to integrate 3DS2 into their purchase flow.
Whether you are authenticating payments inside or outside of Europe, without an effective fraud solution in place, 3DS2 can increase customer friction, lower conversion rates, and force merchants into high-fraud-rate programs. Learn more about how Kount protects the complete customer journey when using 3DS2 for payment authentication.