Europe has been using a new authentication protocol for nearly a year now. The UK, however, got to push back the rollout, citing businesses having enough on their plates with Brexit as the main reason for late compliance. Those are not the exact words, but we are safe in saying now that the delay in using the SCA system is over and it is set to be law from March 14th 2022.
Why should I read on?
Mastercard says it expects about 25% of online transactions to require some form of extra verification by the customer after 14 March. Until now, only 1% of online purchases triggered the need to input a password, or similar. The chances are, a quarter of your customers are going to go through the new procedures.
So what’s SCA (Strong Customer Authentication) and what does it mean for your business?
SCA is a new European regulation that reduces fraud by making online and contactless offline payments more secure. SCA requires authentication for any purchase over £30/€30. SCA works by requiring merchants to build additional authentication into their checkout flow, using at least two of the following three elements:
– SOMETHING THE CUSTOMER KNOWS (e.g., password or PIN)
– SOMETHING THE CUSTOMER HAS (e.g., phone or hardware token)
– SOMETHING THE CUSTOMER IS (e.g., fingerprint or face recognition)
Banks will need to start declining payments that require SCA and don’t meet these criteria. For online card payments, these requirements apply to transactions where both the business and the cardholder’s bank are located in Europe, including the UK.
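To make the "two of three elements" rule concrete, here is an added example (not from a bank, card scheme or payment gateway) of the check described above. The factor names, the short country list and the function names are assumptions made for illustration, and the sample payments in the test are constructed.

```javascript
// Added illustration: every name and value here is an assumption, not a real bank or gateway API.
// Maps a credential type to the SCA element it counts as. A Map is used so
// inherited object keys such as "constructor" are never treated as a factor.
const ELEMENT_OF = new Map([
  ['password', 'knowledge'], ['pin', 'knowledge'],              // something the customer knows
  ['phone_otp', 'possession'], ['hardware_token', 'possession'], // something the customer has
  ['fingerprint', 'inherence'], ['face', 'inherence'],          // something the customer is
]);

// Illustrative subset of in-scope country codes, not a complete list.
const IN_SCOPE = new Set(['GB', 'IE', 'FR', 'DE']);

// £30 / €30 expressed in pence or cents, the figure this article gives.
const SCA_THRESHOLD_MINOR = 3000;

// SCA applies when both the business and the cardholder's bank are in scope
// and the purchase is over the threshold.
function scaRequired(payment) {
  return IN_SCOPE.has(payment.merchantCountry) &&
         IN_SCOPE.has(payment.issuerCountry) &&
         payment.amountMinor > SCA_THRESHOLD_MINOR;
}

// Count distinct elements, so a password plus a PIN is still only one.
function distinctElements(factors) {
  const seen = new Set();
  for (const factor of factors) {
    const element = ELEMENT_OF.get(factor);
    if (element) seen.add(element); // unknown factor types count for nothing
  }
  return seen;
}

// The decision the cardholder's bank has to make for one payment.
function issuerDecision(payment) {
  if (!scaRequired(payment)) return 'sca_not_required';
  const elements = distinctElements(payment.factors || []);
  return elements.size >= 2 ? 'sca_satisfied' : 'decline';
}
```

The case worth noticing is a checkout that collects a password and a PIN: both are "something the customer knows", so the payment is still declined.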
What is wrong with 3D Secure?
Credit card companies developed the first 3D Secure system in 2001. If you make frequent purchases online, you’re probably familiar with the 3D Secure flow. First you enter your card information to confirm a payment, and then you are directed to another page where your bank asks for a code or password to authorize it. For businesses, the benefit of 3D Secure is clear: additional information lets you build in an extra layer of fraud protection, ensuring that you only accept card payments from legitimate customers.
Unfortunately, there are several drawbacks to the usage of 3D Secure 1: the need for a further step at checkout causes friction and may cause consumers to abandon their purchase. Furthermore, many banks still require cardholders to generate and keep private passwords while using 3D Secure verification. These passwords are easy to forget, resulting in increased cart abandonment rates.
Step up, 3D Secure 2!
3D Secure 2 allows businesses and their payment provider to submit more data elements with each transaction to the cardholder’s bank. Payment-specific data, such as the shipping address, as well as contextual data, such as the consumer’s device ID or prior transaction history, are all included in this. The cardholder’s bank can assess the risk level of the transaction and select an appropriate response:
– If the data is sufficient for the bank to believe that the actual cardholder is making the purchase, the transaction goes through the “frictionless” flow.
– If the bank decides it needs further proof, the transaction is sent through the “challenge” flow and the customer is asked to provide additional input to authenticate the payment.
3D Secure 2, in contrast to 3D Secure 1, allows merchants to easily share additional data from the customers and thus validate greater numbers of transactions without further customer input.
The enforcement of Strong Customer Authentication (SCA) has made 3D Secure 2 even more essential if you do business in Europe. Because this rule enforces extra authentication, the enhanced user experience of 3D Secure 2 can help to minimize the conversion-harming effect.
What happens if I do not update my store?
The new rules are being rolled out by the FCA, meaning all UK businesses need to comply or face heavy fines. More details of the FCA guidance can be found here.
How do I update my store?
Devstars are always on hand to help guide you through new directives like these. Please get in touch with us to discuss your store and for us to start a quick audit of the checkout process. The good news is, if you are using a modern payment gateway like Stripe or Braintree, it will have taken care of much of the work for you.