Strong Customer Authentication
A closer look at e-commerce fraud at the tail end of 2020 – and how SCA will influence it in 2021
The European deadline for Strong Customer Authentication (SCA) compliance is just weeks away. We’ve been looking at the payments ecosystem in terms of implementation, and what this major new change to online payments protocol means for e-commerce merchants.
SCA is designed to ramp up online security, and therefore reduce fraudulent transactions, providing extra protection for both consumers and companies. Despite the challenges of introducing a new protocol, arguably the hard deadline for launching it – 31 December 2020 – has come at the right time. Indeed, e-commerce fraud has jumped this year in line with rising e-commerce volumes.
However, a significant trend to note is that in recent months, among J.P Morgan’s own merchant clients, e-commerce transaction fraud has actually been reducing. As a proportion of sales, we've seen it go down across our portfolio, and we are seeing that risk continue to decrease.
We think there are a number of factors explaining this, including SCA. The positive factors reducing e-commerce fraud appear to be:
3DS 2.1 implementation
There has been a real uplift in merchants installing 3DS 2.1 this year to enable SCA compliance. The 2.1 iteration (and the even more recent version, 3DS 2.2) accepts a wider range of authentication methods, including biometric and SMS data. Importantly, as mobile commerce booms, the 3DS 2.1 interface integrates far better into mobile devices than the earlier 3DS 1 solution. 3DS 2.1 also allows merchants to take advantage of the exemptions that are available for SCA – for example, for recurring payments and for transactions under €30.
Boosting consumer awareness of online fraud
There is no doubt that, with physical retail reduced this year, fraudsters have focused on e-commerce payments in 2020. Research from OpSec Security suggests 86% of consumers have been the victim of some form of identity theft, credit or debit card fraud or a data breach this year, up from 80% in 2019.
But banks, card brands and merchants have all worked hard to inform their customers of the heightened risk, likely leading to greater consumer caution and awareness when spending online as a result.
Uptake of transaction risk analysis exemptions
This is a key way to exempt transactions from SCA requirements. It means that for merchants whose acquirer’s fraud rate sits below 13 basis points (bps) there’s no requirement for an SCA challenge for transactions of up to €100. If the acquirer’s fraud rate is below 6bps, that ceiling rises to €250.
Merchants with an applicable fraud rate of below 6bps can apply to join J.P. Morgan’s low fraud entity, which allows merchants to claim a transaction risk analysis exemption flag for transactions of up to €250.
There’s no doubt e-commerce merchants have faced an incredibly challenging year. Across Europe, different countries and different banking authorities are taking different approaches to launching SCA, so the best option for merchants is to be as prepared and consistent as possible, ideally well before the 31 December 2020 deadline.
When fighting e-commerce fraud, we always recommend taking an informed, multi-faceted approach that targets and addresses as many risk factors as possible. Implementing all three of the above measures will work towards that.
The launch of SCA will face challenges in 2021, and fraud undoubtedly remains a significant threat throughout the e-commerce ecosystem. But we believe we’re already witnessing a far more secure online payments environment for both e-commerce merchants and their customers.
Contact your local J.P. Morgan representative for further advice on the best way to manage the risks, transitions and opportunities the e-commerce community is facing this year and into 2021.