Strong Customer Authentication
How to Maximize the Remaining Time Before the Extended SCA Deadline
It has been an extraordinary year for e-commerce. As e-commerce web traffic now reaches a record high in 2020,1 merchants are contending with rising order volumes alongside supply and delivery issues.
With the flood of new e-commerce customers in 2020, and with bricks-and-mortar stores closed for months in 2020, payments fraud is increasing too.2 Strong Customer Authentication (SCA) is a new, key element of Europe’s revised Payment Services Directive (PSD2) legislation, designed to secure online transactions and reduce fraud.
The deadline for having SCA in place has been extended to 31 December 2020 in the EU and 14 September 2021 in the UK. After these dates, multi-factor authentication will be mandatory at checkout, typically by using 3-D Secure 2.0 (3DS2). As a reminder, this requires shoppers to provide two of three identifying factors, otherwise banks will be required to decline the transaction. Customers will need to provide:
- Something the shopper has—such as a code from their smartphone
- Something the shopper knows—like a password or PIN
- Something the shopper is—something inherent to the customer, such as a fingerprint or face recognition
Ahead of the deadlines, we’re advising our clients to:
1. Make Sure You and Your Partners are Ready
It’s not just merchants who need to be ready for SCA; the entire European payments ecosystem has to be ready to make it work. Implementing, testing and fine-tuning your payment systems takes time, so it’s essential to contact your payment service provider now, to ensure they are also ready and able to equip your site with 3DS2 to enable multi-factor authentication.
2. Consider Launching Before the Deadline
A key advantage of launching SCA in advance of the 31 December deadline and across all your e-commerce channels, is that once it is in place, liability for card fraud shifts from the merchant to the card issuer. This could mean significant cost reductions for merchants. Launching prior to 31 December also means that your system is tested and ready in advance to avoid any last minute risks.
3. Communicate the Changes with Your Customers
Clear messaging will pave the way for customers to accept the new interfaces and questions at checkout. Briefing customers ahead of time and building trust may lead to being assigned to consumers’ personal ‘whitelists’ later down the line. This is a feature that will allow shoppers to proceed without being subject to SCA checks for repeat transactions with a merchant that is a ‘trusted beneficiary’.
4. Minimize Your Fraud Rates Pre-launch to Help Qualify for SCA Exemptions
Exemptions apply to some transactions (for example, transactions under EUR30 subject to the cumulative amount of transactions since the last application of SCA not exceeding EUR 100), while merchants can also offer a more frictionless experience to customers depending on their own fraud score. For example, merchants can also apply to contract with a J.P. Morgan entity purposely established to currently facilitate merchants with a fraud rate below the regulatory six basis points threshold value to claim a transaction risk analysis exemption flag for transactions of up to EUR250.
Notwithstanding the extensions that have been granted, SCA is coming and will be mandatory in many EU regions within weeks. SCA implementation may viewed by some as an extra burden to deal with however we see it as an opportunity to ensure the most effective security protocols are in place and to future-proof our merchant clients.
Contact your local J.P. Morgan representative for further information on managing the risks, transitions and opportunities the e-commerce community is facing this year, and into 2021.