Authentication Versus Authorisation in the SCA Era

Ed Whitehead, EMEA Managing Director at Signifyd, talks us through two different approaches to Strong Customer Authentication (SCA) and how to avoid the downsides of the new regulations

Photo of a woman's hand holding a credit card as she makes a payment on her laptop

Since its enforcement in the UK in March 2022, SCA – designed to protect consumers and reduce the number of fraudulent orders for merchants – comes with added complications when determining the most efficient and cost-effective way for retailers to process online orders. 

Many discussions have been about how it adds friction to transactions and leads to lower conversions. The real conversation should be about what retailers can do to avoid the downsides.

The good news is that merchants have choices that can minimise or eliminate the friction that SCA brings. The not-so-good news is that making those choices is a complicated matter. 

Are merchants and card issuers fully prepared?

Choosing the right path means knowing whether the banks that support an online purchase for the merchant and the customer’s card issuer are fully prepared for frictionless SCA. It also requires an understanding of SCA’s exemptions and the requirements for requesting an exemption to SCA – for every individual order.  

By understanding which payment flow best accommodates the transaction process for a given order, merchants can optimise the customer experience they provide, which increases conversions and the likelihood a consumer will return for a subsequent shopping trip. 

How has SCA impacted the payments process?

Before SCA, merchants didn’t worry about whether they should seek exemptions in the payment process and just how they’d best go about that. They were working in a world without exemptions: optimisation was not a thing.

With SCA in place, the world has changed. 3D Secure, a protocol that facilitates authentication, has become the critical path to a successful transaction. But in the early going, 3D Secure has proven unsteady. Not all merchants, banks and payment processors are prepared and using the newest version of 3DS, a version that accommodates the exemption requests that are vital to a successful SCA strategy.

Now merchants need to understand whether the banks and processors they depend on are fully SCA-prepared or not. And if not, merchants need to be able to request SCA exemptions by processing orders along the authorisation path. 

Today, merchants need to be in the business of payment optimisation or live with the damage friction and cart abandonment cause their business. 

How has SCA changed the selling and shopping process?

First, SCA calls on consumers to demonstrate that they are who they say they are. They can confirm their identity using two of three methods:

  • Something they own (such as the device they used to buy).
  • Something they know (such as a one-time passcode).
  • Something they are (via biometrics, such as a fingerprint or retina scan). 

The regulation also comes with a batch of exemptions. These exemptions and related exceptions, called exclusions, are generally available when an order meets specific criteria: 

  • The order is low-risk and low value.
  • Both the merchant and its banks have kept fraud rates low, and the transaction meets certain limits — order values below €100 or between €100 and €250 or €250 and €500 depending on how low the merchant and bank’s fraud rates are. 
  • The transaction is “out of scope.” These include phone or mail orders, prepaid card transactions and orders when the acquiring or issuing bank is outside of the European Economic Area.
  • Trusted beneficiary — if a consumer’s bank agrees to allow it. The trusted beneficiary exemption can be applied when a consumer expressly tells the bank that issued their credit card that they don’t want extra scrutiny applied when they are buying from specific merchants. Again, the issuing bank can refuse to allow the exemption. 

What part does 3D Secure play?

Back to authorisation vs. authentication. Again, the backbone of authentication is 3D Secure. But, all 3D Secure is not the same. Older versions that have been in the market for years don’t allow merchants or banks to request exemptions. They always require a step-up, often requiring a shopper to click away from a merchant’s site to satisfy the authentication requirement. A newer version allows merchants and card-issuing banks to request exemptions. The newest version allows merchants, the merchant’s bank and card-issuing banks to request exemptions. 

Unfortunately, many European banks have not yet upgraded to the newest form of 3D Secure, meaning consumers will face an authentication challenge when buying, unless the merchant has requested an SCA exemption via the authorisation route.

The optimum strategy for merchants in the SCA era is to understand —through data —  the history of transactions regarding individual banks and payment service providers. That way they know whether the authentication route will result in a friction-free approval — meaning 3D Secure along the payment processing path is fully optimised for requesting and accommodating exemptions. Or would the better route be to request exemptions through the authorisation route? 

How can merchants navigate these challenges? 

All this means that merchants need to pay more attention to transaction data and get into the business of what is happening: Why was an order declined? What banks and payment processors were involved? They should be more demanding in asking for data from their banks and their payment service providers. They should ask for data and reports that show what orders are being declined and why. And they should consider working with partners who can readily marshal that kind of data and provide instant insights into the question: authentication or authorisation?

After all, optimising transaction flow is more critical than ever in the SCA era. And you can only make an intelligent choice if you have the proper data to guide you.


About the Author: Ed Whitehead is the EMEA Managing Director at Signifyd.