SCA exemptions: A merchant’s best friend, with complications

When it comes to online commerce, much of Europe is living in a new payment regulation era — and the UK will soon follow. It’s an era of two-factor authentication, exemptions, step-ups, transaction legs that are either in or out — and a more secure ecommerce shopping experience for consumers. Polling and industry anecdotes indicate that for many, SCA, which stands for Strong Customer Authentication, might as well mean Something Causing Anxiety. Merchants and consumers know something is changing, but exactly what, for whom and when, well, that’s a little unclear. But there are ways that UK merchants and brands can embrace SCA by 14 September, the date on which the regulation will be fully enforced. A quick refresher: SCA is required under the sweeping digital payment regulation known as PSD2. It is already being enforced through much of Europe. It is meant to better secure online checkout by requiring that shoppers be authenticated by two of three methods: something the user knows (such as a one-time passcode), something the user has (such as a mobile device) and something the user is (such as a fingerprint, facial recognition, typing behaviour). The key to getting SCA right is to conduct the required two-factor identification without adding inconvenience to the checkout process. And that starts with understanding the exemptions and exclusions contained in the requirement and how those elements best apply to your particular business. Wisely deploying exemptions will allow a significant percentage of transactions to be exempted from the regulation — under the right conditions. As you’ve probably guessed, establishing those conditions has become more important than ever. It’s also important to note that while exemptions and exclusions, which we’ll get to shortly, benefit merchants and their customers, control over whether they are available to a merchant is largely in the hands of a merchant’s payment service provider or a cardholder’s issuing bank. In general exemptions — and their close cousins, exclusions — are available when an order meets certain conditions: The order is low risk and low value. The merchant and its bank have maintained a low fraud rate and the transaction meets certain value limits. The transaction is considered “out of scope.” The list for these exclusions includes phone or email orders, prepaid card transactions and transactions when the acquiring bank or the issuing bank are outside the European Economic Area — or “one leg out transactions. One other exemption is available, but a consumer’s bank must agree to allow it in order for it to be applied. It’s called the “Trusted Beneficiary” exemption. It can be applied when a consumer expressly tells the bank that issued their credit card that they don’t want extra scrutiny applied when they are buying from specific merchants. Again, the issuing bank can refuse to allow the exemption. Similar to exemptions, “out of scope” transactions can also be processed without SCA. In some instances SCA simply does not apply. Think phone or email orders, prepaid card transactions and transactions when the acquiring bank or the issuing bank are outside the European Economic Area (this is where the “one leg out” phase is used). In the case of a merchant-initiated transaction, a subscription for instance, SCA needs to be performed only once to authenticate the buyer. Visa, among others, has provided a specific list of exemptions and exclusions. It becomes evident, scouring the Visa list, that while helpful, exemptions are also limited. Consider low-value transactions for instance. It’s great that transactions below €30 can bypass SCA. But what if you sell jewellery, luxury watches, electronics, high fashion, home goods, sporting goods, groceries, auto parts or sell in any of the nearly limitless verticals that offer products or groups of products upon which consumers typically spend more than €30 on? Oh and there is a catch: Even low value transactions need to undergo SCA periodically — every five transactions under €30 must undergo SCA, as must an order once the cumulative value of low-value transaction reaches €100. Or consider allow-listing. First off, a consumer needs to be aware there is such a thing. A merchant might add a notice at checkout suggesting, “If you like shopping with us, ask your issuing bank to allow-list our store.” All of which leaves a consumer saying, “Ask my what to do what now?” And even if consumer consciousness-raising is a success, think about the bank that issued the consumer’s credit card. By agreeing to allow-list a merchant, the bank takes on liability for any fraudulent orders. So in one stroke, the bank allows the order to bypass increased scrutiny and agrees to be on the hook for orders that are not legitimate. That’s not a lot of incentive, to put it mildly. None of which is to say that exemptions should be ignored. Exemptions are a powerful way to provide a seamless experience for customers. When an exemption is approved, the customer doesn’t have to worry about the transaction being stepped up by requiring two of the three SCA authentication methods. And so, retailers want to be in a position to take advantage of exemptions. One thing that quickly becomes obvious when planning a robust exemption and exclusion strategy is that the starting point for taking advantage of SCA exemptions is to ensure that your enterprise is a solid citizen when it comes to preventing fraudulent sales. Take the most obvious case: In order to take full advantage of the low-risk transaction exemption, a merchant needs to keep its fraud rate below an exceedingly low .01%. That clears the way for purchases under €500. Exemptions for purchases under €250 and under €100 are also available for merchants with fraud rates of .06% and .13% respectively. It’s important, then, to include a powerful fraud protection solution in your overall SCA strategy. A low fraud rate is vital to securing exemptions and exemptions are vital to producing a top-flight customer experience. Embracing a modern machine-learning fraud solution that sifts fraudulent from legitimate orders in an instant while seamlessly scaling does far more for a merchant than simply ensuring it can use exemptions. Yes, doing away with SCA is one of the best things about exemptions, but it is also one of the worst things about exemptions. Sure, an exemption eliminates the potential friction added to the buying journey by two-factor authentication, but an exemption also sidelines the extra protection that step-ups provide an online seller. A constantly learning automated fraud solution with a financial guarantee provides the protection needed to ensure good orders are shipped and fraudulent orders are declined. Merchants and brands will want to be able to confidently pursue an aggressive exemption strategy without worrying about new vulnerabilities that fraud rings will look to exploit. Consider the irony of working so hard to maintain a low fraud rate in order to take advantage of exemptions, only to have those exemptions ultimately lead to a higher fraud rate. As with many things in commerce, it’s best to take a holistic view when you’re considering how SCA and its exemptions fit into your entire risk management plan.