We’ve seen a lot of talk about how the secret to successful strong customer authentication (SCA) is in the details — the exemptions, the exclusions, the version of 3DS in play.
But there is one other detail, one vital to maintaining a magnificent customer experience, that can’t be overlooked: the importance of delegated authentication.
In simple terms, operating your ecommerce enterprise with delegated authentication is the only way under PSD2’s SCA requirement for a merchant to keep complete control of the experience it is offering loyal and newly acquired customers alike.
SCA – it’s a three-step process
SCA is a requirement of the new digital payment regulation PSD2 (payment security directive 2). It’s already in force in much of Europe and will be enforced in the UK beginning in March. Its requirements have become recitable by rote: SCA requires that shoppers’ identities be authenticated by two of three methods:
● Something the user knows (such as a one-time passcode)
● Something the user has (such as a mobile device)
● Something the user is (such as a fingerprint, facial recognition, typing behaviour)
Unless a merchant takes action, the authentication process is ordinarily handed over to the cardholder’s bank. That means if you’re an online retailer, a consumer browses your website, finds that perfect something, adds it to a basket, hits buy and is whisked away to a bank’s site or app.
The site looks nothing like your site. The authentication process may be intuitive or it may be confusing. A shopper might persevere or they might find the experience off-putting and wonder just who it is gathering their personal information for authentication purposes. But the retailer no longer has control over the customer experience during the time of authentication.
Nicole Jass, senior vice president of product at payment technology company FIS, writing in the PYMNTS Authenticated Payments Report, described bank-initiated authentication this way:
“(It) often adds an extra step into the checkout process for customers, creating friction that could result in cart abandonment. Keeping SCA responsibilities in-house prevents merchants from routing customers to issuers’ domains, giving retailers more control over the experience and sparing issuers from taking on the task.”
No Delegated Authentication? Say goodbye to sales
That switching among sites to make an online purchase is no doubt a key reason that SCA’s rollout has resulted in dramatic cart abandonment across Europe. Payment consultancy CMSPI’s latest report on the economic impact of SCA found a transaction failure rate of 25% region-wide in June. The figure was as high as 38% in Belgium. CMSPI extrapolated that if such abandonment rates persisted, European merchants stood to lose more than €76bn in sales this year.
And while contemplating that disjointed customer experience is discouraging enough, it gets worse…
Depending on the bank card you use, your experience shopping with a particular retailer might be far and away better than that of someone else who uses a different card or someone who uses more than one payment card.
And when issues occur, who does the consumer contact? The merchant? The bank? Does the merchant know when something goes wrong at the bank? Does the bank know if the merchant was at fault? Or does it all remain a mystery in the consumer’s mind?
And let’s not forget the poor merchant. They could easily lose a customer for life, simply because the consumer’s bank was ill-prepared for the new SCA requirements. A Signifyd consumer survey found that 53% of consumers will accept no more than one bad online experience from a retailer before choosing not to shop with them again.
The time is now for delegated authentication
Unfortunately, taking the reins of customer authentication is not entirely up to a merchant, and so delegated authentication is a must-have. But how do we get there?
The cardholder’s bank will accept the liability under SCA for authenticated orders that are fraudulent, and therefore it has an interest in controlling the process. It will delegate the authentication procedure to a merchant that has demonstrated that it has fraud under control. That is a key reason why robust fraud protection is even more important in the SCA era.
Visa and Mastercard have gone a long way toward removing another major complication for merchants taking on delegated authentication. Initially, a merchant would need to connect with every bank that issued a credit card that one of its customers used on its site. The merchant would need to get approval one by one from banks to authenticate consumers with that card.
The card companies, however, have stepped up to act as a clearinghouse between merchants and banks that issue their cards. Banks have also shown a willingness to accept the assurance of other trusted third parties — say a reputable fraud protection provider — as sufficient to hand authentication over to a merchant.
That is a good detail to know for merchants already operating under SCA’s requirements and for those in the UK who will be managing the new payment requirement soon enough.