Is SCA enough? Adopting a multi-factor solution to fight fraud

With the European Commission first adopting the PSD2 proposals in 2015, Strong Customer Authentication (SCA) has now officially come into force across the UK. Now that this long-anticipated wait is over, we can start to look at what SCA means in practice and how merchants can do go beyond these regulations.

by Scott Dawson, Director of Operations, Pixxles

How SCA impacts merchants

In simple terms, SCA requires a customer to verify themselves with two of the three following pieces of information, such as a password, mobile device, fingerprints, facial recognition, or even subtle cues like how they type before payments can be processed. Although these regulations introduce increased friction in the payments process, SCA is necessary to prevent fraud.

Overall, the roll-out of SCA across Europe as a whole has been smooth, despite alarming news of a third of all transactions being blocked and losses of €100 billion. This is likely to be down to the flexibility built into SCA from the outset: transactions under €30 were exempt, and many merchants will receive exemptions on transactions up to €30 if their acquirer’s fraud rate is below 13 basis points and €250 if their fraud rate is below 6bps. This flexibility encourages acquirers and merchants to be proactive about fraud, as the lowered friction from a lack of SCA challenges will likely translate into more sales.

Despite offering increased protection, European eCommerce merchants have seen fraud rates rise as much as 350%. However, this does not indicate that SCA is not effective. The sharp influx in fraud, in general, is down to the rise in new eCommerce shoppers during the pandemic. In fact, if SCA was not in place, it is possible that this figure could have been even greater. Therefore, SCA should be seen as one of many systems that a merchant should have in place if they want to reduce fraud on their eCommerce site.

A collaborative approach to reducing fraud

With that said, what then are merchants’ options for going beyond to minimise fraud rates even further than SCA regulation currently allows, whilst maintaining a frictionless payment process for legitimate customers?

First and foremost, it is important to understand the exemptions process and what level of protection is available to your company. For example, if your fraud rate is already very low, you might have the option of exempting customers from SCA. In order to do this, you will need to contact your current acquirer, and if your current payments partner can’t offer you high enough exemptions you may need to consider changing acquirers.

Next is to adopt additional security technology to support SCA. There are a number of systems that use AI and machine learning to spot the signatures of fraud before it gets to the payment stage. Very few fraud attempts are carried out by a human being on a computer – instead, bot networks with increasingly sophisticated and humanlike behaviour are used to carry out hundreds of automated attacks simultaneously. This is a powerful tool, but there are some obvious tell-tale signs when attacks are carried out by machines that AI can spot. Due to the accuracy of AI, even when attacks break through machine learning can be used to prevent them from happening again.

Lastly, attacks are not always malicious in nature. Around 90% of merchants say that ‘cardholder abuse of the chargeback process is a leading concern for their business. While sometimes this abuse can be intentional, it could also be innocent. For example, a customer might not recognise a charge on their card statement and, instead of looking into it, asks their card provider for a chargeback. It is possible to put systems in place that can dramatically reduce both malicious chargebacks and unintentional ‘friendly fraud’. Having robust order-tracking systems in place is one way to cut down on chargeback claims from customers who think that their order has been lost when it is in fact running late.

Continually evolving to fight fraud

When it comes to fraud prevention, collaboration in terms of tools and expertise is key. As we have seen, by itself SCA isn’t the one and only solution for fraud, but when combined with multiple anti-fraud systems and a focus on learning more about current threats it can become part of a multi-factor solution.

Therefore, although SCA is a step in the right direction, in order to keep up with the fraud ecosystem you will need to be continually evolving too.