PSD2 Compliance and SCA: What’s Next? Part 1

PSD2 Compliance and SCA: Where we are now and what comes next? (Part 1)


Jonathan Swan

Feb 16, 2023

In 2016, Card Not Present (CNP) fraud peaked at €1.3 billion in Europe, up from €794 million in 2012[1].

It was a similar story in the UK, where losses jumped from £247.3 million in 2012 to over £500 million in 2018[2].

For merchants, consumers, regulators, and financial institutions, this was an unsustainable situation. CNP fraud losses across the continent were significant and growing. As we lived more of our lives online, the risks only increased.

As we know, the European Commission’s answer was a new authentication standard for PSD2 compliance called Strong Customer Authentication (SCA). SCA promised to make transactions more secure, even at the cost of sometimes more complex customer experiences.

In this article, we’ll discuss the impact of SCA so far. Authentication is always a balance between security and customer experience. Has SCA got the balance right?

The advent of SCA for fraud prevention

SCA was the result of a journey that started with the original Payment Services Directive (PSD) in 2007 and continued with its successor (PSD2) in 2015.

Regulatory wheels turn slowly. While the European Commission published the Regulatory Technical Standard for Strong Customer Authentication in 2017, SCA has only recently been fully enforced in the UK and European Economic Area (EEA).

Was it worth the wait? SCA is undoubtedly a piece of game-changing authentication legislation. Most importantly, SCA demands 2 Factor Authentication (2FA) for all relevant transactions (although exemptions are available in certain circumstances) and links the authentication processes to a specific merchant and value. This makes it a major step forward in the war against fraud.

But has it achieved the fine balance between security and experience? SCA is still in its infancy, making its full impact difficult to gauge. But it’s possible to identify some early trends. Let’s look at those in a bit more detail.

SCA and fraud protection

The early figures on fraud prevention are tentative but promising. According to a European Banking Authority (EBA) discussion paper from last year[3], “the share of fraud in total volume is five times higher for payments authenticated without SCA compared to the payments authenticated with SCA.”

CNP fraud rates are significantly lower in regions where SCA is enforced, and on transactions protected by SCA[4].

That’s certainly positive, but there is another side to the story that demands equal weight. SCA may be reducing fraud, but it may also be driving some customers away. If so, the right balance between fraud management and customer experience has yet to be found.

The rise of 3DS

SCA legislation has driven the wide adoption of 3D Secure (3DS) for CNP transactions, a technical standard that adds an extra layer of security by allowing merchants to route transactions through to an issuing bank for authentication.

Properly implemented, 3DS is an excellent fraud protection tool. But it does add extra friction to customer journeys. That friction can lead to cart abandonment and customer dissatisfaction.

Some friction in authentication processes is almost inevitable. But one problem with 3DS is that implementation often differs between merchants, banks, and providers, leading to compatibility issues and dropouts.

Figures from 2019[5] found that 30% of CNP payments were lost through 3DS, and that was before SCA drove more widespread use of the technology.

3DS technology dates back a couple of decades, but even the introduction of the latest 3DS standard – 3DS2 – has not solved the issue. In 2021, it was found that abandonment rates through 3DS remained worryingly high[6].

Research by Arcot, a major 3DS service provider, adds interesting detail to the wider picture. It finds that mobile apps have a far higher failure rate than browser journeys. In November 2022, for example, browser journeys had a 77% success rate, while the figure for mobile apps was just 52%[7].

These figures suggest a significant compatibility problem and put a question mark over SCA’s reliance on 3DS technology.

The fraud management balance

In other words, the impact of SCA has so far been mixed. It has certainly made a promising start as far as CNP fraud prevention is concerned, with a clear reduction in losses where SCA is enforced.

But heightened security has led to greater friction for customers, and current failure rates – especially those involving mobile apps – are probably unsustainable in the longer term.

It seems the perfect balance between keeping consumers secure and engaged is yet to be found. That’s naturally leading to calls for further change and greater technological innovation, to avoid clunky hand-offs, arduous bank authentication journeys, and unacceptable transaction failure rates. Happily, that change is not far away. Innovation looks set to alleviate some of the merchant world’s biggest challenges with SCA.

We will explore what that might entail in the next blog.
