Imagine the basic rules of the road suddenly changed: instead of travelling on one side, drivers had to switch to the other. Among other consequences, you might expect a spike in accidents as motorists adjusted to the new regime.
Something similar is currently happening with online payments in Europe, says Matt Henderson, Business Lead for EMEA at Stripe, who shares his thoughts on the lessons and warnings from the recent SCA rollout.
A sweeping new regulation that dictates how customers authenticate transactions began to be fully enforced last week in the UK, completing a long rollout process that started in Europe more than two years ago. The regulation has an admirable aim – to reduce payments fraud online – but its implementation has caused collateral damage. In particular, it has added complex operational burdens and led to an uptick in the rate at which legitimate transactions end up being declined.
In order to create a payments universe that is both safe and frictionless, Stripe has been building the technology to identify and address these pitfalls.
The regulation in question is Strong Customer Authentication (SCA). It was created by the European Commission as part of a larger regulatory effort called PSD2, and it changes how European customers authenticate online payments.
The aim of SCA was to reduce fraud by having the purchaser authenticate a transaction – proving they are who they say they are – usually through a protocol named 3DSecure (3DS). The protocol, first launched in 2001, includes a process whereby a paying customer visits their issuing bank’s secure web page to verify the authenticity of the payment. Updated versions – 3DS2, 3DS2.1, and 3DS2.2 – have been released in recent years, allowing businesses to send more information to issuers so that some transactions can be completed without requiring the customer to leave the checkout page.
In effect, SCA rewrote the rules for how all the parties in a transaction – the issuing bank, the cardholder, the business, and others – need to agree in order for it to go through. If any party isn’t prepared to implement the protocol, the authentication breaks down and the transaction fails.
And as SCA has been slowly enforced across Europe, the industry has seen a lot of failed transactions. Why?
For one, we’ve learned that even when a majority of payments participants have adopted SCA standards, many transactions still end up failing. This breakdown reflects a critical feature of online payments: they are only as strong as their weakest link, so that if even one participant in a multiparty transaction doesn’t follow SCA rules, or is unable to implement the regulation correctly, the whole transaction fails.
Let’s take issuing banks as an example. They have faced significant challenges implementing SCA standards. Especially in 2020, when SCA was just beginning to be enforced in the EEA, we often saw issuing banks return generic declines for transactions that easily could have been successful if only the bank had returned a soft decline while requesting more data.
There were significant variations in the level of enforcement across each country as well – with issuers in Denmark and Spain, for instance, more likely to soft decline transactions as compared to issuers in France. In markets like Germany and Italy, cardholder enrolment into SCA-compliant solutions with their issuing banks has also been a challenge because a large proportion of customers do not have two-factor-authentication (2FA) set up.
Similarly, we’ve seen significant variation in the way issuers perform when you compare them across the new 3DS2 authentication protocol and the older 3DS1 version. Some banks authenticate more transactions with 3DS2, which is what you’d hope for with an updated protocol. But in 2021, almost half actually performed better with the older 3DS1 version. The variance was so large that Stripe built a way to dynamically switch between 3DS1 and 3DS2 protocols depending on the issuer in the transaction.
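The two issuer behaviours described above, a soft decline that asks for authentication versus a generic decline that gives the merchant nothing to act on, and a per-issuer choice between 3DS1 and 3DS2 based on observed authentication outcomes, can be sketched in merchant-side code. The example below is added here for illustration; it is not Stripe's code or any card network's API. The response codes, issuer names, the `ProtocolSelector` class and the `attempt_payment` function are all constructed assumptions.

```python
"""Constructed merchant-side handling of issuer SCA responses (hypothetical).

Response codes, issuer names and behaviour are invented for illustration;
they are not Stripe's API or any card scheme's real response codes.
"""
from collections import defaultdict

# Constructed issuer response codes
APPROVED = "approved"
GENERIC_DECLINE = "do_not_honor"           # gives no hint; nothing to retry with
SOFT_DECLINE = "authentication_required"   # issuer wants SCA, then a retry


class ProtocolSelector:
    """Tracks per-issuer authentication outcomes for 3DS1 and 3DS2 and picks
    the version that has authenticated more often with that issuer.
    Defaults to 3DS2 until both versions have enough observations."""

    def __init__(self, min_samples: int = 20):
        self.min_samples = min_samples
        # issuer -> protocol -> [authenticated, attempted]
        self._stats = defaultdict(lambda: {"3ds1": [0, 0], "3ds2": [0, 0]})

    def record(self, issuer: str, protocol: str, authenticated: bool) -> None:
        counts = self._stats[issuer][protocol]
        counts[0] += int(authenticated)
        counts[1] += 1

    def success_rate(self, issuer: str, protocol: str) -> float:
        ok, total = self._stats[issuer][protocol]
        return ok / total if total else 0.0

    def choose(self, issuer: str) -> str:
        stats = self._stats[issuer]
        if min(stats["3ds1"][1], stats["3ds2"][1]) < self.min_samples:
            return "3ds2"  # prefer the newer protocol until data says otherwise
        better_3ds1 = self.success_rate(issuer, "3ds1") > self.success_rate(issuer, "3ds2")
        return "3ds1" if better_3ds1 else "3ds2"


def attempt_payment(issuer, authorize, authenticate, selector):
    """Run one payment against a (simulated) issuer.

    authorize(authenticated: bool) -> issuer response code
    authenticate(protocol: str) -> True if the cardholder completed the challenge
    Returns (outcome, protocol_used).
    """
    first = authorize(authenticated=False)  # try without a challenge first
    if first == APPROVED:
        return ("approved", None)
    if first != SOFT_DECLINE:
        # A generic decline carries no signal that SCA would help: the sale is lost.
        return ("declined", None)
    # Soft decline: the issuer wants SCA, so challenge and retry.
    protocol = selector.choose(issuer)
    authenticated = authenticate(protocol)
    selector.record(issuer, protocol, authenticated)
    if not authenticated:
        return ("authentication_failed", protocol)
    second = authorize(authenticated=True)
    return ("approved" if second == APPROVED else "declined", protocol)


# --- Constructed simulation helpers -------------------------------------------

def make_issuer(first_response: str):
    """Issuer that returns first_response unauthenticated and approves after SCA."""
    return lambda authenticated: APPROVED if authenticated else first_response


def seed_selector(selector: ProtocolSelector, issuer: str, ok_3ds1: int, ok_3ds2: int, n: int) -> None:
    """Record n constructed attempts per protocol with the given success counts."""
    for i in range(n):
        selector.record(issuer, "3ds1", i < ok_3ds1)
        selector.record(issuer, "3ds2", i < ok_3ds2)


if __name__ == "__main__":
    sel = ProtocolSelector()
    # Constructed history: this issuer authenticates better with 3DS1 (20/25 vs 12/25)
    seed_selector(sel, "bank_a", ok_3ds1=20, ok_3ds2=12, n=25)
    print(attempt_payment("bank_a", make_issuer(SOFT_DECLINE), lambda p: True, sel))
    print(attempt_payment("bank_b", make_issuer(GENERIC_DECLINE), lambda p: True, sel))
```

The selector only departs from 3DS2 once both versions have a minimum number of observations for that issuer, so a handful of early failures does not flip the routing; the generic-decline branch shows why a soft decline is the useful signal for the merchant.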
Issuing banks are just one party in any transaction, and additional challenges come when different parties have to observe the new rules in tandem. Here’s one important example: over the last two years we’ve observed that when it comes to authenticating transactions, the type of device you authenticate from matters. SCA transactions initiated from a mobile device are 3% less likely to succeed than those originating from a desktop computer. This gap indicates that the process of redirecting mobile users to their banking app for authentication remains flawed.
While it’s clear, especially in the UK, that more issuers are correctly adopting 3DS2 along with its risk-based authentication process, there’s still a long way to go before 3DS2 becomes a successful default protocol for all issuers.
Even with these challenges, businesses get some benefit from SCA. The regulation shifts liability for disputes from businesses to issuing banks. But the costs of that benefit – measured by the number of failed payments – are still way too high. Visa estimates that 3DS transactions suffer from an 11 per cent drop in conversion rates. That’s more than one in 10 sales failing because businesses are complying with SCA.
The gradual rollout of SCA enforcement has prevented the worst outcome: businesses waking up one day to see their sales fall off a cliff. But there’s still a lot of work to do. All parts of the payments universe must now collaborate to ensure SCA achieves its goal of limiting fraud in online payments, without costing businesses sales and frustrating customers.