The Strong Customer Authentication (SCA) era is upon us. SCA is a key requirement of the PSD2 directives. Its main objective is to protect consumers and institutions in the EEA and the UK from fraudulent electronic payment transactions. However, the most sophisticated fraudsters have already started adapting to SCA. How can online merchants or financial institutions keep those fraudsters from thriving? Let’s explore.
SCA – A Quick Recap
SCA is a European regulatory requirement. Under this regulation, banks or payment service providers must ask consumers for at least two authentication factors based on the following elements:
- Something that only the consumer knows (knowledge – e.g., password).
- Something that only the user possesses (possession – e.g., mobile phone).
- Something the user is (inherence – e.g., facial biometric data).
There are exceptions where SCA isn’t mandatory. For example, transactions under €30 or those made by regular subscribers can be exempted from these steps. By following SCA, online merchants can make sure that their consumers are fully informed and making active decisions to authorize payment transactions.
Although some critics argue that strong authentication is a complicated compliance exercise, the general feeling is that it can be a driver for innovation.
- With SCA, utilizing new services like spending analytics, top-up/pre-paid credit cards, etc., becomes easier for merchants.
- SCA is a convenient locking system for consumers who want to protect their money. Getting this multi-factor lock that’s easy to use makes online shopping more secure.
- SCA necessitates digital identity verification; for legitimate shoppers, it can deliver fantastically convenient online shopping experiences, whereas, for fraudsters, the challenges are more complex.
Evolving Fraud Challenges in the Era of SCA
Just like every business owner in the world, fraudsters keep investing in new technologies to keep up with these changes. They, too, want to stay profitable, so even in the SCA era, fraudsters are busy honing their tools and techniques. As long as consumers and merchants are not up to date, they’ll keep discovering new abnormalities like:
- Since transactions below €30 are considered ‘low-value’ as per SCA regulations, many fraudsters are reducing their cart sizes to €29. So, merchants must make sure their fraud detection tools are flagging such fishy transactions.
- Many merchants in the UK and the EEA have reported seeing non-UK and non-EEA-issued cards used for fraud attempts. Such foreign transaction attempts are considered out of scope for SCA. They’re also known as one-leg-out (OLO) transactions.
- Although the use of promo codes for transactions has always been considered safe, in the SCA era, the people using these codes are often not cost-conscious consumers – they’re fraudsters. For example, a promo code can be used in a fraudulent transaction to reduce the cart size below €30.
- Even though EMV 3DS is currently available, fraudsters are already attempting to imitate genuine customer behavior while shopping from mobile devices. So, having a fraud prevention strategy that’s optimized for mobile traffic is vital.
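As an added illustration (not part of the original article or of any vendor's product), the sketch below shows how a merchant-side rule set could flag the first three patterns above over a batch of orders. The field names, the €2 "just under the limit" band, the repeat count of three, and the partial issuer-country list are all assumptions chosen for the example.

```python
from collections import Counter
from dataclasses import dataclass

LOW_VALUE_LIMIT = 30.00  # EUR low-value threshold cited in the article
NEAR_BAND = 2.00         # assumption: "just under" = within EUR 2 of the limit
REPEAT_LIMIT = 3         # assumption: near-limit orders per card before escalating
IN_SCOPE_ISSUERS = {"DE", "FR", "ES", "IT", "NL", "IE", "GB"}  # illustrative subset

@dataclass
class Txn:
    txn_id: str
    card: str            # tokenised card reference (hypothetical field)
    issuer_country: str  # ISO country code of the card issuer
    cart_total: float    # cart value before any promo code
    discount: float      # value taken off by a promo code

    @property
    def charged(self) -> float:
        return round(self.cart_total - self.discount, 2)

def near_limit(t: Txn) -> bool:
    return LOW_VALUE_LIMIT - NEAR_BAND <= t.charged < LOW_VALUE_LIMIT

def flag(txns):
    """Return {txn_id: [reasons]} for orders matching the patterns above."""
    near_per_card = Counter(t.card for t in txns if near_limit(t))
    flags = {}
    for t in txns:
        reasons = []
        if near_limit(t):
            reasons.append("just_under_low_value_limit")
            if near_per_card[t.card] >= REPEAT_LIMIT:
                reasons.append("repeated_near_limit_on_card")
        # Promo code is what moved the order below the threshold.
        if t.discount > 0 and t.cart_total >= LOW_VALUE_LIMIT > t.charged:
            reasons.append("promo_pushed_below_limit")
        # Card issued outside the UK/EEA: one-leg-out, out of scope for SCA.
        if t.issuer_country not in IN_SCOPE_ISSUERS:
            reasons.append("one_leg_out_issuer")
        if reasons:
            flags[t.txn_id] = reasons
    return flags

# Constructed sample orders, not real transaction data.
SAMPLE = [
    Txn("t1", "card-A", "DE", 29.00, 0.00),
    Txn("t2", "card-A", "DE", 29.50, 0.00),
    Txn("t3", "card-A", "DE", 34.99, 5.99),
    Txn("t4", "card-B", "US", 120.00, 0.00),
    Txn("t5", "card-C", "FR", 18.40, 0.00),
]
```

Flags like these are inputs to a risk decision (for example, declining to request an exemption for the order), not proof of fraud on their own.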
Many merchants are developing strong SCA exemption strategies. They want as many transactions as possible on their platforms to be exempted from SCA analysis. That’s because they want the shopping experiences to be fast. But cybercriminals who commit account takeover fraud (ATO) see this as a weakness and prey on consumers’ payment accounts.
The Definite Solution
So, even in the era of SCA, the threat of fraudsters still looms large. The main threats in this current environment are ATO and false transaction requests. But, the best cyber-fraudsters always monitor trends and adapt their strategies as per major regulatory changes or changes in eCommerce security software tools.
Thankfully, there are Machine Learning or ML-powered account takeover fraud prevention tools that also evolve with these evolving fraud threats. These tools use “Device Intelligence” to detect account takeover or false transaction attempts. Basically, these types of software tools analyze the shopper’s device (and all identities associated with the device).
Then, the tool assesses all recent transactions made by the customer across various digital channels. Whether you make these transactions from mobile applications or via mobile/desktop browsers doesn’t matter. These tools verify the real identity of every shopper.
If the results are negative, the risks can be mitigated in real-time. If not, the customer experience is not hampered at all as these software tools make complicated decisions in real-time. Some other ways to mitigate fraud in the era of SCA include:
- Make sure your fraud prevention tool is compliant with the SCA process.
- Adopt highly strategized approaches to exemptions, out-of-scope transactions, and bans.
- Reach out to consumers, payment service providers (PSPs), and also fraud management professionals for additional help and advice from time to time.
Account takeover (ATO) fraud attempts increased by 282% between Q2 2019 and Q2 2020. Oddly enough, that was the time period when almost every business in the EEA was starting to become SCA-compliant. That’s why merchants must use the best account takeover fraud prevention tools, even in the era of SCA!