The Journey to Strong Customer Authentication, How it Works and its Benefits

Strong Customer Authentication (SCA) must be fully implemented across the UK by March 14th 2022. SCA and 3D Secure 2.0 are the latest measures in the industry’s response to online fraud. We look back on 2 decades of initiatives and collaboration in fighting online criminals.

The 20 year industry battle against online fraud and cyber criminals

The presence and prevalence of card and online fraud has continued to attract an industry response to the attempts of criminals to defraud customers, merchants and organisations.

It is now two decades since the Dedicated Card and Payment Crime Unit (DCPCU) was established, a police unit responsible for investigating, targeting and arresting offenders responsible for payment fraud crimes. Fully sponsored by the finance and banking industry, the unit prevented £85 million from being stolen in the first half of 2021 alone and led to the arrest of almost 70 suspected criminals.

Over the 20 years since the DCPCU’s establishment, the industry has continuously launched initiatives and developed policy and procedures.

The creation of the Fraud Intelligent Sharing System and The Financial Fraud Bureau, in 2008 and 2010 respectively, enabled cross-sector engagement to identify and stop incidences of fraud. The introduction of the Banking Protocol in 2016 empowered bank branch staff to contact police if they suspect a customer is being scammed, leading to almost 1,000 arrests so far.

Security procedures like 3D Secure, first developed in 1999 and rolled out over the following decade, also provided an extra layer of security when a customer made an online card payment.

These responses had a tangible impact as the value of internet/e-Commerce fraud decreased on UK issued cards in 2019 – for the first time within that decade – with a 9% drop when compared to 2018.

Figure: UK Finance’s ‘Fraud The Facts’ Timeline

Unprecedented Events Challenge Industry Response to Online Fraud

However, the quote, “Events, dear boy, events,” often attributed to former Prime Minister Harold Macmillan when asked to define the greatest challenge a leader, industry or organisation may face, encapsulates the situation businesses and the financial sector found themselves facing 2 years ago.

The rapid acceleration towards card, contactless and online payments because of the Covid-19 pandemic heightened the opportunity for online fraud, with criminals adapting their methods to take advantage of the jump in remote working as well as the increase in online shopping.

The value of internet/eCommerce fraud increased by 4% in 2020 to £376.5m and, with the exception of 2018 and 2019, was significantly higher than every year in the past decade.

Criminals’ exploitation of the unprecedented situation reflects the necessity of Strong Customer Authentication (SCA), which requires multi-factor authentication, for both customer and merchant.

SCA is part of the second Payment Services Directive (PSD2), which was originally due to be implemented in 2019. Following a number of extensions in the UK, the deadline for businesses to implement SCA is now set for March 14th, 2022.

Ensuring the implementation of 3D Secure is a key way for merchants to comply with the SCA requirements.

3D Secure (3DS)

The purpose of 3D Secure 1.0

Developed at the end of the 90s and implemented over the following decade, 3DS was designed to add an extra layer of protection to card-not-present transactions as e-commerce grew more popular. The cardholder was directed to a new webpage to complete an authentication challenge with a passcode or password.

Since the authentication step took place on a separate webpage, merchants did not collect cardholders’ 3DS passwords and liability for authenticating transactions was the responsibility of the card-issuing bank.

Limitations of 3D Secure 1.0

However, 3D Secure had a number of limitations, leading to a modest uptake and significant cart abandonment issues.

The additional authentication steps, the need to remember additional passwords and the redirect away from the merchant’s website all impacted online shoppers.

As well as this, the banking and financial sector has changed significantly since 3DS was initially developed. Mobile commerce was non-existent when 3DS was designed for desktop-based web browsers (over 87% of UK adults now own a smartphone), and the arrival of new online payment options has revolutionised the industry and how we make transactions.

Given these drawbacks, technological advancements and limited uptake, 3D Secure 2.0 was developed to address these issues.

3D Secure 2.0

3D Secure 2.0 creates an improved user experience by eliminating the webpage redirect issue, offers better authentication processes with far more data points verifying transactions and can be supported on all kinds of devices, as well as being integrated with mobile wallets.

Merchant support of 3DS should ensure readiness for online transactions and avoid or reduce declines after Strong Customer Authentication (SCA) is implemented.

Strong Customer Authentication (SCA)

To increase the security of electronic payments, Strong Customer Authentication (SCA) ensures that electronic payments are performed with multi-factor authentication.

How Strong Customer Authentication works

It requires cardholder data from at least two of the following categories to be provided during the authentication process:

Exemptions and risk-based authentication

Depending on the risk, amount and channel, SCA exemptions may be applied by acquirers and banks to balance fraud reduction with frictionless online shopping experiences.

The exemption for payments under €30 allows payment providers to avoid applying SCA for online payments under that value up to a certain cumulative limit. Low-risk transactions, recurring payments and whitelisted merchants can also be exempt from the SCA challenge.

It is important to note that whoever requests the SCA exemption bears the fraud liability risk.

You can find more on this and exemptions on our SCA FAQ page.

Risk based authentication also allows the issuing bank to decide whether to approve the transaction depending on the data and information it has by considering:

  • The cost of the transaction.
  • Whether the customer has purchased from the merchant before.
  • The customer’s transaction history.
  • The customer’s behavioral history.
  • Information about the customer’s device.

The transaction may therefore be approved without the SCA challenge if there is enough information to verify the transaction.
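The exemption and liability rules described above can be written as a small decision function. This is an added example, not code from the original page or from any payment provider; the names `Payment`, `CardCounters` and `decide` are hypothetical, and the cumulative limits are assumed values taken from the PSD2 low-value exemption because the page does not state them.

```python
from dataclasses import dataclass

# Assumed limits, in euro cents. The page states only "under €30 ... up to a
# certain cumulative limit"; the cumulative figures below are the PSD2 RTS
# low-value values and should be treated as configurable.
LOW_VALUE_CENTS = 3000
CUMULATIVE_CENTS = 10000
MAX_EXEMPT_IN_A_ROW = 5

@dataclass
class Payment:
    amount_cents: int
    recurring: bool = False
    merchant_whitelisted: bool = False
    low_risk: bool = False        # result of the requester's risk analysis
    requester: str = "acquirer"   # party asking for the exemption

@dataclass
class CardCounters:
    spent_since_sca: int = 0      # cents exempted as low-value since last SCA
    exempt_since_sca: int = 0     # low-value exemptions since last SCA

def decide(p: Payment, c: CardCounters) -> dict:
    """Return whether an SCA challenge is needed and who carries fraud liability."""
    exemption = None
    if p.merchant_whitelisted:
        exemption = "whitelisted_merchant"
    elif p.recurring:
        exemption = "recurring_payment"
    elif (p.amount_cents < LOW_VALUE_CENTS
          and c.spent_since_sca + p.amount_cents <= CUMULATIVE_CENTS
          and c.exempt_since_sca < MAX_EXEMPT_IN_A_ROW):
        exemption = "low_value"
        c.spent_since_sca += p.amount_cents
        c.exempt_since_sca += 1
    elif p.low_risk:
        exemption = "low_risk"

    if exemption is None:
        # Challenge the cardholder; a completed SCA resets the counters.
        # Simplification: liability is shown as resting with the issuer.
        c.spent_since_sca = 0
        c.exempt_since_sca = 0
        return {"sca_required": True, "exemption": None, "liability": "issuer"}
    # Whoever requests the exemption bears the fraud liability.
    return {"sca_required": False, "exemption": exemption, "liability": p.requester}
```

Keeping the counters per card is what stops a run of small payments from bypassing the challenge indefinitely: the fourth €28 payment in a row exceeds the assumed cumulative limit and triggers SCA.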

Merchants and customers to feel the benefits of SCA

While, as with any new technology and systems, it may take time for merchants and customers to become familiar with the SCA process, it will enable a better customer experience across all payment devices and channels.

SCA will lead to:

  • increased consumer confidence in e-Commerce environments, encouraging greater numbers to buy online.
  • a reduction in fraud and chargebacks and fraud-related liability protection for merchants when SCA is applied to a transaction.
  • improved user experience with better data flow and use of exemptions allowing for potentially fewer authentication challenges, resulting in reduced cart abandonment rates.

UK businesses to become SCA compliant by March 14th

Given the steep increase in online/eCommerce fraud as consumers significantly increased their familiarity with online shopping over the past two years, the need for SCA is evident.

The full implementation of SCA across the UK by March 14th will mark the next step for regulatory authorities, along with the financial and banking industry, in tackling online fraud and offering better protection for merchants and online shoppers.

