We've already explained how we got here. Once fully implemented, merchants, acquirers, and issuers will have to use SCA for e-commerce card payments in the European market. SCA requires at least two of the following independent authentication factors:
- Possession: Something only the customer owns (like a payment card, mobile phone, or "device-bound" web browser)
- Knowledge: Something only the customer knows (like a password, PIN, or knowledge-based challenge questions)
- Inherence: Something the customer inherently is (like a fingerprint or other biometric impression)
The merchant itself never handles the PIN, passcode, or biometric: its checkout must hand the transaction to an authentication step in which the issuer challenges the cardholder and verifies two such factors to its own satisfaction; otherwise, the issuer will decline the transaction.
Friction for Merchants
SCA's purpose is to reduce fraudulent transactions. But any additional step in the checkout process amounts to friction, which leads to reduced conversion, that is, online shopping cart abandonment. Many e-commerce merchants already authenticate customers for their own user accounts, but a login to the merchant's account does not satisfy SCA, because the issuer, not the merchant, must verify the factors. Requiring customers to authenticate a second time, at checkout, is therefore problematic, and any savings from decreased fraud might be offset by lower conversion rates.
Built-in Regulatory Relief?
In recognition of potential friction, the SCA standards provide for several exemptions that relieve merchants of their obligations to obtain SCA. In theory, the exemptions will minimize friction by limiting the number of times SCA is required, but in practice, the exemptions' effects may be modest. For example:
- Low-value transactions. An issuer may skip SCA for a remote transaction of €30 or less, but only while the cardholder's cumulative exempt spend since the last SCA stays within €100 (or, at the issuer's option, the count of consecutive exempt transactions stays within five). Those counters live on the issuer's side, so the only way for a merchant to know whether this exemption will apply to a given transaction is to ask the issuer, a process not significantly less onerous than SCA itself.
- Low-risk transactions. Under the transaction risk analysis (TRA) exemption, an acquirer may ask an issuer to waive SCA for its merchants' transactions, based on the acquirer's aggregate fraud rate across all of its merchants; the lower that rate, the higher the transaction value (€100, €250, or €500) the exemption can cover. Merchants necessarily have little influence over whether this relief is available and are effectively at the mercy of their acquirer (and its other merchants).
- Whitelisted merchants. Issuers may allow their cardholders to whitelist preferred merchants (the "trusted beneficiaries" of the regulation), so that after the initial SCA, further SCA is unnecessary unless the cardholder removes the merchant from the whitelist. However, issuers are not required to offer this feature, so merchants have no influence over whether this relief is available either.
Exemptions come with their own risks, too. When an exemption is requested by the merchant or its acquirer rather than applied by the issuer, fraud liability follows the exemption: the merchant will be responsible for fraud-related chargebacks on those transactions, forfeiting the liability shift to the issuer that authenticated transactions enjoy.
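To make the exemption mechanics concrete, here is an added illustration (not code from this article, nor from any issuer or card scheme) of the decision an issuer makes for each card-not-present transaction, using the euro thresholds from the RTS. The data model, function names, liability labels, evaluation order, and sample transactions are assumptions made for this example. It shows why the low-value exemption is unpredictable from the merchant's side: the counters that drive it exist only at the issuer, and the same €25 purchase is exempt five times and challenged the sixth.

```python
"""
Issuer-side exemption decision for a card-not-present payment under the PSD2
RTS on SCA (Articles 13, 16 and 18).  Added illustration for this article; it is
not any issuer's, scheme's or processor's implementation.

The euro thresholds are the ones in the RTS.  The data model, function names,
liability labels, evaluation order and sample transactions are assumptions.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# Art. 16: low-value remote transactions.
LOW_VALUE_MAX = Decimal("30")              # single transaction <= EUR 30
LOW_VALUE_CUMULATIVE_MAX = Decimal("100")  # previous exempt spend since last SCA <= EUR 100

# Art. 18 / Annex: value ceiling unlocked by the acquirer's reference fraud rate (percent).
TRA_THRESHOLDS = (
    (Decimal("0.01"), Decimal("500")),
    (Decimal("0.06"), Decimal("250")),
    (Decimal("0.13"), Decimal("100")),
)


@dataclass
class CardState:
    """Counters the issuer keeps per card.  The merchant never sees them, which
    is why it cannot predict whether the low-value exemption will apply."""
    cumulative_since_sca: Decimal = Decimal("0")
    trusted_merchants: set = field(default_factory=set)  # Art. 13 whitelist


def tra_ceiling(fraud_rate_pct):
    """Highest transaction value the acquirer's fraud rate allows under TRA, or None."""
    rate = Decimal(str(fraud_rate_pct))
    for max_rate, ceiling in TRA_THRESHOLDS:
        if rate <= max_rate:
            return ceiling
    return None  # fraud rate too high: TRA exemption unavailable at any value


def decide(state, amount, merchant_id, tra_requested=False, acquirer_fraud_rate_pct="1"):
    """Return (decision, party_liable_for_fraud) and update the card's counters.

    Assumed evaluation order: issuer-applied exemptions (trusted beneficiary,
    low value) first, then the acquirer-requested TRA exemption, then SCA.
    When the issuer applies an exemption it keeps fraud liability; when it
    honours the acquirer's TRA request, liability follows the exemption to the
    acquirer (and, by contract, its merchant).
    """
    amount = Decimal(str(amount))

    if merchant_id in state.trusted_merchants:
        state.cumulative_since_sca += amount
        return ("EXEMPT_TRUSTED_BENEFICIARY", "issuer")

    if amount <= LOW_VALUE_MAX and state.cumulative_since_sca <= LOW_VALUE_CUMULATIVE_MAX:
        state.cumulative_since_sca += amount
        return ("EXEMPT_LOW_VALUE", "issuer")

    if tra_requested:
        ceiling = tra_ceiling(acquirer_fraud_rate_pct)
        if ceiling is not None and amount <= ceiling:
            state.cumulative_since_sca += amount
            return ("EXEMPT_TRA", "acquirer/merchant")

    # No exemption fits: the issuer challenges the cardholder for two factors,
    # and the low-value counter starts over from the point of this SCA.
    state.cumulative_since_sca = Decimal("0")
    return ("SCA_REQUIRED", "issuer")


def run_sample():
    """Constructed walk-through: six EUR 25 purchases at one merchant, then a
    EUR 180 purchase for which the acquirer (fraud rate 0.05%) requests TRA."""
    state = CardState()
    trail = [decide(state, "25", "shop-a")[0] for _ in range(6)]
    tra = decide(state, "180", "shop-a", tra_requested=True, acquirer_fraud_rate_pct="0.05")
    return trail, tra


if __name__ == "__main__":
    trail, tra = run_sample()
    for i, d in enumerate(trail, 1):
        print(f"EUR 25 purchase #{i}: {d}")
    print(f"EUR 180 purchase with TRA request: {tra}")
```

The walk-through is deliberately ordinary: nothing about the sixth €25 purchase differs from the first five except a counter the merchant cannot read, and the €180 purchase is waved through only because the acquirer's fraud rate sits under the 0.06% step that unlocks the €250 ceiling. Raise the rate to 0.2% and the same transaction falls back to a challenge.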
SCA in the USA?
Importantly, for U.S.-based e-commerce merchants, "one-leg-out" transactions (where either the cardholder's issuer or the merchant's acquirer, but not both, is in the European Union) are not subject to SCA. So U.S.-based merchants selling to EU customers are exempt, for now.
But we think that will change. For one, the European Union's efforts have already spread to other countries. Already, Australia, Turkey, and Mexico have adopted, or are actively considering, SCA regimes. And should a country subject one-leg-out transactions to SCA standards, it could ensnare U.S. merchants too.
Second, even in the United States, the card brands are already moving voluntarily, for example by adopting EMVCo's 3-D Secure 2.0 protocol ("3DS2"), the channel through which card-not-present SCA is delivered, for both browser and mobile-app checkouts. The incoming administration's Consumer Financial Protection Bureau might well take on SCA as part of a broader consumer protection regulatory focus. And change need not come from the federal government. GDPR is a good example: California, with its California Consumer Privacy Act, has brought GDPR-style data privacy obligations into U.S. law ahead of any federal statute. A state-level payment authentication regime is hardly a stretch.
If SCA is an inevitability in the United States, then merchants and payment processors should start preparing. The 3DS2 protocol is an obvious starting point, since it was designed to carry the device and transaction data and the challenge flow SCA requires, and it can be relatively low-friction: when the issuer's risk analysis is satisfied by the data the merchant passes along, the cardholder is authenticated without a visible challenge. E-commerce merchants should begin working with their processors to ensure availability of 3DS2 on their platforms.
More fundamentally, though, merchants should begin assessing their customer payment profiles (especially merchants whose transactions would qualify as low-value) and evaluate the card fraud profile of their payment processors, since an acquirer whose fraud rate stays under the TRA thresholds can request the exemption for all of its merchants' transactions up to the matching value ceiling. It will be interesting to see how U.S.-based processors handle the low-risk transactions exemption on behalf of their merchant clients. We expect that larger e-commerce merchants with negotiating leverage over their processors will be the first to bargain for contractual concessions that protect the availability of any low-risk transactions exemption.