Yes, PSD2 advocates Strong Customer Authentication, but what does that really mean for the stakeholders? SCA demands authorization which involves two out of three secure elements, namely: possession, knowledge, and inherence. Regardless of the methods chosen, PSD2 brought another tool to increase security measures as well as improve the end-user experience: Risk-Based Authentication. PSD2 makes it clear that the strength of authentication should correspond to the level of risk for a given transaction.
Having this in mind, PSD2 and corresponding Regulatory Technical Standards on Strong Customer Authentication specified that SCA exemptions can be applied. The prerequisite to apply any of the exempted scenarios is to conduct transaction risk analysis, deeming a transaction either high, medium, or low risk. Such analysis can be as simple as a Low-Value Payment which presumes that transactions below 30 EUR, even in cases of fraud, pose a low risk and low financial impact.
For non-low-value payment transactions, a more sophisticated risk scoring needs to be done on the issuer side. Mentioned risk analysis should consider the usual end-user behavior, their habits, channels and devices they use, common geolocation, known delivery addresses, and more. On the other hand, issuers also need to track relevant merchants, meaning their fraud rate, blacklists, risky currencies, etc. As expected, sophisticated risk analysis requires advanced risk scoring solutions.
The main issuer's concerns are fraud costs and chargeback liability. With 3D Secure 2, acquirers and merchants were granted a liability shift to the issuer side. Therefore, issuing banks favor SCA for apparent reasons. It protects them and the cardholders from a wide range of fraudulent online payment activities.
Since merchants are much more fond of frictionless transactions than issuers, PSD2 and the recent 3D Secure protocol enable merchants and acquirers to communicate their authentication preferences in the 3DS transaction flow. However, this does not mean that the user is not authenticated. Merchants who opt for this approach trust that the buyer can be trusted if they sign in to the merchant's web or mobile shop, i.e. the buyer is authenticated during login to the web or mobile shop. This is not considered Strong Customer Authentication. Still, taking into account transaction amount, common delivery address, type of purchased goods or services, used card data (which is usually stored in the webshop, hopefully following the PCI DSS rules), merchants can be quite sure that the buyer is known and can be trusted. Demanding additional authentication by the issuer usually makes end-users irritated and unsatisfied with the lengthy transaction authentication process.
Additionally, if the issuer approves an SCA transaction based on the merchant exemption, in case of fraud, merchant is the one that takes the liability for chargeback costs.
Different regions, merchants, and goods and services result in different buyer preferences when it comes to SCA or SCA exemption. The best option is to let the buyers decide for themselves. With the introduction of Merchant Whitelist in 3D Secure 2.1, which is additionally enhanced in 3D Secure 2.2, buyers are able to choose trusted merchants in order to avoid SCA. Prior, issuing bank analyzed eligible merchants and listed them to be included in the SCA exemption. Contrary to Merchant exemption preference, liability shift for fraud costs and chargebacks is moved to the issuer side. To minimize this risk, Merchant Whitelist eligible candidates also need to be assessed from the risk perspective, using advanced risk scoring solutions regarding the merchant fraud rate.
Biometry is the most applicable, most user-friendly, and the most secure authentication method when talking about 3D Secure authentication in online payments. This is recognized by card schemes, as MC and VISA introduced KPIs for issuers to measure biometry authentication rates. As Juniper research states, already in 2019, facial recognition software was deployed on around 96 million mobiles, forecasting that biometric facial recognition will be present in 90% of smartphones by 2024, making biometric authentication widely applicable. Implementation of biometry solves Dynamic linking as required by PSD2. In the end, applying biometrics is extremely fast and straightforward when combined with push notification during online payment authentication.