Whitepaper - Strong Customer Authentication (SCA) and exemptions

Ravelin and the changing payments landscape

Ravelin’s mission is to secure the future of e-commerce by helping merchants and payments providers stay ahead in the battle against fraudsters. Alongside fraud detection there are a number of imminent industry initiatives which warrant careful consideration.

In this short series of guides we will distill the most salient pieces of information for anyone in the industry to build a comprehensive payments and fraud strategy in this new landscape.

What is Strong Customer Authentication?

The Second Payment Services Directive (PSD2) certainly covers a lot of ground, but one important requirement is that:

"strong customer authentication […] should be applied each time a payer […] initiates an electronic payment transaction"

Where Strong Customer Authentication (SCA) is defined as:

"authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others"

Prima facie, this means that all electronic payments where both the payer's and the payee's payment service providers are in the European Economic Area now need SCA, which in practice for online card payments means 3D Secure - a technology so notoriously poor for conversion that most sophisticated merchants deploy it selectively for only the riskiest of transactions.

Element      Explanation                    Example                     Something you can...
Knowledge    Something only the user knows  Password, Card CVV2         Forget
Possession   Something only the user has    One-time code or device     Lose
Inherence    Something the user is          Fingerprint or retina scan  Have chopped off

Note that the EBA's June 2019 Opinion on the elements of SCA clarified that details printed on the card, such as the card number, expiry date and CVV2, do not qualify as a knowledge element, so a CVV2 alone cannot supply the "knowledge" half of a compliant pair.

Exemptions from Strong Customer Authentication

When this requirement was first floated by the European Banking Authority (EBA), they got more than they bargained for when the Payments Industry strenuously objected to this regressive and unnecessary stance.

The outcry prompted a concession from the regulators: Exemptions.

Thankfully, there are three exemptions defined in the EBA's Regulatory Technical Standards (RTS) which are currently relevant to online card payments. The RTS defines further exemptions (for example trusted beneficiaries, contactless payments, unattended terminals for transport fares and parking fees, and secure corporate payment processes) which are not covered in this guide.

Low Value Transactions

If a transaction is under €30, the Acquirer may seek an exemption from SCA from the Issuer on the grounds that the transaction is of Low Value. On the face of it this seems great news, but there are a few catches within.

First are the caveats given by the EBA in Article 16 of the Regulatory Technical Standards (RTS):

Payment service providers shall be allowed not to apply strong customer authentication, where the payer initiates a remote electronic payment transaction provided that the following conditions are met:

  • (a) the amount of the remote electronic payment transaction does not exceed EUR 30; and
  • (b) the cumulative amount of previous remote electronic payment transactions initiated by the payer since the last application of strong customer authentication does not exceed EUR 100; or
  • (c) the number of previous remote electronic payment transactions initiated by the payer since the last application of strong customer authentication does not exceed five consecutive individual remote electronic payment transactions.

Crucially, these running counters for cumulative amount and number of previous transactions are held by the Issuer of the payment instrument. This is a major problem as the Merchant has no idea for a given transaction whether or not the transaction will qualify for the Low Value exemption.
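The counter logic is easier to reason about once it is written down. The Python model below is an added illustration, not Ravelin's code or any issuer's implementation: the IssuerCounters class, the simulate helper and the sample sequence of amounts are constructed here. It follows the literal text of Article 16 (condition (a) must hold, then (b) or (c) suffices, and the limits in (b) and (c) are measured over previous transactions since the last SCA).

```python
"""Issuer-side model of the PSD2 RTS Article 16 low-value exemption.

Added example; the class, the helper and the sample data are assumptions
made for illustration and are not taken from the whitepaper.
"""
from __future__ import annotations

from dataclasses import dataclass

LOW_VALUE_LIMIT_EUR = 30.0     # Art 16(a): ceiling for a single transaction
CUMULATIVE_LIMIT_EUR = 100.0   # Art 16(b): sum of previous transactions since last SCA
COUNT_LIMIT = 5                # Art 16(c): number of previous transactions since last SCA


@dataclass
class IssuerCounters:
    """Per-card running counters held by the issuer (hypothetical model).

    The merchant never sees these values, which is why it cannot predict
    whether a given transaction will be granted the exemption.
    """
    cumulative_since_sca: float = 0.0
    count_since_sca: int = 0

    def low_value_eligible(self, amount_eur: float) -> bool:
        """Literal reading of Art 16: (a) must hold, then (b) or (c).

        (b) and (c) are expressed over *previous* transactions, so the current
        amount is compared with the EUR 30 ceiling but not added to the running
        totals before the check. An issuer may count more conservatively; the
        merchant cannot tell which.
        """
        if amount_eur > LOW_VALUE_LIMIT_EUR:          # (a) fails: never exempt
            return False
        within_amount = self.cumulative_since_sca <= CUMULATIVE_LIMIT_EUR  # (b)
        within_count = self.count_since_sca <= COUNT_LIMIT                 # (c)
        return within_amount or within_count

    def record(self, amount_eur: float, sca_applied: bool) -> None:
        """Update the counters once the transaction has been authorised."""
        if sca_applied:
            # Any application of SCA resets both running counters.
            self.cumulative_since_sca = 0.0
            self.count_since_sca = 0
        else:
            self.cumulative_since_sca += amount_eur
            self.count_since_sca += 1


def simulate(amounts: list[float]) -> list[str]:
    """Run a sequence of remote card transactions on one card.

    Returns the issuer's per-transaction outcome: "exempt" when the low-value
    exemption is granted, "sca" when it is refused and SCA is applied (which
    also resets the counters).
    """
    state = IssuerCounters()
    outcomes: list[str] = []
    for amount in amounts:
        if state.low_value_eligible(amount):
            outcomes.append("exempt")
            state.record(amount, sca_applied=False)
        else:
            outcomes.append("sca")
            state.record(amount, sca_applied=True)
    return outcomes


# Constructed sample: integer euro amounts so the running sums stay exact.
SAMPLE_AMOUNTS = [20.0, 45.0, 20.0, 25.0, 29.0, 30.0, 30.0, 30.0, 30.0, 20.0]

if __name__ == "__main__":
    for amount, outcome in zip(SAMPLE_AMOUNTS, simulate(SAMPLE_AMOUNTS)):
        print(f"EUR {amount:6.2f} -> {outcome}")
```

In the sample the last two EUR 30 transactions look identical from the merchant's side, yet the first is exempt and the second is refused: the card had by then exceeded both the EUR 100 cumulative limit and the five-transaction count, and only the issuer knew it.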

The second problem is that Low Value Transactions are not necessarily Low Risk. Fraudsters do not make exclusively high value purchases online, and since other SCA exemptions rely on having low fraud rates across the board neither Merchants nor Acquirers can risk hoping that all transactions under €30 will be fraud free.

Verdict: When the fraud risk and eligibility uncertainty of the Low Value Transaction exemption are combined it looks increasingly unattractive.

Recurring transactions

When a series of recurring transactions of constant value (for example, a Netflix subscription paid on card) is first set up, SCA is required but each subsequent billing attempt is exempt.

Verdict: Given the lack of cardholder in the loop for recurring billing attempts this is a no-brainer as long as the transaction is the same value each time.

There's still fraud risk on recurring transactions, so best practice is to enforce SCA on the initial setup rather than attempting to exempt it.

Low Risk Transactions

Transactions that pose a low level of risk may be exempt from Strong Customer Authentication provided the Acquirer's aggregate portfolio fraud rate is below defined thresholds and the Transaction Risk Analysis employed complies with defined factors.

Reference Fraud Rates

For a particular transaction value, the fraud rate of the Acquirer's whole portfolio, calculated over the preceding quarter, must be at or below the Reference Fraud Rate:

Exemption Threshold Value   Reference Fraud Rate (%) for remote electronic card-based payments
EUR 100                     0.13%
EUR 250                     0.06%
EUR 500                     0.01%
> EUR 500                   No exemption

Risk Analysis Techniques

The Regulatory Technical Standards (RTS) define payments as posing a low level of risk where:

[…] payment service providers as a result of performing a real time risk analysis have not identified any of the following:

  • (i)  abnormal spending or behavioural pattern of the payer;
  • (ii) unusual information about the payer's device/software access;
  • (iii) malware infection in any session of the authentication procedure;
  • (iv) known fraud scenario in the provision of payment services;
  • (v)  abnormal location of the payer;
  • (vi) high-risk location of the payee.

[…] shall take into account at a minimum, the following risk-based factors:

  • (a) the previous spending patterns of the individual payment service user;
  • (b) the payment transaction history of each of the payment service provider's payment service users;
  • (c) the location of the payer and of the payee at the time of the payment transaction in cases where the access device or the software is provided by the payment service provider;
  • (d) the identification of abnormal payment patterns of the payment service user in relation to the user's payment transaction history.

The assessment made by a payment service provider shall combine all those risk-based factors into a risk scoring for each individual transaction to determine whether a specific payment should be allowed without strong customer authentication.

Verdict: The Reference Fraud Rates are very ambitious and the minimum set of analysis criteria extensive, but the Transaction Risk Analysis exemption offers a sensible and achievable method for online businesses to preserve the smooth user experience expected by cardholders whilst remaining compliant with PSD2's bold security objectives.

Who triggers exemptions?

PSD2 applies to 'regulated payment service providers', which in online card payments means Issuing and Acquiring Banks. The legislation is clear that whoever requests or triggers an exemption is liable for any resulting fraud.

The most likely party to request an exemption is the Acquiring Bank since they represent the Merchant and it's the Merchants who want to avoid SCA. So, if a SCA-exempted transaction turned out to be fraudulent then the Issuer would pass the cost of that fraud back to the Acquirer.

The EBA have been very clear that the ability to trigger exemptions by Acquirers is tied to the fraud rate of the whole portfolio:

"The fraud rate […] is calculated for all credit transfer transactions and all card payment transactions and cannot be defined per individual payee (e.g. merchant) or per channel (whether app or web interface). The fraud rate that determines whether or not a PSP qualifies for the SCA exemption cannot be calculated for specific merchants only, i.e. where the payer wants to make a payment to a specific merchant and this specific merchant has a fraud risk that is below the threshold."

This means that Acquirers must work hard to attract and retain low risk Merchants in their portfolio so their aggregate fraud rate is below as many of the fraud rate thresholds as possible.
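To make concrete how the Reference Fraud Rate table above and the portfolio-wide rule in the EBA quotation combine, here is an added Python model. It is not Ravelin's code nor any acquirer's: the Txn type, the merchant names and the sample quarter are constructed for illustration. The fraud rate is computed the way the RTS requires, as the value of fraudulent remote card transactions over the value of all remote card transactions, across the whole portfolio.

```python
"""Transaction Risk Analysis eligibility from an acquirer's portfolio fraud rate.

Added example; the data type, helpers and sample portfolio are assumptions
made for illustration and are not taken from the whitepaper.
"""
from __future__ import annotations

from dataclasses import dataclass

# RTS Annex: exemption threshold value (ETV) -> reference fraud rate (%) for
# remote electronic card-based payments, highest tier first.
REFERENCE_FRAUD_RATES = [
    (500.0, 0.01),
    (250.0, 0.06),
    (100.0, 0.13),
]


@dataclass(frozen=True)
class Txn:
    merchant: str
    amount_eur: float
    fraudulent: bool  # reported as unauthorised or fraudulent in the quarter


def fraud_rate_pct(txns: list[Txn]) -> float:
    """Value-based fraud rate in percent over the supplied transactions."""
    total = sum(t.amount_eur for t in txns)
    if total == 0:
        return 0.0
    fraud = sum(t.amount_eur for t in txns if t.fraudulent)
    return 100.0 * fraud / total


def max_exemption_threshold(rate_pct: float) -> float:
    """Highest ETV whose reference rate the portfolio meets; 0.0 if none."""
    for etv, reference in REFERENCE_FRAUD_RATES:
        if rate_pct <= reference:
            return etv
    return 0.0


def tra_eligible(portfolio: list[Txn], amount_eur: float) -> bool:
    """Can the acquirer claim the TRA exemption for a transaction of this value?

    The rate is always taken over the whole portfolio; a per-merchant rate is
    never used, however clean that merchant is.
    """
    return 0 < amount_eur <= max_exemption_threshold(fraud_rate_pct(portfolio))


def constructed_portfolio() -> list[Txn]:
    """Constructed sample quarter (not real data).

    'clean-shop' makes 800 EUR 100 sales with no fraud; 'risky-shop' makes 200
    EUR 100 sales, one of which is later reported as fraudulent.
    """
    txns = [Txn("clean-shop", 100.0, False) for _ in range(800)]
    txns += [Txn("risky-shop", 100.0, False) for _ in range(199)]
    txns.append(Txn("risky-shop", 100.0, True))
    return txns


if __name__ == "__main__":
    portfolio = constructed_portfolio()
    clean_only = [t for t in portfolio if t.merchant == "clean-shop"]
    print(f"portfolio fraud rate: {fraud_rate_pct(portfolio):.2f}% "
          f"-> ETV EUR {max_exemption_threshold(fraud_rate_pct(portfolio)):.0f}")
    print(f"clean-shop alone:     {fraud_rate_pct(clean_only):.2f}% "
          f"(irrelevant: the rule is portfolio-wide)")
    for amount in (90.0, 150.0):
        print(f"EUR {amount:.0f} at clean-shop -> "
              f"{'exempt' if tra_eligible(portfolio, amount) else 'SCA'}")
```

In the sample the portfolio runs at 0.10% fraud by value, which clears the EUR 100 tier but not EUR 250, so a EUR 150 sale at the entirely fraud-free merchant still needs SCA; the merchant's own 0.00% rate does not enter into it. Adding more clean volume, or shedding the merchant carrying the fraud, is the only way to unlock the higher tiers, which is exactly the portfolio-shaping pressure on Acquirers described above.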

Where do Merchants fit in?

The European Banking Authority (EBA) has made it clear that:

"Acquirers may contractually agree to ‘outsource’ transaction risk analysis monitoring to a given Merchant, or allow only certain predefined Merchants to benefit from their exemption eligibility."

Given the new importance to the Acquirer of maintaining a low portfolio fraud rate, this outsourcing agreement will likely be based on a contractually agreed low fraud rate and only available to Merchants able to demonstrate historically low and well managed fraud rates and compliant Transaction Risk Analysis (TRA) techniques.

This outsourcing ability is only available provided the Acquirer's aggregate portfolio fraud rate is below the required threshold; even if the Merchant's transactions are low risk, the exemptions are only valid if the whole portfolio is below the threshold rate.

Why Acquirers will offer TRA Outsourcing

Merchants with large transaction volumes exhibiting historically low and well managed fraud rates will be in increasingly high demand by Acquirers seeking to maintain the low-risk portfolio they'll need to offer SCA exemptions.

These Merchants will have a strategic advantage with their Acquirers in contract and relationship negotiations, a condition of which may well be the ability for the Merchant to employ their own Transaction Risk Analysis.

Acquirers that can technically and contractually offer both SCA exemptions and TRA outsourcing are therefore at a significant advantage in the modern competitive market of European Acquiring.