What we have learned so far about SCA and the shift in e-commerce
One of the largest e-commerce shake ups in Europe to date1 started in January 2021, when regulators began enforcing Strong Customer Authentication (SCA) for e-commerce card transactions in the European Economic Area (EEA).
The roll-out has resulted in the accelerated deployment of new SCA technologies that is set to reduce fraud rates and will pave the way for the internet of things and set a firm foundation for digital commerce to thrive.
The regulation sounds simple: it introduces an extra security step for many online purchases to reduce fraud and give shoppers greater peace of mind. In practice, however, ensuring the digital payments ecosystem was ready for the change needed years of planning between regulators, acquirers, issuers and merchants across the 30 countries in the EEA.
Change on a grand scale will always present challenges, but enforcement of SCA took place during an unprecedented time when e-commerce became a necessity for many as the COVID-19 pandemic took hold. During this time, online transactions across 15 European nations were at least 40% higher in December2 compared to a year earlier. All the indicators are that it will not revert to pre-COVID levels as e-commerce adoption accelerates faster than expected.
That raised the stakes for success and lessons have been learned already. Here’s what we know right now:
Regulators are opting to "ramp up" enforcement
A big piece of the puzzle was ensuring merchants, issuers and acquirers had deployed 3D secure (3DS), and ideally an optimised version known as "EMV 3DS". Both are part of a system that sits behind checkout platforms to assess how risky transactions are.z
With just a few weeks to go before enforcement, readiness varied significantly depending on location. In the end, regulators across Europe sought to ensure consumers and merchants weren’t hindered during a volatile period. Instead, many steadily increased the numbers of transactions that fall under the regulations, rather than setting a "cliff edge" deadline. The UK regulator, for example, committed as early as the summer of 2019 to delay enforcement in order to ensure the payments ecosystem was ready for the shift. Then in March 2020, when the pandemic hit, it moved the enforcement date back to September 2021. Due in part to this staged approach, which is reducing potential disruption in Continental Europe, it will help all parts of the UK ecosystem have a smooth experience by September.
There’s more to do on 3DS
Adoption of EMV 3DS has increased quickly, with 99%3 of issuer payment volume now enabled (April 2021), up from 93% in January. Meanwhile, 93% of EU EEA merchants have used some version of 3DS in the past year. Such comprehensive levels of adoption ensures consumers have access to the most efficient methods of payment, such as biometrics, and paves the way for a new wave of technology. However, abandonment rates still vary from market to market as they implement changes and adjust to new models.
Consumer education remains key
Ensuring readiness between merchants, issuers and acquirers is only one piece of the puzzle, and towards the end of 2020 it quickly became clear that ensuring consumers were ready remained a challenge ahead of the busy Christmas and New Year period. Once the deadline passed, purchasers had to pass security checks that fall into two of three categories; something a consumer knows, like a password or code; something they have in their possession, like a phone or card reader; and something they are, like a fingerprint or facial recognition usually entered via a mobile banking app.
The combination of requests varied by issuer. When consumers were enrolled, often they were presented with a new way to authenticate. In some cases, consumers were being asked to use a banking app for the first time and needed greater explanation of how to do so. Where abandonment by consumers spiked, issues were fixed quickly, particularly in locations where issuers had set up dedicated teams to support consumers.
Ensuring consumers are ready and understand the benefits of embracing 3DS will be the most important part of the process as the roll-out continues.
The next wave of payments technology is coming
While it might sound obscure, the roll-out of EMV 3DS has made the day when you can get your fridge to automatically order you more milk move closer. It’s the kind of shift that might have taken years and has instead been rolled out in about 12 months, meaning secure authentication is now enabled on all sorts of different devices.
All this opens up the possibilities of purchasing on a raft of devices designed to make online shopping easier. Take the smart fridge: it knows its location via your IP address. It also has its own device ID, enabling verification. If you run out of milk, the fridge will order it for you. These innovations aren’t just convenient for consumers, they are also, just as importantly, highly secure.
Expect innovations like this with a plethora of new technologies. Connected cars will enable you to purchase fuel on approach to a petrol station using similar principles, as well as other ways of identifying you including your voice, weight and driving patterns. And as the technology is updated and innovation continues, the horizons for what can be achieved will expand. It remains important that issuers, acquirers and merchants continue to educate consumers through the process as more and more transactions fall within the regulations. However, the success to date suggests the SCA regulation is achieving what it was designed to do; reducing fraud, making the process of paying easier, and fuelling innovation across the payments ecosystem.
Stay current with the latest payments insights from Visa Navigate Europe – subscribe today.
All brand names, logos and/or trademarks are the property of their respective owners, are used for identification purposes only, and do not necessarily imply product endorsement or affiliation with Visa.
2 Data based on processed transactions through Visa’s systems, December 2020
3 Visa’s Directory Server data 2021