Frictionless Authentication and SCA
PSD2 is legislation introduced by the European Banking Authority to make payments more secure in Europe and to help banks adapt to new technologies in the online payment sector. As part of this, a new set of requirements was introduced last year, consisting of an additional security step intended to strengthen protective measures while keeping the customer experience as smooth as possible.
This set of requirements is also known as Strong Customer Authentication, or SCA. This further layer of authentication is required for online transactions, meaning customers will have to provide an additional form of identification in addition to their credit or debit card information. While the original deadline for merchants to implement SCA was 14 September 2019, the FCA announced in April 2020 a further delay of enforcement in the UK until 14 September 2021 to help merchants impacted by Covid-19. For merchants based in the rest of the European Economic Area (EEA), and for those who process cards issued in the EEA with a European acquirer, the date for full SCA implementation is 31 December 2020.
As part of SCA, a new frictionless process has been introduced to allow customers to benefit from a more seamless payment experience. Through real-time transaction evaluations and only seeking further authentication for a smaller number of payments that appear to be risky, card issuers can prevent friction within the online checkout process.
Through frictionless authentication, it is expected that a staggering 95% of all transactions will require no cardholder authentication, which means that only 5% of transactions are considered higher risk. This can significantly improve the user experience, with faster payment times leading to increased conversion rates. Businesses can also benefit from lower losses, through stable fraud levels and the measures taken to calculate transaction risk.
In order to comply with new SCA requirements, 3D Secure 2 introduces a new Frictionless Flow process as one form of authentication. This allows issuers to approve transactions without needing manual input from the customer.
The frictionless flow relies on Risk-Based Authentication, or RBA. RBA is the process of determining the risk attached to a given payment and deciding whether the customer should be challenged with additional authentication steps. The risk-based elements can include information such as the value of the transaction, the customer's behavioural history, device information and whether the customer is new or existing.
This is combined with two-factor authentication, which requires customers to supply credentials as an additional security step. These credentials are drawn from three key factor categories:
- Knowledge - Something the customers know such as a PIN or password
- Inherence - Something the customers are, such as a fingerprint, eye scan or voice recognition
- Possession - Something that the customers own or have, such as a mobile phone, card reader or a One-Time Password (OTP)
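The two mechanisms described above, RBA deciding whether a payment is challenged and SCA requiring credentials from two distinct factor categories, are easy to confuse, so the following is an added worked example (not code from the original article, 3D Secure 2 or any issuer's rule set) that implements a toy version of both. The risk elements are exactly the ones the article lists; the score weights, the thresholds and the credential names are assumed policy parameters chosen for illustration.

```python
from dataclasses import dataclass
from typing import Iterable

# Hypothetical policy parameters (assumed values, not taken from any real issuer).
LOW_VALUE_EUR = 30.0        # below this the transaction adds no value-based risk
HIGH_VALUE_EUR = 500.0      # at or above this the value alone weighs heavily
CHALLENGE_THRESHOLD = 50    # scores at or above this leave the frictionless flow


@dataclass
class Transaction:
    """The risk elements the article names, as an issuer's RBA engine might see them."""
    amount_eur: float
    new_customer: bool          # new vs existing customer
    device_known: bool          # device information: fingerprint seen before for this cardholder
    prior_txn_count_90d: int    # behavioural history: transactions in the last 90 days
    prior_chargebacks: int      # behavioural history: disputes on this account


def risk_score(txn: Transaction) -> int:
    """Additive risk score; each contribution is an assumed weight for illustration."""
    score = 0
    if txn.amount_eur >= HIGH_VALUE_EUR:
        score += 40
    elif txn.amount_eur > LOW_VALUE_EUR:
        score += 15
    if txn.new_customer:
        score += 25
    if not txn.device_known:
        score += 20
    if txn.prior_txn_count_90d == 0:
        score += 10
    score += 40 * txn.prior_chargebacks
    return score


def rba_decision(txn: Transaction) -> str:
    """Frictionless when the score is low; otherwise the cardholder is challenged."""
    return "challenge" if risk_score(txn) >= CHALLENGE_THRESHOLD else "frictionless"


# Map each credential type to the SCA factor category it belongs to (names assumed).
FACTOR_OF = {
    "pin": "knowledge", "password": "knowledge",
    "fingerprint": "inherence", "face": "inherence", "voice": "inherence",
    "otp_sms": "possession", "card_reader": "possession", "app_push": "possession",
}


def is_strong_authentication(presented: Iterable[str]) -> bool:
    """Strong authentication needs credentials from at least two *different* categories.

    Two credentials from the same category (e.g. PIN plus password) do not qualify,
    and unknown credential types are ignored rather than counted.
    """
    categories = {FACTOR_OF[c] for c in presented if c in FACTOR_OF}
    return len(categories) >= 2


def authenticate(txn: Transaction, presented: Iterable[str]) -> str:
    """Combine both steps: a challenged payment is only approved after SCA succeeds."""
    if rba_decision(txn) == "frictionless":
        return "approved_frictionless"
    return "approved_challenged" if is_strong_authentication(presented) else "declined"


if __name__ == "__main__":
    # Constructed sample payments: a returning low-value purchase and a risky first order.
    routine = Transaction(20.0, new_customer=False, device_known=True,
                          prior_txn_count_90d=12, prior_chargebacks=0)
    risky = Transaction(600.0, new_customer=True, device_known=False,
                        prior_txn_count_90d=0, prior_chargebacks=0)
    print(rba_decision(routine), authenticate(routine, []))
    print(rba_decision(risky), authenticate(risky, ["password", "otp_sms"]))
```

The point the code makes is that the frictionless decision and the strength of the challenge are separate controls: a low score skips the challenge entirely, while a challenged payment is declined unless the presented credentials span two categories, which is what distinguishes SCA from merely asking a second knowledge question.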