Strong Customer Authentication in the United States: When, Not If
The Situation: Although the deadline keeps getting extended, e-commerce merchants and payment processors across the European Union are racing to implement the strong customer authentication ("SCA") requirements of the Revised Payment Services Directive. Other countries increasingly are following suit with their own versions of SCA. U.S.-based e-commerce merchants are unaffected—for now.
The Result: Although adoption of SCA will reduce card fraud and chargeback liability, SCA likely will add "friction" to the customer experience, which could lead to "cart abandonment" by shoppers frustrated with the checkout process. As a result, e-commerce merchants, processors, and banks are struggling to fully implement SCA, although like EMV payment adoption, SCA adoption is inevitable.
Looking Ahead: As more of the global-payment community adopts SCA, we expect SCA initiatives to sprout in the United States, if not at the federal level, then at the state. U.S. e-commerce merchants and processors should begin adapting their capabilities to incorporate SCA and take advantage of any transaction-based exemptive relief from SCA. Importantly, this may require taking a fresh look at existing payment processor agreements, to ensure merchants can maximize the availability of exemptive relief (or cost-effectively switch processors to one who can).
We've already explained how we got here. Once fully implemented, merchants, acquirers, and issuers will have to use SCA for e-commerce card payments in the European market. SCA requires at least two of the following independent authentication factors:
- Possession: Something only the customer owns (like a payment card, mobile phone, or "device-bound" web browser)
- Knowledge: Something only the customer knows (like a password, PIN, or knowledge-based challenge questions)
- Inherence: Something the customer inherently is (like a fingerprint or other biometric impression)
The merchant must collect and provide the issuer with these factors to the issuer's satisfaction; otherwise, the issuer will decline the transaction.
Friction for Merchants
SCA's purpose is to reduce fraudulent transactions. But any additional steps in the checkout process amount to friction, which leads to reduced conversion—online shopping cart abandonment. Many e-commerce merchants already employ authentication for their own user accounts, so requiring customers to authenticate again, at checkout, is problematic. Any savings from decreased fraud might be offset by lower conversion rates.
Built-in Regulatory Relief?
In recognition of potential friction, the SCA standards provide for several exemptions that relieve merchants of their obligations to obtain SCA. In theory, the exemptions will minimize friction by limiting the number of times SCA is required, but in practice, the exemptions' effects may be modest. For example:
- Low-value transactions. A merchant may skip SCA for low-value (less than €30) transactions, subject to certain limitations. However, the only way for a merchant to know whether this exemption will apply is to check with the issuer, a process not significantly less onerous than SCA itself.
- Low-risk transactions. An acquirer may request an issuer to waive SCA for the acquirer's merchants' transactions, based on the acquirer's aggregate fraud rate for all of its merchants. But merchants would necessarily have little influence over whether this relief is available and effectively would be at the mercy of their acquirer (and its other merchants).
- Whitelisted merchants. Issuers may allow their cardholders to whitelist preferred merchants, so that after the initial SCA, further SCA is unnecessary unless the cardholder removes the merchant from the whitelist. However, issuers are not required to offer this feature, so merchants have no influence over whether this relief is available either.
Exemptions come with their own risks, too. The merchant will be responsible for any fraud-related chargebacks on transactions not employing SCA; obtaining an exemption operates as a forfeit of any fraud liability-shift to the issuer.
SCA in the USA?
Importantly, for U.S.-based e-commerce merchants, "one-leg-out" transactions (where only one party is based in the European Union) are not subject to SCA. So U.S.-based merchants selling to EU customers are exempt—for now.
But we think that will change. For one, the European Union's efforts have already spread to other countries. Already, Australia, Turkey, and Mexico have adopted, or are actively considering, SCA regimes. And should a country subject one-leg-out transactions to SCA standards, it could ensnare U.S. merchants too.
Second, even in the United States, voluntary compliance by the card brands is already underway, for example with the adoption of EMVCo's SCA-compliant 3-D Secure 2.0 standard ("3DS2") for mobile app-based e-commerce. The incoming administration's Consumer Financial Protection Bureau might well take on SCA as part of a broader consumer protection regulatory focus. And change need not come from the federal government. GDPR is a good example: California, with its California Consumer Privacy Act, is leading the charge to harmonize the European Union's GDPR and U.S. data privacy law. A state-based corporate social responsibility regime is hardly a stretch.
If SCA is an inevitability in the United States, then merchants and payment processors should start preparing. The 3DS2 standard, with its built-in SCA compliance, is an obvious starting point, and it can provide a relatively low-friction solution; e-commerce merchants should begin working with their processors to ensure availability of 3DS2 on their platforms.
More fundamentally, though, merchants should begin assessing their customer payment profiles (especially merchants whose transactions would qualify as low-value) and evaluate the card fraud profile of their payment processors (since a payment processor with a low fraud profile can exempt all of its merchants from SCA for entire categories of transactions). It will be interesting to see how U.S.-based processors handle the low-risk transactions exemption on behalf of their merchant clients. We expect that larger e-commerce merchants with negotiating leverage with regard to their processors will be the first to bargain for contractual concessions from processors that protect the availability of any low-risk transactions exemption.
Four Key Takeaways
- SCA requirements are imminent for EU-based merchants, processors, acquirers, and issuers, and they are likely to become the norm across the globe.
- Merchants face a tradeoff between reduced fraud rates and friction caused by SCA that result in cart abandonment. Relying on transaction-based exemptions from SCA requirements to avoid friction carries its own risks, as liability for non-SCA transactions remains with the merchant.
- U.S.-based merchants should start preparing their e-commerce platforms for SCA, as we view it likely that there will be some implementation of SCA at the federal or state level.
- Any preparation should include an analysis of both the technical requirements to add SCA solutions (like 3DS2) to the merchant's e-commerce platform as well as an analysis of the fraud profile and contractual obligations of the merchant's payment processor. We expect to see new contractual provisions in processing agreements dealing with transaction-based exemptions from SCA.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.