January 25, 2022
A lot has been said about how the key to strong customer authentication (SCA) is in the specifics — what to exempt, the iteration of 3D Secure.
But one piece of the puzzle, one crucial to creating a smooth customer experience, cannot be ignored: delegated authentication.
To put it simply, the only way for an online merchant to maintain total control of their customer experience under PSD2’s strong customer authentication requirements is to run their ecommerce site with delegated authentication.
Strong Customer Authentication in Three Steps
Let’s take a step back for some perspective. Strong customer authentication is a key element of the new online transaction regulation PSD2 (payment security directive 2). It’s already in effect in most of the EU and the UK.
PSD2’s regulations are relatively simple: Strong customer authentication requires that a consumer’s identity be authenticated by at least 2 out of 3 methods:
● Something the user knows (ex. a passcode)
● Something the user owns (ex. laptop or phone)
● Something the user is (ex. a biometric such as face id or a fingerprint)
But how is strong customer authentication accomplished exactly?
The authentication process is typically undertaken by the cardholder’s bank, unless the merchant steps in. This means the process, for an online retailer, will look like: a customer shops at the merchant’s website, decides to purchase something, adds a product to a cart, clicks ‘buy’, and is redirected to a bank’s site or app.
The bank’s site has none of the merchant’s branding and the authentication process may or may not be intuitive. The customer may abandon the transaction because they find the authentication process invasive and wonder who exactly they are giving their personal information to.
One can think of bank-initiated authentication as adding a step to the consumer’s checkout process, creating friction that may result in the customer abandoning the cart. When merchants perform strong customer authentication themselves, an arrangement called ‘Delegated Authentication’, customers no longer need to be routed to issuers’ domains. This gives online retailers more control over the customer experience and saves banks the hassle of authentication.
Online Retailers Lose Sales Without Delegated Authentication
Rerouting between sites during the checkout process is a primary cause of the sharp increase in cart abandonment across the EU as strong customer authentication regulations have gone into effect.
CMSPI, a payment consultant group, found that as a result of the strong customer authentication rollout the transaction failure rate in Europe in June was 25%. On the high end, in Belgium, transactions were abandoned at a rate of 38%. CMSPI estimates that if these transaction failure rates persist, EU retailers could miss out on over €76 billion in sales this year.
It’s clear that this fragmented customer experience is discouraging customers, but that’s not even the worst part. Without Delegated Authentication, the customer’s checkout experience can vary widely depending on who their card issuer is. This means that, on the same merchant site, a cardholder with a bank that has invested in an intuitive authentication process could have a far better checkout experience than a customer whose bank did not.
Another important aspect to consider is consumers who use multiple credit cards. The disparity between one online shopping excursion and another could be stark depending on which card the customer checks out with.
And what happens when there’s an issue, which we all know is common when it comes to ecommerce? Does the consumer contact their bank or the online retailer? Does the bank inform the merchant when an issue occurs on their end? Is the bank aware if the merchant is at fault? Are all of these issues and resolutions unclear in the mind of the consumer?
Finally, consider the potential impact to the merchant. An online retailer could easily lose a customer forever due to the fact that the consumer’s bank did not properly prepare for the new strong customer authentication regulations and instead provided a confusing SCA process.
Merchants Can Benefit from Delegated Authentication with the Help of Third Parties
It's evident that delegated authentication is critical to the success of online merchants going forward in the PSD2 regulatory environment. Unfortunately for merchants, taking control of SCA is not completely in their power. The consumer’s bank takes on the liability when it comes to authenticated orders that turn out to be fraudulent and thus banks have an inherent interest in controlling the process.
Banks will only engage in delegated authentication with a merchant that has proven that they have ample fraud prevention measures in place. Yet another reason why strong fraud prevention is more important than ever in the strong customer authentication era.
Fortunately, Visa and Mastercard have taken significant steps in the process of removing additional barriers to merchants attempting to enact delegated authentication. In the beginning, an online retailer had to connect with each issuer it wanted to be able to transact with on their site. They would need to seek individual approval from every bank in order to be able to authenticate consumers with their respective cards.
Credit card companies, however, have taken the lead to act as a clearinghouse between banks and online retailers. Banks have also indicated a readiness to allow the assurance of trusted 3rd parties — for example, a well regarded fraud prevention provider — as enough to delegate authentication to a merchant.
In general, in order to qualify for delegated authentication, merchants need to perform strong customer authentication and maintain fraud levels below a reasonable threshold. The difficulty, especially for small merchants, will be working directly with all the issuers. Smaller merchants will need help managing their interactions with all these issuers and a third-party like Visa or another company can step in to handle the delegated authentication for them.
One such company is LoginID, in which Visa made a strategic investment. It offers FIDO/FIDO2 certified strong customer authentication services such as passwordless authentication and transaction confirmation with digital signature.
By integrating with LoginID’s digital signature API, merchants can implement a powerful fraud prevention tool into their checkout process. LoginID’s strong customer authentication platform is a smart step in the direction of delegated authentication.