Fraud prevention: SCA exemptions to optimise the customer experience

Cyber fraud is a growing threat to companies in every sector today, despite the continuous evolution of prevention solutions. According to a survey by Ravelin¹, the merchants involved reported a significant increase in online payment fraud in 2022.

Countries in which a significant amount of reports on the increase of fraudulent attacks in Ecommerce have been recorded include, for example, Canada, Australia, UK and Germany, where 71%, 70% and more than 60% of merchants respectively reported the growth of these activities. In Italy, France and Spain more than 50% of respondents confirmed the occurrence of this phenomenon.

This data confirms how crucial it is to adopt fraud prevention strategies, both to ensure the security of online purchases and to reduce costs and improve the customer shopping experience.

Ecommerce fraud prevention investment areas

The rise of fraud attacks has led to a steady expansion of the global Ecommerce fraud detection and prevention market: a study by ReportLinker recorded a growth in volumes from $33.65 billion in 2021 to $48.41 billion in 2023. Continued growth is expected to exceed USD 100 billion worldwide by 2027.²

A survey conducted in late 2022 by CyberSource³ looked at the main areas of investment in fraud prevention management. The survey shows that the most important areas on which companies plan to focus are:

• Improved fraud analysis
• Accuracy of automated fraud detection
• Improving the performance of chargeback disputes
• Simplifying manual review activities and workflow

The research also identified other key factors on which there is particular sensitivity, among them: optimised data management (33%), better omnichannel fraud management (30%) and an increased focus on cross-border transactions (26%), which are on the rise in all sectors. 

But how are merchants allocating their budget for this type of activity? Ravelin analysed the expected changes in the budget allocated to fraud prevention and found that more than three quarters of respondents said they would like to increase it. ¹

In the UK, for instance, 51% of merchants chose to increase their fraud prevention budget and 11% intend to invest in a significant increase, in particular 20%.

SCA exemptions: what they are and how to manage them

A further contribution to increasing IT security was made by the European PSD2 regulation. The new regulation, however, has also had an impact on Ecommerce shopping carts: its implementation, in fact, has provided for the introduction of Strong Customer Authentication (SCA) and therefore the application of 3DS2 security protocols, effectively adding an extra step at the payment stage, which has led to a drop in the conversion rate.

While it is apparent that PSD2 aims to contribute to the development of a more open and collaborative financial ecosystem, reducing fraud and increasing consumer confidence in online purchases, it is equally clear that the SCA has affected the shopping experience.

In order to address this issue and to maintain high security standards and conversion rates, the EU has, however, specified cases for which exemptions to the SCA can be applied. These transactions are described below:

1. Low value transactions. Transactions under €30, which added together do not exceed €100 or five consecutive single exempt transactions since the last SCA.
2. Transactions considered low-risk between €30 and €500 (Low Risk Based Analysis or RBA). Exemption is possible if the card issuer issuing the payment or the acquirer handling the transaction has, among other conditions, a fraud rate that is equal to or lower than certain normative reference fraud rates (1.6 or 13bps depending on the exemption threshold).
3. Recurring Payments. In the case of subscriptions or recurring transactions with a fixed value and beneficiary, the SCA will only be required for the first transaction (and not for subsequent automatic renewals). If, at some point, the cost of the subscription or recurring transaction changes, the 3DS will be requested again.
4. Whitelisting or Trusted Beneficiaries. Customers will be able to decide according to the way in which the issuer will provide this functionality, to add a company to the list of "Trusted Beneficiaries". If the feature is made available to customers, the SCA will be required for the creation and/or change of the list of trusted beneficiaries or on the first payment to the company in which it can be indicated to whitelist the company. For subsequent payments, authentication will not be required again unless the issuer deems it appropriate in order to protect all parties.

If exemptions to the SCA, then, offer the possibility of reducing the impact of strong authentication on Ecommerce, it must also be considered that it is the optimised management of these transactions that can make the difference in terms of customer experience and conversion rates.

Optimising exemption management: the Transaction Risk Analysis (TRA)

In order to better manage exemptions, there are now tools that leverage these opportunities by further improving payment authorisation rates. What can contribute greatly to increasing authorisation rates, and consequently conversion rates, is the optimal management of transaction risk analysis, also known as Transaction Risk Analysis (TRA).

Risk analysis is carried out by the ACS (Access Control Server), i.e. a security component of the issuer which analyses payment requests and, specifically, deals with:

• Transaction risk detection
• Management of authentication services (e.g. biometric, OTP, etc.)
• Management of exemptions

ACS utilises information such as transaction data, what device the acquirer is using and transaction history - to name a few examples - to perform complex analysis and determine whether a transaction is at high risk of fraud. The goal is to balance transaction security with user experience, while enabling legitimate transactions and blocking suspicious or unauthorised activity.

In order to take advantage of the opportunities offered by PSD2 and SCA, Fabrick has developed Advice, a solution that performs real-time analysis of transactions, maximising the number of exemptions while ensuring high security standards. Basically, Advice analyses payments eligible for exemption (up to €500 in amount) in the pre-authorisation phase and assigns a rating to each one:

• Fraud
  The payment is indicative of fraud
• Suggested 3DS2 protocols
  For security reasons, the SCA should be applied
• Exemption
  The transaction can be processed under exemption

The adoption of Advice results in increased conversions and, when combined with Guaranteed payments, the end-to-end fraud prevention solution based on artificial intelligence algorithms, any unidentified fraud is fully reimbursed.

In summary, the pre- and post-authorisation analysis process built into Fabrick's payment orchestration solution is strategic in terms of security and ensuring the best possible customer experience.