With an eye toward improving the security of online sales, the European Union is implementing new rules for Strong Customer Authentication (SCA) on Dec. 31, 2020.
These rules, designed to help authenticate online payments and reduce fraud, will require merchants to include at least two of the following authentication factors in their checkout processes:
- Something a customer knows (like a password or a PIN)
- Something they have (like a mobile device or a token)
- Something they are (like a fingerprint or facial recognition)
However, SCA may not be the end-all, be-all merchants and consumers are hoping for. Here are five ways SCA can end up hurting your online store.
1. The “Knowledge” Factor Is Easily Hackable
Asking a challenge question as a factor of SCA may seem easy enough, but security experts warn this “knowledge” component is typically the most easily compromised. Social media and the internet make it easy to gain information about relative strangers, thanks to consumers’ tendencies to complete online questionnaires and upload photos that divulge personally identifiable information.
All a cybercriminal needs is a little bit of patience and research to quickly crack passwords, PINs and even challenge questions.
2. Biometric Data Is Vulnerable to Fraudsters
Biometrics might seem like a foolproof way to confirm identity. After all, we can’t change our fingerprints or retinas the same way we can change our passwords and answers to challenge questions. But that doesn’t mean hackers aren’t creating ways to fool biometric scanners.
In 2015, data thieves stole more than 5 million U.S. federal employees’ fingerprints and other personal data. And a biometric database in India containing 1 billion citizens’ data was hacked, with data sold on social media for as little as $10. And because a biometric is so uniquely identifiable, once it’s compromised, its security can never be reclaimed.
3. Implementing SCA Can Be Complex and Expensive
In May 2019, only 1% of businesses surveyed felt they were prepared for SCA. There’s a good reason: implementation is complex, and full compliance requires a range of product, legal, finance and operations support to ensure changes are implemented properly.
Adding SCA to online stores is turning out to be so complex that 71% of businesses feel implementation will be a significant burden on resources. Many just don’t have the manpower — or the payroll — to devote to implementing seamless solutions that won’t frustrate customers.
4. SCA Adds Friction to the Checkout Process
Not every mobile browser supports the technology required for SCA, and small mobile screens can make it hard to enter complex passwords or complete verification pages. So it’s no surprise that 26% of businesses surveyed haven’t upgraded their authentication processes, because they’re worried about the potential negative impacts to the customer experience.
It’s a valid concern. Approximately 40% of cart abandonments in the U.S. are the result of long or complicated checkout procedures. 3D Secure authentication provides a perfect example; when it was introduced, the friction it added to the checkout process caused merchants to lose up to 22% of transactions.
Customer perception is a problem, too. When online shoppers are presented with SCA requirements for the first time, they may fear they’re being scammed. For example, redirects to Verified by Visa pages may look like a phishing attack rather than a security measure implemented by the merchant.
It’s ironic that security experts have spent the last several years warning customers not to enter sensitive personal data on any web page they’re not familiar with, and now merchants are asking their customers to do just that.
5. Cart Abandonment Is Increasing
Any time friction is added to the checkout process, cart abandonment increases. So when SCA prompts customers to answer personal questions — “Where did you go to high school?” “What was the name of your first pet?” — customers are more likely to abandon their purchase and find another retailer with an easier checkout process.
Or consider what happens when an SCA element requires a customer to retrieve a six-digit PIN sent via text, but the customer doesn’t have their cell phone handy. Or when the customer is logged into a spouse’s account, and the account is tied to the spouse’s phone number. Circumstances like these can result in lost sales, frustrated customers and negative online reviews.
While the perfect solution might not exist to prevent fraudsters from compromising your business and your customers’ accounts, that doesn’t mean it isn’t worth exploring all the available options — especially as regulations like SCA are adopted by markets worldwide.
One way to protect your company’s revenue and reputation is to make sure you have the right fraud prevention solution for your business. Our multilayered approach combines proprietary AI technology with expert manual review. And because we serve companies worldwide, we stay up-to-date on the latest rules and regulations, including SCA, to make sure you’re protected. If you want to learn more about how our unique approach to fraud prevention can protect your business in an ever-changing market, contact us.