New SCA Rules: Why They Aren’t a Magic Bullet Against Card Fraud
by Steve Durney
The European Union’s new Strong Cardholder Authentication (SCA) rules, part of the second Payment Service Directive (PSD2), may seem like robust protection for online merchants and issuers against fraud. After all, the SCA regulations require—starting September 14, 2019—enhanced multifactor authentication (MFA) of cardholders, such as 3D Secure 2.0 (3DS 2.0), during the online checkout process.
But as we’ve seen with many other anti-card fraud measures in recent decades, while such regulations do provide some level of relief, they’re no magic bullet. As experience has shown, fraudsters move quickly to find loopholes and capitalize on them.
In other words, fraud doesn’t disappear—it just shifts.
A Host of Exceptions
One reason the new SCA regulations may not be the panacea against card fraud they seem is that the rules will exempt many types of transactions from requiring SCA. This is necessary in order to balance security and customer experience. Certainly, every monthly charge for one’s streaming video subscription doesn’t need to be validated with MFA. These exceptions include:
- Transactions valued at less than 30 euros
- Transactions made via mail or phone
- Transactions for subscriptions or recurring payments (e.g. movie streaming services)
- Transactions by merchants proactively “whitelisted” by cardholders
- Transactions by merchants based outside the EU/UK
Scammers are sure to learn these exceptions and take advantage of them. For example, we expect to see many more fraudulent charges valued under 30 euros and fraudsters targeting merchants who are regularly whitelisted or offer subscriptions.
Fraud Will Only Get “Friendlier”
Beyond all these potential loopholes, the new SCA regulations don’t address a growing problem for issuers and online merchants: friendly fraud. More cardholders are disputing legitimate transactions after the fact because they don’t recognize them (possibly because another household member made them) or have buyer’s remorse. SCA clearly won’t solve that dilemma. Although it’s easier for the issuer to push back on a customer if a transaction was validated through multifactor authentication like 3DS 2.0, friendly fraudsters will simply find other excuses for disputing the transaction.
The Multipronged Solution
While SCA should help reduce card fraud, it certainly won’t be a catch-all. Fraudsters will adapt as they always do. So what must merchants and issuers do to reduce card fraud and unwarranted chargebacks once SCA takes effect? Unfortunately, there’s no ultimate solution, so they must rely on other tools to help them thwart fraudsters while also reducing the growing tide of friendly fraud.
Collaboration and the sharing of data (in a GDPR-compliant manner) between merchants and issuers will continue to be an effective and proven solution. The good news? These tools are available today.