
SCA EXEMPTIONS ARE A MERCHANT’S BEST FRIEND, BUT THEY DON’T COME WITHOUT COMPLICATIONS

Shagun Varshney, Product Manager at Signifyd

 

When it comes to online commerce, much of Europe is living in a new payment regulation era — and the UK will soon follow.

It’s an era of two-factor authentication, exemptions, step-ups, transaction legs that are either in or out — and a more secure ecommerce shopping experience for consumers. Polling and industry anecdotes indicate that for many, SCA, which stands for Strong Customer Authentication, might as well mean Something Causing Anxiety. Merchants and consumers know something is changing, but exactly what, for whom and when, well, that’s a little unclear.

But there are ways that UK merchants and brands can embrace SCA by 14 September, the date on which the regulation will be fully enforced.

A quick refresher: SCA is required under the sweeping digital payment regulation known as PSD2. It is already being enforced through much of Europe. It is meant to better secure online checkout by requiring that shoppers be authenticated by two of three methods: something the user knows (such as a one-time passcode), something the user has (such as a mobile device) and something the user is (such as a fingerprint, facial recognition, typing behaviour).

The key to getting SCA right is to conduct the required two-factor identification without adding inconvenience to the checkout process. And that starts with understanding the exemptions and exclusions contained in the requirement and how those elements best apply to your particular business. Wisely deploying exemptions will allow a significant percentage of transactions to be exempted from the regulation — under the right conditions.

As you’ve probably guessed, establishing those conditions has become more important than ever. It’s also important to note that while exemptions and exclusions, which we’ll get to shortly, benefit merchants and their customers, control over whether they are available to a merchant is largely in the hands of a merchant’s payment service provider or a cardholder’s issuing bank.

 

In general, exemptions — and their close cousins, exclusions — are available when an order meets certain conditions:

  • The order is low risk and low value.
  • The merchant and its bank have maintained a low fraud rate and the transaction meets certain value limits.
  • The transaction is considered “out of scope.” The list for these exclusions includes phone or email orders, prepaid card transactions and transactions when the acquiring bank or the issuing bank is outside the European Economic Area — or “one leg out” transactions.

 

One other exemption is available, but a consumer’s bank must agree to allow it in order for it to be applied. It’s called the “Trusted Beneficiary” exemption. It can be applied when a consumer expressly tells the bank that issued their credit card that they don’t want extra scrutiny applied when they are buying from specific merchants. Again, the issuing bank can refuse to allow the exemption.

Similar to exemptions, “out of scope” transactions can also be processed without SCA. In some instances SCA simply does not apply. Think phone or email orders, prepaid card transactions and transactions when the acquiring bank or the issuing bank is outside the European Economic Area (this is where the “one leg out” phrase is used). In the case of a merchant-initiated transaction, a subscription for instance, SCA needs to be performed only once to authenticate the buyer.

Visa, among others, has provided a specific list of exemptions and exclusions.

It becomes evident, scouring the Visa list, that while helpful, exemptions are also limited. Consider low-value transactions for instance. It’s great that transactions below €30 can bypass SCA. But what if you sell jewellery, luxury watches, electronics, high fashion, home goods, sporting goods, groceries, auto parts or sell in any of the nearly limitless verticals that offer products or groups of products upon which consumers typically spend more than €30?

Oh, and there is a catch: even low-value transactions need to undergo SCA periodically — every five transactions under €30 must undergo SCA, as must an order once the cumulative value of low-value transactions reaches €100.

Or consider allow-listing. First off, a consumer needs to be aware there is such a thing. A merchant might add a notice at checkout suggesting, “If you like shopping with us, ask your issuing bank to allow-list our store.” All of which leaves a consumer saying, “Ask my what to do what now?”

And even if consumer consciousness-raising is a success, think about the bank that issued the consumer’s credit card. By agreeing to allow-list a merchant, the bank takes on liability for any fraudulent orders. So in one stroke, the bank allows the order to bypass increased scrutiny and agrees to be on the hook for orders that are not legitimate. That’s not a lot of incentive, to put it mildly.

None of which is to say that exemptions should be ignored. Exemptions are a powerful way to provide a seamless experience for customers. When an exemption is approved, the customer doesn’t have to worry about the transaction being stepped up by requiring two of the three SCA authentication methods. And so, retailers want to be in a position to take advantage of exemptions.

One thing that quickly becomes obvious when planning a robust exemption and exclusion strategy is that the starting point for taking advantage of SCA exemptions is to ensure that your enterprise is a solid citizen when it comes to preventing fraudulent sales. Take the most obvious case: In order to take full advantage of the low-risk transaction exemption, a merchant needs to keep its fraud rate below an exceedingly low .01%. That clears the way for purchases under €500. Exemptions for purchases under €250 and under €100 are also available for merchants with fraud rates of .06% and .13% respectively.
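The low-value counters and the fraud-rate tiers described above interact, so here is an added Python example (not code from Signifyd, Visa or any payment provider) that evaluates which exemption an order could request. The names `CardState`, `tra_limit` and `decide` are hypothetical, the boundary handling at each threshold and the reading of the five-transaction rule are assumptions, and the result is only eligibility, since the payment service provider or issuing bank still decides.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as stated in the article (EUR amounts, fraud rates in percent).
LOW_VALUE_LIMIT = Decimal("30")
LOW_VALUE_MAX_COUNT = 5
LOW_VALUE_MAX_CUMULATIVE = Decimal("100")
# (fraud-rate ceiling in percent, purchases under this amount), best tier first.
TRA_TIERS = [
    (Decimal("0.01"), Decimal("500")),
    (Decimal("0.06"), Decimal("250")),
    (Decimal("0.13"), Decimal("100")),
]


@dataclass
class CardState:
    """Low-value exemptions used on one card since its last SCA (hypothetical tracker)."""
    count: int = 0
    total: Decimal = Decimal("0")


def tra_limit(fraud_rate_pct):
    """Return the amount ceiling for the low-risk exemption, or None if no tier fits.

    Assumption: a fraud rate exactly equal to a tier's ceiling still qualifies.
    """
    for max_rate, ceiling in TRA_TIERS:
        if fraud_rate_pct <= max_rate:
            return ceiling
    return None


def decide(amount, state, fraud_rate_pct, out_of_scope=False):
    """Classify one order and update the card's low-value counters.

    Returns "out_of_scope", "low_value", "tra" or "sca_required".
    Assumption: amounts must be strictly under each limit ("under"/"below").
    """
    amount = Decimal(str(amount))
    if out_of_scope:
        # Phone or email orders, prepaid cards, one-leg-out: SCA does not apply.
        return "out_of_scope"

    # Low-value exemption: under EUR 30, fewer than five uses since the last
    # SCA, and the running total including this order stays under EUR 100.
    if (amount < LOW_VALUE_LIMIT
            and state.count < LOW_VALUE_MAX_COUNT
            and state.total + amount < LOW_VALUE_MAX_CUMULATIVE):
        state.count += 1
        state.total += amount
        return "low_value"

    # Low-risk exemption: depends on the fraud rate and the order value.
    ceiling = tra_limit(Decimal(str(fraud_rate_pct)))
    if ceiling is not None and amount < ceiling:
        return "tra"

    # No exemption fits: step up, which resets the low-value counters.
    state.count, state.total = 0, Decimal("0")
    return "sca_required"


if __name__ == "__main__":
    card = CardState()
    # Constructed sample: seven EUR 10 orders from a merchant with no TRA tier.
    print([decide(10, card, "0.2") for _ in range(7)])
```

Note that the counters reset only on a step-up: a merchant whose fraud rate qualifies for a tier keeps getting `tra` for small orders after the low-value allowance is used up, which is the dependence on a low fraud rate the article describes.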

It’s important, then, to include a powerful fraud protection solution in your overall SCA strategy. A low fraud rate is vital to securing exemptions and exemptions are vital to producing a top-flight customer experience.

Embracing a modern machine-learning fraud solution that sifts fraudulent from legitimate orders in an instant while seamlessly scaling does far more for a merchant than simply ensuring it can use exemptions. Yes, doing away with SCA is one of the best things about exemptions, but it is also one of the worst things about exemptions. Sure, an exemption eliminates the potential friction added to the buying journey by two-factor authentication, but an exemption also sidelines the extra protection that step-ups provide an online seller.

A constantly learning automated fraud solution with a financial guarantee provides the protection needed to ensure good orders are shipped and fraudulent orders are declined.

Merchants and brands will want to be able to confidently pursue an aggressive exemption strategy without worrying about new vulnerabilities that fraud rings will look to exploit. Consider the irony of working so hard to maintain a low fraud rate in order to take advantage of exemptions, only to have those exemptions ultimately lead to a higher fraud rate.

As with many things in commerce, it’s best to take a holistic view when you’re considering how SCA and its exemptions fit into your entire risk management plan.

 


Dissecting the expansion of online checkouts

By Daniel Kornitzer, Chief Business Development Officer

 

Card payments have long existed as the preferred payment method for online consumers. But in recent years we have begun to see a rise in the use of alternative payment methods. Although card payments continue to serve the majority, it is becoming increasingly clear that consumer preference is diverging rather than reaching a consensus. Across the globe local preferences have developed as eCommerce has grown, and across the global digital payments landscape card payments are being passed over for new ways to pay.

Alternative payment methods are on the rise as they address several of the hurdles which have prevented cards from achieving total rule over consumer preference for online payments. Here are four key reasons for this:

  1. Alternative methods offer a superior consumer experience, particularly when it comes to mCommerce. With the rise of new regulations such as Strong Customer Authentication and developments in Open Banking, alternative payment methods can be faster and easier to use for consumers.
  2. New payment methods such as crypto are growing in popularity thanks to a more attractive offering to consumers such as lower cross border payment fees.
  3. With the digitalisation of services forcing many customers to pay online for the first time and many experienced online shoppers looking for more secure ways to pay, the security of financial data is a major concern. Alternative payment methods can protect customer details by removing the need to share bank details at the checkout.
  4. Not all consumers have bank accounts or a debit card. By offering alternative payment methods businesses are enabling these customers to join the digital economy.


Businesses have been watching these trends closely and are constantly looking to improve their checkout experience for consumers accordingly.

 

The impact of COVID-19 on online payments

The need for businesses to expand their online checkout to meet changing consumer expectations is not a new trend. However, it has certainly been accelerated by COVID-19. The majority of businesses agree the pandemic has shifted consumer payment preferences, with alternative payment methods gaining in popularity.

Research shows businesses have seen more alternative methods chosen at their online checkouts with a greater percentage of consumers choosing digital wallets (57%), mobile wallets (39%) and eCash (28%). This has caused businesses to reconsider the way they understand payments, looking beyond traditional methods to newer consumer-friendly alternatives. With this in mind, reports suggest more than 60% of businesses are now making improving their checkout a top priority to fulfil the new high standard of consumer expectations.

 

Businesses are actively expanding their online checkouts

If we compare data from 2020 to 2021 on the payment methods offered or planned to be offered by businesses in the next one to two years, the trend is clear.

The number of businesses not offering or not intending to offer alternative payment methods is falling, as more and more start to recognise the importance of offering choice at the checkout. In the last year alone the increase in the adoption of alternative payment methods has risen dramatically, particularly crypto and eCash. As businesses begin to understand the urgency of upgrading the checkout experience, it is clear that alternative payment methods will play a key role in making this a reality.

 

Establishing crypto as a key player

One of the most interesting areas of payments which businesses should be watching is crypto. Research shows businesses are already backing this trend with almost half considering adding crypto as an alternative payment method as an immediate priority, believing it will help them reach new markets, and more than 50% already have confidence in crypto as the future of payments.

 

Diversifying the checkout as a form of defence

As well as offering a better customer experience and reaching new markets, businesses are expanding their checkouts with alternative payment methods to combat other familiar problems.

Most businesses see their current levels of cart abandonment as an issue, with research showing almost half have experienced an increase in levels of abandonment at the checkout in 2021. Businesses consider two of the most significant causes of this to be card declines and absence of the customers’ preferred payment method. Offering alternative payment methods is an effective way of tackling these problems at the checkout.

The rise of fraudulent transactions is also becoming a more pressing concern for businesses, with the number of fraudulent transactions increasing since the start of the pandemic. Diversifying the checkout with alternative payment methods can be used as a valuable strategy to lower fraudulent transactions.

 

Looking to the year ahead

2022 looks set to be another year where we will see businesses continue to adopt new payment methods at their online checkout in a bid to keep up with consumer expectations.

By working with a leading payments partner, businesses can benefit from access to a range of payment methods through a single API integration, allowing ambitious plans to become a reality in the year ahead.

All data from this article is taken from our recent research report Lost in Transaction: Finding competitive advantage at the checkout.

 


How bug bounty programs can help financial institutions be more secure

By Rodolphe Harand, Managing Director at YesWeHack

 

Financial services have been one of the most heavily targeted industries by cybercriminals for several years. One alarming stat from the Boston Consulting Group found these firms to be 300x as likely as other companies to be targeted by cyberattacks.

Furthermore, the pandemic has led to a significant increase in the number of cyberattacks targeting financial institutions (FIs), with around 74% experiencing a spike in threats linked to COVID-19.

With FIs holding some of the largest collections of sensitive and private data, it’s clear they will remain an attractive target for malicious actors, especially as any data stolen can be used for fraudulent activities. This leads to the reputational damage of the financial entity that was compromised and has a knock-on effect in terms of monetary and reputational damage to affected customers.

For CISOs at FIs, the conundrum faced is how do you protect intellectual and customer data, and ensure accountability and transparency for clients and stakeholders, at a time when the pandemic has created budget constraints. Research from BAE Systems found that last year alone, IT security, cybercrime as well as fraud and risk departments had their budgets cut by a third.

Below we look at how bug bounty programs can help to address these pressing issues.

 

Protecting valuable data

Protecting customer and intellectual data has always been a top priority for FIs. However, as opportunistic cybercriminals have a lot to gain by stealing this valuable data, there is a constant evolution of threats, which means FIs must stay on their toes. By deploying a bug bounty program, FIs can work with ethical hackers that have a wealth of experience and unique skills when it comes to identifying security weaknesses within an FI’s defence, thus helping to implement effective security measures to help prevent data breaches.

Building trust among various stakeholders such as customers, suppliers and investors is critical for achieving business goals. By deploying a bug bounty program, FIs send out a message that they care about protecting the security of the data of those they work with – which in turn can have a cascading effect resulting in better business performance.

 

Improving accountability  

For FIs to win customers and keep them happy, amidst the growing threat of neo banks and customer-centric fintech organisations, speed of innovation is crucial. As such, many FIs have adopted an agile approach to build, test, and release software faster to bring online and mobile banking solutions to market quicker. However, this can create frictions between development and security teams. Security mandates are deemed to be unnecessarily intrusive and a cause of delayed application development and deployment.

Yet, with DevOps teams needing to build and deploy applications faster than ever before, an epidemic of insecure applications has emerged. According to Osterman Research, 81% of developers admit to knowingly releasing vulnerable applications, while research from WhiteSource found 73% of developers are forced to cut corners and sacrifice security over speed.

With developers often not having the time, tools, skills, or motivation to write impeccably secure code, there is an evident need to provide developers with more support when it comes to building applications securely. Fortunately, bug bounty programs can provide a “fact-based” financial implication of inherent security flaws within the process. This makes it possible to hold development teams and service providers accountable for creating or delivering insecure products, thus addressing inherent security gaps within the business units and helping to drive continuous improvement.

Moreover, security awareness and education of development teams can be improved significantly for those developers that are directly involved with the management of vulnerability reports for their bug bounty programs. This is because the mere fact of exchanging information with ethical hackers, or assimilating the thinking of a potential hacker and having proof of concepts of vulnerability exploitation on their application components, naturally accelerates consideration of security early in the development stage and provides ongoing learning.

 

Get more return on your investment

According to Gartner, 30% of CISOs’ effectiveness will be directly measured on their ability to create value for the business. When security budgets are challenged, CISOs need to demonstrate business value through initiatives designed to enhance efficiency whilst stretching the dollar.

This is where bug bounties can help tremendously. Compared to conventional penetration testing, bug bounty offers a fast, complete, and measurable return on your security investment, with businesses only paying out for successful discovery of vulnerabilities. Equally, businesses get access to hundreds of ethical hackers that can test their programs, each with their own unique skillsets as opposed to only one skilled researcher testing the network. This results-driven model ensures you pay for the vulnerabilities that pose a threat to your organisation and not for the time or effort it took to find them.

Bug bounty programs also deliver rapid vulnerability discovery across multiple attack surfaces. With this approach, organisations receive prioritised vulnerabilities and real-time remediation advice throughout the process to accelerate the discovery of, and solution to, vulnerabilities.

Another appeal of bug bounties is that due to the continuous nature of testing, more vulnerabilities are found over time as opposed to pen-testing. This is key to financial institutions that require agility to keep up with the continuous roll-out and updates of applications.

 

The cornerstone to a successful security programme

The risk posed to financial institutions by cyber threats will only continue, as evidenced by the number of data breaches seen in recent times. The COVID-19 pandemic has only exacerbated these risks, especially with almost all FIs having needed to shift to a remote working environment – which has only widened the attack landscape.

For FIs, a bug bounty program should be considered a fundamental cornerstone of any security strategy, with it being a modern-day cybersecurity solution that is well-equipped to tackle the immediate security challenges they face. In doing so, FIs will not only prove to customers and stakeholders their commitment to data protection and security but this will also help them to avoid the monetary damages that could be imposed by regulators if a breach was to take place.

 
