Revealed: The Real Risks Of Not Properly Enforcing SCA

Ed Whitehead, managing director EMEA for Signifyd warns about the risks of getting Strong Customer Authentication (SCA) wrong

Strong Customer Authentication (SCA) is a new requirement of the second Payment Services Directive (PSD2) in the UK and the EU. Its objective is to improve the security of electronic payments online. SCA requires banks to perform extra checks to verify the identity of consumers when they make a payment online. This is achieved through a two-factor authentication, requiring consumers to prove two of the following identification methods at checkout:

Knowledge – Something they know: using a password or PIN.
Possession – Something they own: using a mobile phone or card reader.
Inherence – Something they are: biometrics such as a fingerprint or facial recognition.

For ecommerce businesses, this has been enforced since 1st January 2021 in most of the EEA and will be enforced from 14th March 2022 in the UK.

But what happens if you don’t enforce PSD2 Strong Customer Authentication in your business?
Unfortunately, hiding from the problem will not make it go away. Payment service providers (PSPs) and banks have a legal obligation to comply with PSD2, and businesses that don’t fulfil SCA will see a world of trouble.

While SCA is the responsibility of PSPs to enforce, merchants have a big role to play in how consumer information is collected. Merchants must be proactive about implementing SCA properly. Otherwise, they may experience rising decline rates, falling conversion rates, and increasing negative customer experiences. Here, we explore the real risks of not properly enforcing SCA.

Rising decline rates
SCA’s enforcement has led to higher transaction failure rates due to the increased usage of 3DS as a solution to compliance. In July 2021, CMSPI reported that the estimated European failure rate on transactions was 24 per cent – higher than the industry objectives. But why is this happening? Because relying solely on the use of 3DS for SCA compliance increases friction at checkout. This will include more step-up authorisations and stricter verification methods.

While increased decline rates will have an obvious negative impact for merchants’ revenue, there will be further consequences that are damaging for business. Merchants know that when a quarter of transactions fail, of course not every one of those transactions will be fraudulent. In fact, a vast majority is likely not to be. But declining genuine consumers is a costly game to play.

57.6% of consumers said that being declined a purchase by a retailer when there wasn’t a problem would be a reason for them to not shop with a specific online retailer again.

Ultimately, merchants risk ostracising consumers by declining genuine payments. This may discourage returning customers, leading to a further negative impact on revenue beyond the initial decline.

Merchants should therefore aim to improve their decline rate by implementing easier authentications that reduce touchpoints for consumers. Seamless SCA, which uses more data points to verify consumer identities, can encourage improved decline rates and boost revenue.

Falling conversions rates
As mentioned above, when SCA is not properly enforced, authentication can create friction and more consumer touchpoints are likely to occur. The more touchpoints that you create on your ecommerce store, the more likely it is that customers will abandon their shopping carts. In the UK, 41 per cent of shoppers have abandoned an online transaction during checkout in the past year. Merchants must ensure that their ecommerce site is built for the latest authentication platforms, otherwise, they risk creating negative customer experiences.

Using 3DS Version 1, while it is a compliant solution to SCA, has limited capabilities. For example, biometrics are not a possible measure for SCA using 3DS1, meaning that more demanding verification methods are required. This may induce text verification codes that need manually entering or additional passwords and account verifications.

3DS1 also doesn’t recognise soft declines. When a merchant asks an issuer to authorise a payment, the issuer may return a soft decline, triggering authentication. However, with 3DS1, this payment would just be declined. The merchant would have to try again and risk cart abandonment.

Merchants should aim to have a seamless authentication strategy that complies with SCA to achieve higher conversion rates. Merchants should make sure they are on the correct version of EMV 3DS to make the best use of the opportunities that SCA offers, including biometrics, exemptions, and data analysis to achieve a frictionless authentication.

Liability and reimbursements
One of the objectives of SCA is clear when asking the European Payments Council who is responsible for SCA application with PSD2. They are clear that the payment service provider is responsible. The council states: “PSD2 foresees that the payer can claim full reimbursement from their PSP in case of an unauthorised payment if there was no SCA measure in place and if the payer did not act fraudulently.”

When a merchant’s acquiring bank relies on an exemption to SCA or does not apply SCA, they will be liable for potential fraud. When SCA is applied, the liability is shifted to the consumer’s issuing bank. However, if authentication such as 3D Secure is not performed, merchants will usually be liable for fraudulent activity.

Merchants must find ways to shift this liability away from their business. This can be achieved by switching to 3D Secure Version 2 (3DS2), where it is estimated that five to ten per cent of all authentications will be redirected to their issuer’s 3D Secure page to complete a two-factor authentication. After this, about 90 per cent of authentication requests are authorised, and the liability is shifted to the issuing bank.


As SCA continues to dominate ecommerce in 2021, it’s essential to ensure that your compliance does not risk your business. Enforcing SCA properly can not only boost your business, but it can also get you ahead of competitors with no SCA strategy.