The Challenge of Card Declines with SCA

If you’ve followed the Okay story, you know we’re a Norwegian company with a French CEO and employees living worldwide. As you can imagine, this sometimes creates a problem with online card payments, which I believe would be familiar to many companies today. As a Norwegian company we use  Norwegian-issued company cards, which typically uses BankID as the 2nd factor for payments. But, BankID is limited to those living in Norway. So, when one of our developers outside of Norway requires a piece of software, the payment can quickly escalate to C-level just so the right card can be used with the right person doing the 2nd-factor authentication. 

This gets much more complicated and troublesome if we look at the merchant side, where issues with SCA can lead to lost sales. According to research posted by Nuapay back in July 2022, “99% of merchants have seen an increase of at least 5% in payment declines (with an average 37% decline) following the introduction of Strong Customer Authentication; a third (35%) saw payments fraud jump since the start of the pandemic.”

I recently took part in a conference where a hotel chain merchant explained how the requirement of having 2FA for most payments leads to lost opportunities and sales. 

The company had multiple hotels in London and New York, with a complex payment network of around 80 suppliers - 7 of which were payment suppliers or directly involved in the payment process. This includes a property management system, an online booking system, and various other systems for multiple aspects of the business, such as a spa, e-commerce, and a small warehousing business with a coffee shop.

Implementing the Payment Services Directive 2 (PSD2) and its requirement for strong customer authentication (SCA) presented a challenge for this company. Remember, SCA is designed to increase security and reduce fraud by requiring additional authentication for online payments. A customer trying to book a room online serves as a good example:

3D Secure 2.x would be required to verify the transaction during checkout. However, many customers may not understand the new authentication methods for completing transactions, leading to cart abandonment. From the customer’s point of view, the merchant is at fault because they are on the merchant’s website. When they call the front desk to complain, the receptionist is likely unable to explain how to successfully complete the transaction.

Of course, the company had to update its payment systems to comply with the new SCA requirements. This was time-consuming and costly and resulted in downtime for the hotels. But since these additional steps led to confusion for the company’s customers, the company also had to invest in improved communication and education about the SCA process to minimise confusion and frustration and ensure a smoother transition.

While increased security is important, companies must find ways to effectively implement and communicate these changes to customers to minimise disruption and ensure a smooth transition. For a hotel chain, this might require receptionists to be familiar with SMS OTP messages (for the few card issuers still using that), code-generating pin-pads (still common for enterprise customers), and the various forms of app-based authentication that are getting more common.

In theory, transitioning to more robust SCA requirements should lower costs. Indeed, looking at official statistics for the EU region, fraud is becoming less of a problem for SCA-protected payments. But, the reality is that credit card processing fees continue to increase, regardless of fraud going down.

There are basically two areas where this situation can be improved. The simplest is to make SCA easier for end users. Moving away from pin-pads and SMS messages to frictionless authentication using an app makes life much easier for end users and merchants. This is the strategy we at Okay are working on - improving payment flows for those buying the service.

But there are also some options on the acquirer and payment processing side. Perhaps most importantly, a merchant should ensure that the acquirer you’re using is flexible. The PSD2 allows for several exemptions, e.g. for low-value transactions, recurring payments, and based on transaction risk analysis (TRA). If the fraud levels are kept low enough, SCA can be skipped, but this can require that the merchant’s and the acquirer’s systems communicate with each other more than just for transaction amounts. For example, some acquirers can offer exemptions for payments up to 500 Euro in Europe by doing risk analysis on their end, then flagging the payment as such when it is eventually passed on to the issuer.

Acquirers can sometimes cut costs for merchants with complicated offers, such as a hotel chain that does events in the example above. The fees can be different for a card-not-present purchase on a website and a purchase where there is a real conversation for a purchase, such as when arranging an event. This can lead to different rates, leading to savings for the merchant, regardless of SCA.

Looking to the future, I believe that much of the complexity I’ve described can be reduced by having strong SCA mechanisms in place. This can be combined with providing customers with alternative payment options, such as digital eWallets or payment apps directly tied to Open Banking, offering a secure, efficient and cost-effective alternative to traditional cards. But who knows what the future might hold!