Delegated Authentication : Take control of your SCA checkout experience

With only a few weeks to go before the PSD2 SCA enforcement, some online merchants are working hard to get ready with their 3D Secure implementation but others are already looking to the future at improving their customer check-out experience, considering solutions such as delegated authentication, obviously for very good reasons.

In Ecommerce, merchants want to provide the best payment experience possible to their online customers to avoid card abandonment and improve sales conversion. Merchants want to keep full control of the checkout user experience. Under PSD2, all online transactions should require Strong Customer Authentication before the transaction can be approved. (Some low risk and low-value transactions may be exempted from SCA). With 3DS2 protocol which fulfills SCA requirements, the authentication is commonly performed by the issuers which are creating few challenges.

To perform authentication during check out, cardholders are switched from the merchant domain to the issuer domain and backward which creates unnecessary friction especially if the cardholder is not familiar with this experience. Also, the merchant has no control over the Issuer authentication method and often could provide a better authentication user experience themselves using for example device biometrics or merchant log in together with behavioral biometrics, solutions which are easier to provide for merchants who have more data available.

Lastly, with PSD2, cardholders may need to ‘authenticate’ twice, with the merchant when they access their account, and with the issuer to initiate the payment process. As a consequence, unnecessary friction is introduced, and consumer check out experience is affected.

Consequently, merchants that already know their customers and have mechanisms in place to authenticate them would prefer to avoid relying on Issues to authenticate, as they might be able to offer a better customer experience. On mobile devices, the use of biometrics is already standard and eases the authentication process.

The good news is that PSD2 allows to delegate authentication to third parties including merchants (and wallets) in order to offer a smooth consumer experience while being compliant. This allows consumers to stay all the way within the merchant environment either website or app. In order to benefit from Delegated Authentication merchants have two possibilities:

a) Set up of bilateral contracts between the merchant authenticator and the issuers. This may quickly bring complexity in the contract management, due to the high number of issuers to be contracted in Europe.

b) The other option is to sign up with Scheme delegated authentication programs that provide legal multilateral agreements framework. Those delegated authentication programs meet PSD2 requirements and remove the need for bilateral agreements. Schemes are defining a set of rules and minimum requirements to enable issuers to delegate SCA to merchants.

As for merchant authentication, merchants can leverage from FIDO (Fast Identity Online) which is an open industry standard for authentication that supports general-purpose devices (such as smartphones, laptops,…) and separate devices (such as smart cards, secure token, etc…).

The basic principles of FIDO rely on the public key cryptography that provides simple and strong authentication. More secure than a passport and also more convenient than a hard token, FIDO provides usability and security. We will not cover in detail FIDO authentication here but one should remember that FIDO is fully PSD2 SCA compliant, offers many authentication options, and is supported in the 3DS2 protocol.

Merchants, especially big ones, will show increasing interest in Delegated Authentication as they are able to provide a consistent and low friction checkout experience to drive down cart abandonment and increase revenue.