SCA: How will fraudsters try to work around the mandate?

January 27, 2020
Read time: 7 min
Mari-Anne Bayliss
Mari-Anne Bayliss
Cybersource | Fraud Solutions for Europe, the Middle East and Africa

Strong customer authentication (SCA) has understandably been a major priority for the payment industry. While everyone focuses on compliance and on minimizing the impact on customer experience, it’s easy to forget that SCA will also have an impact on fraud—and merchants should be ready for it.

We’ve seen it before: Changes in purchasing and payment processes lead to shifts in fraud patterns. The introduction of chip-and-PIN technology drove fraud to the eCommerce channel. Before eCommerce became an influencing factor in creating the online fraud industry, fraudsters habitually exploited the MOTO (mail order/telephone order) channel. With SCA due to provide additional security for eCommerce in the European Economic Area (EEA), it’s highly likely that we’ll see changes in fraudulent behavior.

Savvy merchants are already asking us what to expect, so they can be prepared. We can’t know for sure what innovative fraud developments may emerge in a post-SCA world, but we do know that fraudsters will want to exploit gaps in SCA coverage. Therefore, we can make some educated predictions based on past experience and the details of SCA, to block fraudsters’ attempts. Here are three things we anticipate merchants should look out for.

1. One-leg-out transactions


One-leg-out transactions—where either the issuer or acquirer is located outside the EEA—are out of scope of SCA. There are two ways fraudsters may take advantage of this.

First, they can try to use non-EEA cards such as American card details, when targeting EEA merchants. If you experience an unexpected rise in non-European customers, treat it with appropriate caution.

Second, fraudsters can target non-EEA eCommerce sites with EEA card details. If you’re a global merchant with multiple country-specific websites and local acquirers, you may see fraudsters starting to target your non-European sites more often.

From a fraud management perspective, make sure the business has a cross-geographic view of what’s happening, especially if you have different teams managing fraud in different regions. It’s not just your EEA teams that need to be aware of what SCA might mean for fraud management.

2. Call-center fraud


The MOTO channel is also out of scope of SCA, so we can expect fraudsters to dust off their pre-eCommerce tactics for impersonating genuine customers over the phone—not to mention coming up with creative new techniques.

As merchants have discovered with the growth of mobile fraud, different channels call for different fraud management tactics, even if many of the tools used are the same. We know that the fraud teams of many of our customers are already paying specific attention to their call centers, so that they’re ready to respond if this shift happens.

Bear in mind that it’s not only fraudsters that may migrate to the phone. Some genuine customers may be unfamiliar with new authentication methods and may decide to pick up the phone instead.

Our advice to any merchant not already monitoring fraud in their MOTO channel is to start doing so. Train your call-center staff on what to expect and how to deal with it. Consider implementing additional authentication techniques, such as voice screening or out-of-band authentication via one-time password. And think about what else you might need to change if there’s a marked shift towards this channel. Do you need to deploy more call-center staff? Are currently outsourced call-center activities able to adapt to new fraud management demands?

3. More sophisticated impersonation


The arms race between the payment security industry and the fraud industry is not new, and if there’s one thing we can be sure of, it’s that fraudsters will bring the necessary effort and inventiveness to the job. If they cannot sidestep SCA entirely, we can expect them to work on more sophisticated ways to impersonate genuine customers, including account takeover and synthetic identity theft (the combination of real and fake information to create a new identity).

Fraudsters are also usually quick to leverage mechanisms that offer more convenient experiences to customers. With more sophisticated impersonation, fraudsters may also try to take advantage of the SCA exemptions.

What does this mean for fraud management?


Any time we make fraudsters work harder, we’re doing a good job—and SCA will certainly make fraudsters work harder. But as long as we also want to make life easier for customers, there’s an inevitable balancing act between maximizing fraud prevention and minimizing customer friction.

"Balanced fraud management is usually cross-enterprise, while also appropriately tailored to each channel and geography."

This means that, more than ever, fraud management teams need to move beyond "blunt" fraud prevention approaches and basic tools. Balanced fraud management is usually cross-enterprise (not siled per channel or geography), while also appropriately tailored to each channel and geography. It uses techniques to identify genuine customers alongside techniques to identify fraudsters. And it evolves to exploit new technologies for distinguishing between genuine and fraudulent transactions, such as machine learning, device fingerprinting and a wider range of data services.

One thing is certain: While SCA is a great addition to ecommerce security, it’s not a silver bullet. In the post-SCA world, merchants will have new challenges to overcome if they want to continue to protect their customers, their brand and their business against fraud.

Are you ready for SCA?


You can optimize your post-SCA fraud approach with Decision Manager, our cross-channel fraud platform. If you need help supporting the PSD2 SCA mandate, be sure to check out our 3-D Secure 2 authentication solution. And, of course, reach out to us any time with questions. 

This article was orignally published in The Paypers' Fraud Prevention and Online Authentication Report 2019 / 2020, with the headline "Bypassing Strong Authentication: Expected Fraud Workarounds after SCA."