Strong Customer Authentication (SCA) + Arkose Labs = Fortified Payment Security

June 10, 2021 | 5 min read


Strong Customer Authentication (SCA) is a mechanism to make payments more secure by building additional authentication into the checkout flow. However, it is no silver bullet and, on its own, cannot provide blanket protection to user accounts. Businesses need fraud solutions that can supplement defenses by monitoring entry points and deterring bad actors right at the outset.

Introduced as part of the revised Payment Services Directive (PSD2) in Europe, SCA requires all payments to be performed using multifactor authentication (MFA). It authenticates a payment using two or more unique elements drawn from three categories: knowledge (something only the user knows), possession (something only the user possesses), and inherence (something the user is).

SCA has sparked a debate with two opposing schools of thought. One group believes that SCA will introduce friction that can adversely affect the user experience when consumers make purchases; the other believes that it will enhance trust that consumer accounts are being protected. Although consumers generally find friction annoying, they seem to accept it more readily as the sensitivity of their data increases, for example when their financial accounts are involved.

SCA doesn't guarantee all-round account protection

The reason behind introducing SCA is to make payments, both offline and online, secure and to curb fraud. With the growing importance of protecting financial transactions globally, SCA can be an effective tool in achieving this goal, and many countries outside of Europe are also considering implementing similar authentication requirements.

That said, SCA is no silver bullet and cannot provide end-to-end security for a consumer account. This is because SCA is limited in scope. It focuses only on the payment flow. What about the other activities such as account registration, log-ins, or making service changes? These activities do not involve SCA and are, therefore, left vulnerable to abuse.

Simply implementing SCA, without adequately fortifying other touchpoints with effective fraud defenses, cannot ensure holistic fraud prevention. For instance, in recurring transactions, such as those in subscription business models, SCA is required only for the first payment. This can create a gaping hole in the fight against fraud, as it leaves accounts vulnerable to account takeover attacks and gives attackers easy access to the stored payment details. However, catching fraudsters at the top of the funnel, before a user provides payment details, can help a payment service provider (PSP) reduce the number of failed payment attempts and hence downstream costs.

Consumers hold businesses accountable for account security

As more and more consumers go digital, the levels of fraud have also surged. Today, more than ever, there are multiple touchpoints with digital businesses that go beyond payments. This has translated into a manifold increase in the attack surface and opportunities for fraudsters to strike. Given that the returns from fraud are high, it has grown into a profitable global business, complete with a parallel ecosystem that facilitates criminal activities and profits from it.

A good outcome, however, is that consumers have become more aware of the threats they face online and are also more understanding of the need for protection mechanisms. They expect businesses to ensure the security of their digital accounts and are increasingly holding businesses accountable. It is, therefore, essential for digital businesses to deploy adequate checks and mechanisms that can help eliminate fraud and foster trust among their customers.

Use friction judiciously

Unnecessary friction, however, can still annoy consumers and make it challenging for digital businesses to strike a balance between fraud prevention and user experience. While higher levels of friction may improve fraud remediation, they can also quarantine authentic users, which in turn can adversely impact user experience. Therefore, businesses need a solution that allows them to use friction judiciously while allowing authentic users to continue enjoying their digital journeys unaffected.

Arkose Labs steps up vigilance at the entry gates to help digital businesses monitor every incoming user and deny entry to bad actors. Although the Arkose Platform doesn't block any user, it does use targeted friction to filter out suspicious users. It presents incoming users with unique challenges to prove their authenticity. These challenges completely eliminate automated scripts and bots, while genuine customers can clear them rather easily.

Malicious users who refuse to give up are presented with a continuous stream of challenges that keep increasing in complexity and take more time to clear. This disrupts any chance of scaling up the attacks and wastes attackers' time and resources to the extent that the returns start depleting and the attack is no longer profitable. Fraudsters are in the business of making money, and when their business model stops paying, they abandon the attacks and move on elsewhere.

Fraud continues to haunt payments, and its methods keep growing more sophisticated. Using SCA along with strengthening the entry points can enable businesses to effectively ward off fraud attempts while offering a seamless user experience to their genuine users. To learn how Arkose Labs makes this possible, please book a demo now.