Is it my bank deciding what I can buy?
You found the headphones you wanted. You are ready to pay, and the online shop guides you smoothly through the process: log into your account, select the payment method (in this case, your credit card), check the order, and click the PAY NOW button.
Too bad, the headphones are not yours yet! First, you have to prove to your bank that you really want to buy the headphones. Even though the e-commerce (e-com) merchant is perfectly capable of proving that it is you, the bank still wants to confirm it is you.
Delegated Authentication is based on SCA
For experts, what happens is entirely logical. In the current setup, the issuing bank is responsible and liable for the transaction. And following the PSD2 regulation for Strong Customer Authentication (SCA), the bank needs to verify who is initiating the transaction.
However, the process can confuse customers, and we blindly trust that the handover between merchant and issuer is flawless. When you click the PAY NOW button, you are pulled out of the user-friendly shopping environment and launched into the mobile banking app. This change of channel creates exposure to man-in-the-middle attacks, and it disrupts the carefully orchestrated customer journey. In the end, the customer experience depends on a successful implementation on the issuer side. And that is outside the influence of the merchant.
The e-commerce process is ready for improvements, and the tools to do this are available.
Recently, credit card schemes upgraded the 3-D Secure authentication process to comply with the PSD2 regulation. At the same time, they included a clever new feature: Delegated Authentication. Delegated Authentication defines the passthrough of the authentication result via the 3-D Secure server, from the merchant to the issuer. In theory, it eliminates the issuer's need to authenticate, removing at least one authentication step and making the purchase more frictionless.
However, from the issuer perspective, authentication is an essential part of risk mitigation. An issuer depends on SCA solutions, like Encap SCA, to authenticate customers and approve their transactions. There are strict rules for these solutions: Encap SCA is PSD2 certified, facilitates omnichannel online and offline authentication, and is regularly tested by internal and external security experts.
Delegated Authentication is trust and simplicity
For Delegated Authentication to work, the merchant needs to implement a trusted banking-grade SCA solution, like Encap SCA. Only with trust can Delegated Authentication simplify the cooperation between merchant and issuer. When trust is established, a contractual framework provided by the schemes removes the need for one-on-one agreements between merchant and issuer, and the liability shift is managed accordingly.
Let us now review the purchase from the introduction, with Delegated Authentication implemented, and see how the customer will benefit from the improved seamless e-com process.
Again, you will come to the point where you are ready to pay. You log into your account, omnichannel, via the e-com merchant's mobile app. The merchant has to make sure that the app is secure, the communication is encrypted, and that the transaction is unique – Encap SCA will manage all of this.
You check the order, and you click the PAY NOW button. The merchant will ask for confirmation in the mobile app, presenting a dynamic message showing the items you want to buy and their costs. You approve the transaction with your biometrics and that’s it!
In the background, the authentication result is passed through to the issuer using the 3-D Secure rails. The issuer can trust the request and will approve the transaction without asking for authentication in the banking app. This gives the merchant full control over the customer journey.
Delegated Authentication with Encap SCA
Encap SCA fits perfectly with the needs of innovative e-commerce merchants. Encap offers a bank-grade SCA solution trusted by many financials and used for more than a billion authentications per year. Encap SCA improves the customer journey from start to finish: at onboarding, with the unique Anonymous ID feature; at account creation, with risk data to support the merchant’s risk evaluation process; at authentication, with the PSD2 certified Encap SCA for Delegated Authentication; and, with our Account Recovery feature, at the point where customers need to re-install their mobile app and the merchant needs to preserve the relationship.
Written by Wido Beekman