Is my bank deciding what I can and can’t buy?
You have found the headphones you wanted. You are ready to pay, and the online shop guides you smoothly through the process: log into your account, select the payment method – in this case, your credit card – check the order, and click the “Pay now” button.
Too bad, the headphones are not yours yet! First, you have to prove to your bank that you really do want to buy the headphones. Even though the e-commerce (e-com) merchant is perfectly capable of proving that it is you placing the order, the bank still wants to confirm for itself that it is you.
Delegated Authentication is based on SCA
To experts, the process appears entirely logical. In the current setup, the issuing bank is responsible and liable for the transaction. And following the PSD2 regulation for Strong Customer Authentication (SCA), the bank needs to verify who is initiating the transaction.
However, customers can find it all thoroughly confusing, and have to blindly trust the handover between merchant and issuer. When you click the “Pay now” button, you are pulled out of the user-friendly shopping environment and launched into the mobile banking app. This change of channel creates exposure to man-in-the-middle attacks, and it disrupts the carefully orchestrated customer journey. In the end, the customer experience depends on the successful implementation on the issuer side. And that is outside the influence of the merchant.
The e-commerce process is ready for improvement, and the tools to do this are available.
Recently, credit card schemes upgraded the 3-D Secure authentication process to comply with the PSD2 regulation. And at the same time, they included a clever new feature: Delegated Authentication. Delegated Authentication defines the passthrough of the authentication result via the 3-D Secure server, from the merchant to the issuer. And in theory, it eliminates the issuer’s need for authentication, removing at least one authentication step and reducing friction in the purchase.
However, from the issuer’s perspective, authentication is an essential part of risk mitigation. An issuer depends on SCA solutions, like Encap SCA, to authenticate customers and approve their transactions. There are strict rules for these solutions: Encap SCA is PSD2 certified, facilitates omnichannel online and offline authentication, and is regularly tested by internal and external security experts.
Delegated Authentication is trust and simplicity
For Delegated Authentication to work, the merchant needs to implement a trusted banking-grade SCA solution, like Encap SCA. Only when trust is in place can Delegated Authentication simplify cooperation between merchant and issuer. When trust is established, a contractual framework provided by the schemes removes the need for one-on-one agreement between merchant and issuer, and the shift in liability is managed accordingly.
Let’s go back to those headphones we were buying earlier, but this time with Delegated Authentication implemented, and see how the customer will benefit from the improved, seamless e-com process.
Again, you come to the point where you are ready to pay. You log into your account – omnichannel, via the e-com merchant’s mobile app. The merchant has to make sure that the app is secure, the communication is encrypted, and that the transaction is unique – and Encap SCA will manage all of this.
You check the order, and you click the “Pay now” button. The merchant will ask for confirmation in the mobile app, presenting a dynamic message showing the items you want to buy and the price. You approve the transaction with your biometrics, and that’s it!
In the background, the authentication result is passed through to the issuer over the 3-D Secure rails. The issuer can trust the request and will approve the transaction without asking for authentication in the banking app. This gives the merchant full control over the customer journey.
Delegated Authentication with Encap SCA
Encap SCA is a perfect fit for the needs of innovative e-commerce merchants. Encap offers a banking-grade SCA solution trusted by many financial institutions and used for more than a billion authentications per year. Encap SCA improves the customer journey from start to finish: at onboarding, with the unique Anonymous ID feature; at account creation, with risk data to support the merchant’s risk-evaluation process; at authentication, with the PSD2-certified Encap SCA for Delegated Authentication; and at the point where a merchant needs to preserve the relationship, when customers need to reinstall their mobile app, with our Account Recovery feature.
Written by Wido Beekman