As a decentralised security solution, Strong Customer Authentication (SCA) requires all stakeholders in remote electronic payments to be compliant, from the account servicing payment service provider (i.e., the issuer) through to the acquirer, the retailer, and the cardholder. If any of these do not play by the new rules, the result will be more checkout friction. The prospect is that the impact on the customer experience will be detrimental as additional friction is forced into consumers’ payment process, requiring consumers to re-authenticate themselves using multiple factors at the point of payment. Retailers are worried about the potential loss of sales revenue.
However, for months prior to the SCA deadline, American Express has been taking advantage of being both the acquirer and the issuer and allowing its cardholders to nominate their most frequently used retailers. You may have already experienced this online or on a mobile checkout similar to the one shown below:
This effectively uses the ‘trusted beneficiaries’ exemption in the SCA Regulatory Technical Standards (RTS) - Article 13. When the cardholder completes a payment, they are presented with the option to ‘whitelist’ a retailer they trust to avoid having to authenticate future purchases. These retailers will be included on a list of ‘trusted beneficiaries’ maintained by American Express. As American Express owns both the commercial relationship with the retailer and the cardholder, they can use basic data analytics to cross-reference the shopping habits of their cardholders and benefit from Article 13 in the RTS.
The trusted beneficiary exemption states that when completing authentication for payment, customers may have the option to whitelist a retailer or another business that they trust to avoid having to authenticate future purchases. These retailers and other businesses will be included on a list of ‘trusted beneficiaries’ maintained by the customer’s bank or payment service provider.
While whitelisting has the potential to make repeat purchases or subscriptions more convenient for customers, so far, the adoption of this feature among banks (other than American Express) has been slow and irregular. Mastercard and Visa card issuers have not yet consistently implemented SCA and their approach to whitelisting is not the same.
Customers will have the option to assign well-known retailers and businesses to a list of ‘Trusted Beneficiaries’. This list will be updated and maintained by the ASPSP (Account Servicing Payment Service Provider), who also has the authority to remove trusted beneficiaries. A retailer’s PSP or Acquirer may build mechanisms to ‘suggest’ trusted beneficiaries to the ASPSP on behalf of the end-user/cardholder.
Access Control Server (ACS) providers working with issuers are expected to play an important role by requesting the cardholder to whitelist a trusted retailer while shopping. For example, the cardholder could tick a box to whitelist the retailer when authenticating the transaction.
Retailers and other commercial businesses accepting consumer payments cannot manage whitelists of trusted beneficiaries or enrol themselves in a customer’s trusted beneficiaries list. However, retailers can advise their customers of the benefits of using trusted lists and facilitate the enrolment process. If a retailer is on a customer’s ‘whitelist’ then SCA will not be required, regardless of the amount, frequency or variation of any purchases. This is really good news for retailers: it will improve the conversion rate, help increase sales revenues and finally deliver frictionless payments in a post-SCA world.
As SCA gains momentum, there are four activities that retailers ought to have on their plan of action for the next few months:
- Work with their PSP and acquirer to develop an exemption strategy that includes the ability for consumers to add them to their whitelist
- Request an issuer to serve the trusted beneficiaries enrolment option through an SCA challenge when a customer, who has not previously added the merchant to their list, completes a transaction with them
- Promote the benefits to their most regular and valuable customers and advise them on how they can add the merchant to their trusted beneficiaries list – this could be integrated with a retailer’s loyalty offering
- Own the customer experience – play a role in designing this in conjunction with issuers to make sure it is what they expect for their shoppers.
Whitelisting is an issuer solution and only the issuer will decide whether it will manage the whitelist. The issuer decides which cardholders will be able to whitelist and which merchants it is willing to include on a whitelist. Issuers may ban high-risk merchants from being whitelisted even if the cardholder wants to whitelist them – the issuer has the ultimate control.
In the near future, once SCA becomes standard practice for all stakeholders, the consumer may add or remove businesses from their managed trusted beneficiaries list. They can consent to the issuer’s suggestion to add a retailer, but an issuer may also remove a retailer from a list. Either way, enrolment and maintenance of a trusted beneficiaries list require SCA.
Across Europe, there are literally thousands of issuers and ASPSPs and they will not necessarily provide a trusted beneficiary list solution themselves or in the same fashion. They may even outsource to a third-party technology solution provider. The card scheme Visa has launched its own Visa Trusted Listing Solution. This, coupled with Visa Token Service (VTS), is expected to allow merchants greater control and minimise transaction declines. Mastercard is encouraging its issuers to build their own solutions or work with ACS providers.
Issuers are already developing their apps and banking websites to allow easy management of whitelisting for their customers. How consumers will be informed about the practice of whitelist management, and even the language the industry plans to use in communicating these new features, remains to be seen. As for the shopper, there are still many questions about how exactly whitelisting will work in practice. Whitelist management, for example, could become impractical for consumers if over time the list becomes too large. A key competitive differentiator for issuers will be how they best provide their customers with a whitelisting proposition in terms of the user experience and how their card will remain top of the wallet.
American Express may have a head start and over time issuers without a whitelisting strategy are expected to lose volume and customers. It will be very important for retailers to start developing their plan of action in response to the issuer’s whitelisting developments. Retailers need to be proactive rather than reactive to what the issuers may impose on them. The retailer needs to own the customer experience.
The content of this article does not reflect the official opinion of Edgar, Dunn & Company. The information and views expressed in this publication belong solely to the author(s).
Mark is a Director in the London office and heads up the Retailer & Hospitality Payments Practice for EDC. He has over 25 years of experience of consulting strategy in the payments and fintech industries. Mark works with leading global merchants, and payment suppliers to retailers and hospitality merchants, to develop omnichannel acceptance strategies. He uses the 360° Payment Diagnostic methodology developed by EDC to identify cost efficiencies and new growth opportunities for retailers and hospitality merchants by defining an appropriate mix of payment methods, acceptance channels, innovative consumer touchpoints, and optimizing Payment Service Providers and acquiring relationships. Outside the payments and fintech industry Mark is a passionate snowboarder.