Strong Customer Authentication (SCA) enforcement: Everything you need to know

Discover what the new European payment legislation means for your business, payments, and customers

Please note: this guide does not relate to how you are billed for Google Ads or to any other Google billing or payments. It only addresses how merchants process customer payments on their websites.

From next year, a financial regulation called Payment Services Directive 2 (PSD2) will become widely enforced by local authorities throughout the European Economic Area. A key part of it — known as Strong Customer Authentication (SCA) — means that certain payments made by shoppers to merchants must undergo an additional process known as ‘two-factor authentication’. The regulations will be enforced in all EEA countries from 31 December 2020, apart from France (March 2021) and the UK (September 2021). The extra payment authentication is required where both the acquirer and cardholder’s bank are located in the EEA. The changes will also likely be enforced within the UK, regardless of the outcome of Brexit.

To gain new insights into this regulation we spoke with leading payment providers Adyen, Ingenico and Stripe. In this article, we walk you through our findings and help you find answers to the key questions you might have around SCA.

  1. First, why has PSD2 been introduced?

    The regulation represents a monumental change in the European payments landscape. It’s been introduced to promote innovation, improve consumer protection, and boost competition by reducing the costs of payment services. It’s worth bearing in mind that while PSD2 is impacting businesses in Europe, companies that actively trade with Europe have also had to adapt. As such, while PSD2 is a European regulation, its arrival has certainly been felt globally.1

    One of the key reasons for PSD2 is to increase the overall security of online payments. Before, many banks triggered SCA by asking for a one-time password (OTP) or a single static password — but, of course, passwords are easily forgotten.2 With PSD2 come the Strong Customer Authentication (SCA) criteria, which verify a customer’s identity using two of the following factors:3

    • Something they know (e.g. a PIN or password)
    • Something they have (e.g. a mobile device or card reader)
    • Something they are (e.g. a facial scan or fingerprint)

    While transactions made within the EEA are affected by SCA, payments elsewhere are not subject to the new requirements. That said, some European card issuers could still decline such payments, although this is not expected to be a common occurrence.

  2. Impact of SCA

    Content provided by Stripe

    SCA is going live during a traditionally busy period for e-commerce, and a smooth transition depends on several factors: how aware cardholders are of the new security experience; the ability of issuers to offer user-friendly SCA solutions; and the degree to which acquirers can offer SCA solutions that are optimized to reduce friction and support merchant readiness. Given the impact SCA has on the cards ecosystem, opportunities exist for greater partnerships, more innovative security solutions, and better, more customized user experiences.

    It’s also worth noting that SCA plans are subject to change, and you can follow this page for updates.

  3. 3 things you need to know about PSD2

    Content provided by Ingenico

    1. How 3DS V1 is different from 3DS V2

    Payment providers built a certified product (called 3D Secure 2) to PSD2 SCA regulation standards. 3DS V1 was introduced back in 2001, but its impact on the user experience, and the fact that it is ‘web only’, make it far from ideal. That’s why 3DS V2 has been developed: to authenticate shoppers’ purchases in a more user-friendly way, while providing both a web and a native (in-app) solution. For example, with 3DS V2, merchants can improve the payment process for customers by authenticating transactions in the background without interruption. Authenticating the transaction this way also shifts liability to issuers. Another notable feature is that merchants will be encouraged to provide more high-quality data to issuing banks — and the better that data is, the more likely transactions will be authorized and customers will enjoy a smooth, frictionless experience.

    Theoretically, merchants can provide around 100 different data points, but in reality just 20 are required and the rest are optional. ePayments solutions providers recommend other fields for your customers to complete, which will help ensure as many payments as possible are approved through 3DS V2. Much of this data can be collected passively from customers, with minimal interaction. Your payment service provider (PSP) can also help you collect additional data points via device fingerprinting technologies; for example, the user’s device type, browser, screen size and time zone.

    Important PSD2 deadlines you need to know about

    The timetable for major card providers to require strong customer authentication from merchants is detailed below.1

    Date | Event
    14th September 2019 | Initial SCA mandate: be ready for 3D Secure.
    18th October 2019 | Mastercard mandate of 3DS V2.1 for card issuers: Mastercard issuers must now support 3DS V2.1. Mastercard issuers can now reject authorization without 3DS authentication, so 3DS V1 is the minimum requirement.
    14th March 2020 | Visa mandate of 3DS V2.1 for card issuers: Visa card issuers must now support 3DS V2.1. Visa card issuers can now reject authorization without 3DS authentication, so 3DS V1 is the minimum requirement.
    1st July 2020 | Mastercard mandate of *3DS V2.1+ for card issuers: Mastercard now supports exemptions, and Mastercard issuers must now support 3DS V2.1+.
    31st December 2020 | Current deadline for compliance with PSD2: all online transactions will need to use 3DS unless exemptions or exclusions apply. [All of the EEA except Denmark (January 2021), France (March 2021) and the UK (September 2021)]
    1st January 2021 | American Express and Diners Club follow the PSD2 deadline: but for AmEx, SafeKey exemptions are still permitted. For Diners Club, ProtectBuy exemptions will apply.
    14th March 2021 | Mastercard mandate of 3DS V2.2 for card issuers: merchants now need to support 3DS V2.2 for Mastercard transactions.
    14th March 2021 | Visa mandate of 3DS V2.2 for card issuers: Visa card issuers must now support 3DS V2.2. Visa has however published a waiver for issuer compliance until March 2

    Figure 1: The timetable for introducing strong customer authentication

    *3DS V2.1+: interim functionality, between 3DS V2.1 and 3DS V2.2, for Mastercard only

    Transactions which are exempt or excluded from SCA regulations:

    Some payments fall outside the scope of PSD2 entirely, or allow you to skip SCA. Let’s run through these quickly.

    Out Of Scope:2

    • Mail order/telephone order (MOTO)
    • Merchant Initiated Transactions (MIT):
      • Recurring (e.g. subscription payments)
      • Industry-specific exceptions (e.g. A no-show charge at an event)
    • Anonymous prepaid cards
    • ‘One leg out’ transactions — when either the cardholder’s issuing bank or your acquiring bank is outside the EEA

    Exemptions:2

    • Low-value transactions (e.g. less than EUR 30) – Transactions under €30 do not require SCA, but the issuing bank keeps per-card counters such as the number of exempted transactions and the sum of their amounts since the last SCA. For example, if a shopper’s transactions on one card exceed the counter of five consecutive transactions, or if the cumulative total exceeds €100, the issuing bank will ask for SCA
    • Transaction Risk Analysis (TRA) – Issuing banks can treat a transaction as low risk based on the average fraud levels of the card issuer, of the acquirer processing the transaction, or of both
    • Trusted beneficiary – customers can add you to a list of trusted payees for which SCA is not required
    • Subscription payments – SCA is required when a series of payments is first set up. The payments must always be the same amount and always go to the same payee. After the first payment is made, SCA is no longer required.

  4. Common questions about PSD2

    Content provided by Ingenico

    Why is it so important to flag customer transactions correctly?

    Doing so will help ensure you avoid unnecessary ‘soft declines’ — where the bank mistakenly believes a transaction requires SCA, and rejects it. Ultimately, this results in a poor user experience and frustrated customers.1

    There are a few specific areas where this is a risk, including:

    Subscription payments

    While the first transaction requires customer authentication, all subsequent transactions are flagged as Merchant Initiated Transactions (MIT). If customers pay a set amount at a fixed interval (or with a small amount of variation), SCA won’t be required if flagged correctly.

    Stored cardholder credentials

    Where a customer’s payment details are stored for subsequent transactions — a recurring subscription, for example — the first transaction requires SCA, and the rest can be Merchant Initiated Transactions (MIT). However, if a customer is merely storing their card details for future purchases (but with no regular scheduled payments), then future transactions will be customer-initiated (CIT) and require SCA.
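    The out-of-scope list, the exemptions and the MIT/CIT flagging described above can be combined into a single decision rule. The following Python is an added example, not code from this page or from any of the payment providers named in it; the Transaction fields, the issuer counter model and the way exemptions are ordered are assumptions, with the thresholds (EUR 30, five transactions, EUR 100) taken from the figures quoted on this page. A real issuer applies its own rules, so treat this as a model for reasoning about which of your flows will be challenged, not as a substitute for your PSP’s logic.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Thresholds quoted on this page: low-value limit EUR 30, issuer counters of
# five consecutive exempted transactions or EUR 100 cumulative since the last SCA.
LOW_VALUE_LIMIT_EUR = 30.0
MAX_EXEMPT_TXNS = 5
MAX_EXEMPT_SUM_EUR = 100.0


@dataclass
class Transaction:
    amount_eur: float
    channel: str = "ecommerce"      # "ecommerce" or "moto" (mail order / telephone order)
    initiator: str = "customer"     # "customer" (CIT) or "merchant" (MIT)
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    anonymous_prepaid: bool = False
    first_of_series: bool = False   # first payment of a subscription or credential-on-file setup
    trusted_beneficiary: bool = False
    tra_low_risk: bool = False      # outcome of issuer/acquirer transaction risk analysis


@dataclass
class IssuerCounters:
    """Per-card counters an issuing bank keeps for the low-value exemption (constructed model)."""
    txns_since_sca: int = 0
    amount_since_sca_eur: float = 0.0


def sca_decision(tx: Transaction, counters: IssuerCounters) -> Tuple[bool, str]:
    """Return (sca_required, reason) and update the issuer counters as a side effect."""
    # 1. Out of scope: PSD2 SCA does not apply to these transactions at all.
    if tx.channel == "moto":
        return False, "out of scope: MOTO"
    if not (tx.issuer_in_eea and tx.acquirer_in_eea):
        return False, "out of scope: one leg out"
    if tx.anonymous_prepaid:
        return False, "out of scope: anonymous prepaid card"
    if tx.initiator == "merchant":
        return False, "out of scope: merchant initiated transaction"  # subsequent subscription / stored-credential payments
    # 2. Setting up a series (subscription or card on file) always needs SCA.
    if tx.first_of_series:
        counters.txns_since_sca, counters.amount_since_sca_eur = 0, 0.0
        return True, "first payment of a series"
    # 3. Exemptions for in-scope customer-initiated transactions.
    if tx.trusted_beneficiary:
        return False, "exempt: trusted beneficiary"
    if tx.tra_low_risk:
        return False, "exempt: transaction risk analysis"
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        new_count = counters.txns_since_sca + 1
        new_sum = counters.amount_since_sca_eur + tx.amount_eur
        if new_count <= MAX_EXEMPT_TXNS and new_sum <= MAX_EXEMPT_SUM_EUR:
            counters.txns_since_sca, counters.amount_since_sca_eur = new_count, new_sum
            return False, "exempt: low value"
    # 4. No exemption applies: SCA is required and the counters reset.
    counters.txns_since_sca, counters.amount_since_sca_eur = 0, 0.0
    return True, "SCA required"


def run_series(amounts: List[float], **flags) -> List[bool]:
    """Apply sca_decision to a sequence of payments on one card; returns the SCA flags in order."""
    counters = IssuerCounters()
    return [sca_decision(Transaction(a, **flags), counters)[0] for a in amounts]
```

    Running run_series([25.0] * 5) shows the sum counter tripping on the fifth €25 payment, while run_series([15.0] * 6) shows the five-transaction counter tripping on the sixth.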

    Why are there mandatory and optional form fields for customer data — and which should merchants complete?

    If the shipping address, card number, transaction amount, and other mandatory form fields are missing, issuers may challenge (best-case scenario) or decline the transaction altogether, which can negatively impact the customer experience and drop-off rate. Having a fallback mechanism in place to ‘save’ transactions using 3DS V1 can help you avoid declined payments wherever possible. Looking ahead, as the adoption of 3DS V2 grows, providing more data about your customers will inevitably boost your chances of offering a frictionless checkout experience. There are some ‘quick win’ optional data fields you could consider, such as IP address, purchase information (e.g. transaction value), merchant risk information (e.g. gift card use), and consumer account information (e.g. age of the account, password changes).

    What proportion of the transaction value should merchants authenticate for?

    In some cases, a single authentication may result in multiple authorizations — for example, if a customer books a travel package containing multiple services from several providers via an online travel agency. Here, the agency would perform SCA just once for all the merchants involved, then split the authentication result and pass it to the respective merchants, who perform their own authorizations.

    Even in cases where you may not know what the total value of the transaction will be when initiated, it’s still advisable to submit an authentication request for the maximum possible amount. However, make sure you tell customers they won’t be charged until a specific amount is authorized. An example of this could be when customers register for a rental bike or ride share service where the final fee is based on distance traveled.

    Should merchants provide a return URL?

    In short, yes. This way, if an issuer declines a customer transaction, you can automatically redirect them through the 3DS V1 process. All you need to do is provide your PSP with a return URL they can use for redirects.

  5. Suggested action plan

    Source: Global Business Solutions by Google and Adyen

    For applicable countries the SCA element of the PSD2 regulation will be enforced at the end of December this year, so we recommend discussing its impact with your payment service provider/acquirer (PSP) at the earliest opportunity.1

    For example, you may want to ask them:

    • Are your transactions affected by SCA? If so, what might the impact be?
    • Does your PSP offer 3DS support? This is the most common way to authenticate payments in an SCA-compliant way.
    • Is your PSP applying for exemptions? If so, ask them how this will be managed for your business.
    • What testing is available? Ideally, you should stress test the new process to ensure a smooth ongoing checkout experience for your customers.
    • What market insights can your PSP offer? Request information on the expected adoption and implementation of exemptions in each of your markets.

    Other steps you can take:

    Consider SCA-friendly payment methods

    For example, Alternative Payment Methods (APMs) include (but are not limited to) Google Pay and other leading wallets. They’re SCA-friendly because their payment flows have a built-in layer of biometric or password authentication. Other examples include online bank transfer options and eWallets such as PayPal.

    Optimise your checkout flow

    Closely monitor and refine your checkout experience. You could even add a message letting customers know they may be redirected, and the reason why.

    Update your customer support and FAQs

    Transaction declines may bring a rise in customer queries and requests, so make sure your support teams are aware of the changes that are happening and how to respond.

    Keep a close eye on transaction declines

    Monitor soft declines (where a cardholder’s bank refuses authorization) versus hard declines (where a cardholder’s bank declines the transaction entirely). Doing so will allow you to identify specific issuers with which you have higher-than-average decline rates. If this is the case, speak with your processor to see if they can help reduce declines. Useful questions to ask them:

    • Are they seeing similar behavior from other merchants who use this issuer?
    • Are they seeing similar behavior for all merchants under the same merchant category code?
    • What are the main reasons for declines?
    • Do they offer any best practice recommendations or solutions that could help you reduce high volumes of declines from one specific issuer, based on the reason codes?
    • Do they have a sufficiently close relationship with the issuer so they can discuss any concerns directly?

  6. Tips to help you find the right 3D Secure partner
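    One way to run the soft- versus hard-decline check described above over your own authorization records, per issuer and with the dominant reason code for each flagged issuer. This Python is an added example, not from this page or any PSP; the log line format, issuer names and reason codes are constructed, and the 1.5x-overall-rate threshold is an arbitrary assumption you would tune to your own volumes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of authorization outcomes, one per line (not real PSP output).
SAMPLE_LOG = """\
2020-12-31T09:00:01Z issuer=BANK_A result=approved
2020-12-31T09:00:05Z issuer=BANK_A result=soft_decline reason=sca_required
2020-12-31T09:00:09Z issuer=BANK_A result=approved
2020-12-31T09:00:12Z issuer=BANK_A result=approved
2020-12-31T09:01:01Z issuer=BANK_B result=soft_decline reason=sca_required
2020-12-31T09:01:04Z issuer=BANK_B result=soft_decline reason=sca_required
2020-12-31T09:01:08Z issuer=BANK_B result=approved
2020-12-31T09:01:10Z issuer=BANK_B result=soft_decline reason=sca_required
2020-12-31T09:02:01Z issuer=BANK_C result=approved
2020-12-31T09:02:03Z issuer=BANK_C result=hard_decline reason=insufficient_funds
2020-12-31T09:02:07Z issuer=BANK_C result=approved
2020-12-31T09:02:09Z issuer=BANK_C result=approved
garbled line with no fields
"""

LINE_RE = re.compile(
    r"issuer=(?P<issuer>\S+)\s+result=(?P<result>\S+)(?:\s+reason=(?P<reason>\S+))?"
)


def decline_stats(log_text: str) -> dict:
    """Per-issuer outcome counts and soft-decline reason codes parsed from the log."""
    stats = defaultdict(lambda: {"total": 0, "soft": 0, "hard": 0, "reasons": Counter()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole report
        s = stats[m["issuer"]]
        s["total"] += 1
        if m["result"] == "soft_decline":
            s["soft"] += 1
            s["reasons"][m["reason"] or "unknown"] += 1
        elif m["result"] == "hard_decline":
            s["hard"] += 1
    return dict(stats)


def flag_issuers(stats: dict, factor: float = 1.5) -> dict:
    """Issuers whose soft-decline rate exceeds `factor` times the overall rate, with their top reason code."""
    total = sum(s["total"] for s in stats.values())
    overall = sum(s["soft"] for s in stats.values()) / total if total else 0.0
    flagged = {}
    for issuer, s in stats.items():
        rate = s["soft"] / s["total"]
        if rate > factor * overall:
            top_reason = s["reasons"].most_common(1)[0][0]
            flagged[issuer] = {"soft_rate": round(rate, 2), "top_reason": top_reason}
    return flagged
```

    With the sample above, BANK_B is flagged at a 75% soft-decline rate against an overall rate of one third, and its reason code points at missing SCA rather than a hard refusal, which is the case to raise with your PSP.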

    Content provided by Adyen

    Working with the right 3D Secure partner will help you achieve SCA compliance without impacting the overall user experience of your shopper. The exemptions should also be taken into consideration, as they are a compliant way to ensure a frictionless experience. Here are a few things to look out for:

    Acquiring and authentication in one system

    Ultimately, authorization is the goal — so it’s important to pick a provider who knows which version of 3DS (1 or 2) works best for both the shopper and issuer. While standalone providers might choose the most appropriate 3DS version as far as your shoppers are concerned, it may not be entirely right for your issuer. Likewise, acquirers may well determine what’s right for issuers, but not necessarily so for shoppers. Finding a provider who can do what’s right for both parties is key, and will give you the highest chances of success.

    Superior authentication experiences for customers

    In some instances, customer data sent in the background is enough to authenticate without users having to complete an extra step. However, when additional authentication is required, it should be effortless. Here are some of the experiences to check for:1

    Two-factor: The user is asked to enter a two-factor authentication code, which is sent to them via email or SMS.

    Biometric: An app-switch to an issuing-bank app is facilitated by the SDK. The user can then use their fingerprint or face in the issuing bank app.

    Generally, try to offer a ‘native’ authentication experience via your own website or app, rather than adding friction to the process by redirecting shoppers to another URL.

    Dynamic PSD2 application

    After PSD2’s regulatory requirements take full effect in your country, your authorization rates could be determined by picking one PSD2 SCA exemption over another. Or they might depend on how strictly a bank is enforcing or monitoring authentication. They could even depend on which 3DS2 version you’re on. Some providers, such as Stripe, Adyen and Ingenico, have custom authentication systems that can surface new insights as the PSD2 landscape matures. For example, Adyen’s Authentication Engine can monitor and identify patterns and behaviors, then take action in real time.2

  7. Providers who can help you with the SCA process

    Here are just a few payment partners who can work closely with you to achieve full SCA compliance, and ensure you’re offering customers a smooth and friction-free checkout experience.

    Adyen

    Adyen is the payments platform offering its services to some of the world’s leading companies and offers a range of 3DS options to meet PSD2 SCA requirements. Adyen is both an acquirer and 3DS provider, can dynamically apply 3DS on a transaction-level and delivers frictionless payment experiences online and in-app. Learn more.

    Ingenico

    Ingenico offers solutions to help you turn the new regulatory compliance into an opportunity to innovate, and create safe, frictionless, and mobile-optimized experiences for customers. Learn more.

    Stripe

    Stripe builds economic infrastructure for Internet businesses and its products help modernize enterprise commerce for businesses around the world, including dozens of category leaders who each process more than $1B in annual payment volume. Stripe offers a range of SCA-ready payment APIs and products to help you manage your PSD2 compliance and minimize the impact on your business. Learn more.

    Google Pay

    Google Pay helps merchants meet SCA compliance requirements while delivering a seamless online checkout experience. Its API is also free and publicly available. Learn more.

  8. Conclusion

    Achieving SCA/PSD2 compliance while ensuring your customers enjoy a smooth checkout experience will be key over the coming weeks and months. Use this guide to navigate your way through the process, ask the right questions, and minimise disruption to your operation. Remember, PSD2 is also an opportunity for your business to innovate — and develop a checkout experience that not only improves your payment conversion rate, but also boosts loyalty and puts the customer first.

    For more free guides and articles on researching and choosing the right payment provider for your business, head over to Market Finder’s payment section.

    Notes to readers:

    The payment partner information in this guide is provided for your convenience, and Google does not take responsibility for its accuracy or completeness.

    Content provided by: Adyen, Ingenico and Stripe.

    Due to the nature of the regulation and the technical approaches involved, the information contained here is correct at the time of publication but may be subject to change.