Strong Customer Authentication (SCA) enforcement: Everything you need to know

Discover what the new European payment legislation means for your business, payments, and customers

Please note: this guide does not relate to how you are billed for Google Ads or to any other Google billing or payments. It only addresses how merchants process customer payments on their websites.

A new financial regulation — called Payment Service Directive 2 (PSD2) — is about to be introduced throughout the European Economic Area (EEA). A key part of the regulation, known as Strong Customer Authentication (SCA), means certain payments made by shoppers to merchants will need to undergo an additional process known as ‘two-factor authentication’. The new rules go live in all EEA countries from 31 December 2020, apart from Denmark (January 2021), France (March 2021), and the UK (September 2021). The extra payment authentication is required where both the acquirer and the cardholder’s bank are located in the EEA. The changes will also likely be enforced within the UK, regardless of the outcome of Brexit.

To gain new insights into this regulation we spoke with leading payment providers Adyen, Ingenico, and Stripe. In this article, we’ll walk you through our findings and help you find answers to the key questions you might have around SCA.

1 First, why has PSD2 been introduced?

The regulation represents a monumental change in the European payments landscape. It’s been introduced to promote innovation, improve consumer protection, and boost competition by reducing the costs of payment services. It’s worth bearing in mind that while PSD2 is impacting businesses in Europe, companies who actively trade with Europe have also had to adapt. As such, while PSD2 is a European regulation, its arrival has certainly been felt globally.

One of the key reasons for PSD2 is to increase the overall security of online payments. Before, many banks triggered SCA by asking for a single static password — but, of course, passwords are easily forgotten. With PSD2 come Strong Customer Authentication (SCA) criteria, which are used to verify a customer’s identity based on two of the following factors:

  • Something they know (e.g. a PIN or password)
  • Something they have (e.g. a mobile device or card reader)
  • Something they are (e.g. a facial scan or fingerprint)

While transactions made within the EEA will be impacted by SCA, payments elsewhere are not subject to the new requirements. That said, some European card issuers could potentially decline payments — but this is not expected to be a common occurrence.

2 Impact of SCA

Content provided by Stripe

The overall impact of SCA depends on when the business charges its customers. For example, ecommerce stores will ask users to authenticate during the checkout flow. But other businesses, like hotels and subscription services, have built their checkout flows to save people’s payment details for later use. This may mean customers have to return to the website or app to re-authenticate any purchases made using their stored card — and could present significant conversion rate challenges to many businesses in the months ahead.

It’s also worth noting that SCA plans are subject to change, and you can follow this page for updates.

3 3 things you need to know about PSD2

Content provided by Ingenico

1. How 3DS V1 is different to 3DS V2

Payment providers built a certified product (called 3D Secure 2) to PSD2 SCA regulation standards. 3DS V1 was introduced back in 2001, but its poor user experience meant it was never widely adopted. That’s why 3DS V2 has been developed: to authenticate shoppers’ purchases in a more user-friendly way. For example, with 3DS V2, merchants can improve the payment process for customers by authenticating transactions in the background without interruption. Because customers are also responsible for deciding whether to authenticate a transaction, the liability shifts away from merchants. Another notable feature is that merchants will be encouraged to provide more high-quality data to issuing banks — and the better that data is, the more likely transactions will be authorized, and customers will enjoy a smooth and frictionless experience.

Theoretically, merchants can provide around 100 different data points, but in reality just 20 are required, and the rest are optional. ePayments solutions providers recommend other fields for your customers to complete, which will help ensure as many payments as possible are approved through 3DS V2. Much of this data can be collected passively from customers, with minimal interaction. Your payment service provider (PSP) can also help you collect additional data points via device fingerprint-based technologies. For example, this includes the user’s device type, browser, screen dimensions, and time zone.

Important PSD2 deadlines you need to know about

The timetable for major card providers to require strong customer authentication from merchants is detailed below.

  • 14th September 2019 – Initial SCA mandate: be ready for 3D Secure.
  • 18th October 2019 – Mastercard mandate of 3DS V2.1 for card issuers: Mastercard issuers must now support 3DS V2.1. Mastercard issuers can now reject authorization without 3DS authentication, so 3DS V1 is the minimum requirement.
  • 14th March 2020 – Visa mandate of 3DS V2.1 for card issuers: Visa card issuers must now support 3DS V2.1. Visa card issuers can now reject authorization without 3DS authentication, so 3DS V1 is the minimum requirement.
  • 1st July 2020 – Mastercard mandate of 3DS V2.1+* for card issuers: Mastercard now supports exemptions, and Mastercard issuers must now support 3DS V2.1+.
  • 31st December 2020 – Current deadline for compliance with PSD2: all online transactions will need to use 3DS unless exemptions or exclusions apply. [All of the EEA except Denmark (January 2021), France (March 2021), and the UK (September 2021)]
  • 1st January 2021 – American Express and Diners Club follow the PSD2 deadline: for AmEx, SafeKey exemptions are still permitted; for Diners Club, ProtectBuy exemptions will apply.
  • 14th March 2021 – Mastercard mandate of 3DS V2.2 for card issuers: merchants now need to support 3DS V2.2 for Mastercard transactions.
  • 14th March 2021 – Visa mandate of 3DS V2.2 for card issuers: Visa card issuers must now support 3DS V2.2. Visa has, however, published a waiver for issuer compliance until March 2

Figure 1: The timetable for introducing strong customer authentication

*3DS V2.1+: interim functionality between 3DS V2.1 and 3DS V2.2, available for Mastercard only.

Transactions which are exempt or excluded from SCA regulations:

Some payments fall outside the scope of PSD2 entirely or allow you to skip SCA. Let’s run through these quickly.

Out of scope:

  • Mail order/telephone order (MOTO)
  • Merchant Initiated Transactions (MIT):
    • Recurring (e.g. subscription payments)
    • Industry-specific exceptions (e.g. a no-show charge at an event)
  • Anonymous prepaid cards
  • ‘One leg out’ transactions — when either the cardholder’s issuing bank or your acquiring bank is outside the EEA

Exemptions:

  • Low-value transactions (less than EUR 30) – Transactions under €30 do not require SCA, but the issuing bank keeps per-card counters such as the number of exempted transactions and the sum of their amounts. For example, if the shopper makes more than five consecutive exempted transactions on one card, or if their total exceeds €100, the issuing bank will ask for SCA.
  • Transaction Risk Analysis (TRA) – Issuing banks can treat a transaction as low risk based on the average fraud rate of the card issuer, of the acquirer processing the transaction, or of both.
  • Secure corporate payments – Business-to-business transactions don’t require SCA where dedicated payment processes are in place and the reference fraud rate is less than 0.005%.
  • Trusted beneficiary – Customers can add you to a list of trusted payees for which SCA is not required.
  • Subscription payments – SCA is required when a series of payments is first set up. The payments must always be the same amount and always go to the same payee. After the first payment is made, SCA is no longer required.

4 Common questions about PSD2

Content provided by Ingenico

Why is it so important to flag customer transactions correctly?

Doing so will help ensure you avoid unnecessary ‘soft declines’ — where the bank mistakenly believes a transaction requires SCA, and rejects it. Ultimately, this results in a poor user experience and frustrated customers.

There are a few specific areas where this is a risk, including:

Subscription payments

While the first transaction requires customer authentication, all subsequent transactions are flagged as Merchant Initiated Transactions (MIT). If customers pay a set amount at a fixed interval (or with a small amount of variation), SCA won’t be required if flagged correctly.

Stored cardholder credentials

Where a customer’s payment details are stored for subsequent transactions — a recurring subscription, for example — the first transaction requires SCA, and the rest can be Merchant Initiated Transactions (MIT). However, if a customer is merely storing their card details for future purchases (but with no regular scheduled payments), then future transactions will be customer-initiated (CIT) and require SCA.
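The out-of-scope and exemption rules listed above, together with the MIT/CIT flagging described for subscriptions and stored credentials, combine into a single decision. The helper below is an added example, not code from any of the providers in this guide; the field names, the EEA subset and the reading of the low-value counters (SCA once more than five exempted transactions or more than €100 have accumulated) are assumptions based on the text:

```python
"""Toy SCA decision helper for the scoping, exemption and MIT/CIT rules in
this guide. Added example; field names and thresholds are assumptions."""
from dataclasses import dataclass

EEA = {"DE", "FR", "NL", "IE", "ES", "IT"}  # constructed subset for the example
LOW_VALUE_LIMIT = 30.0       # EUR ceiling for the low-value exemption
LOW_VALUE_MAX_COUNT = 5      # exempted transactions allowed before SCA is asked
LOW_VALUE_MAX_SUM = 100.0    # cumulative EUR of exempted transactions before SCA


@dataclass
class IssuerCounters:
    """Per-card counters the issuing bank keeps for the low-value exemption."""
    count: int = 0
    total: float = 0.0


@dataclass
class Transaction:
    amount: float
    issuer_country: str
    acquirer_country: str
    channel: str = "ecommerce"       # "ecommerce" or "moto"
    initiator: str = "customer"      # "customer" (CIT) or "merchant" (MIT)
    stored_credential: bool = False  # card on file, no fixed schedule
    first_in_series: bool = False    # setting up a recurring series
    trusted_beneficiary: bool = False


def sca_decision(tx, counters):
    """Return (sca_required, reason); updates the issuer's low-value counters."""
    if tx.channel == "moto":
        return False, "out of scope: MOTO"
    if tx.issuer_country not in EEA or tx.acquirer_country not in EEA:
        return False, "out of scope: one leg out"
    if tx.initiator == "merchant":
        return False, "out of scope: merchant initiated (MIT)"
    # Everything below is customer-initiated (CIT), including a stored card
    # used without a fixed schedule.
    if tx.first_in_series:
        return True, "first payment of a series requires SCA"
    if tx.trusted_beneficiary:
        return False, "exempt: trusted beneficiary"
    if tx.amount < LOW_VALUE_LIMIT:
        counters.count += 1
        counters.total += tx.amount
        if counters.count > LOW_VALUE_MAX_COUNT or counters.total > LOW_VALUE_MAX_SUM:
            counters.count, counters.total = 0, 0.0  # assumed: issuer resets after SCA
            return True, "low-value counters exceeded"
        return False, "exempt: low value"
    return True, "customer initiated, no exemption"
```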

Why are there mandatory and optional form fields for customer data — and which should merchants complete?

If the shipping address, card number, transaction amount, and other mandatory form fields are missing, issuers can challenge (best-case scenario) or decline the transaction altogether — although this can negatively impact the customer experience and drop-off rate. Having a fallback mechanism in place to ‘save’ transactions using 3DS V1 can help you avoid payments being declined, wherever possible. Looking ahead, as the adoption of 3DS V2 grows, providing more data about your customers will inevitably boost your chances of offering a frictionless checkout experience. There are some ‘quick win’ optional data fields you could consider, such as IP address, purchase information (e.g. transaction value), merchant risk information (e.g. gift card use), and consumer account information (e.g. age of the account, password changes).

What proportion of the transaction value should merchants authenticate for?

In some cases, a single authentication may result in multiple authorizations — for example if a customer books a travel package containing multiple services from several providers via an online travel agency. Here, the agency would perform SCA just once for all the merchants involved, then split payment authentication and send this to the respective merchants for performing the authorisations.

Even in cases where you may not know what the total value of the transaction will be when initiated, it’s still advisable to submit an authentication request for the maximum possible amount. However, make sure you tell customers they won’t be charged until a specific amount is authorised. An example of this could be when customers register for a rental bike or ride share service where the final fee is based on distance travelled.

5 Suggested action plan

Source: Global Business Solutions by Google

The SCA element of the PSD2 regulation will be implemented at the end of December this year, so we recommend discussing its impact with your payment service provider/acquirer (PSP) at the earliest opportunity.

For example, you may want to ask them:

  • Are your transactions affected by SCA? If so, what might the impact be?
  • Does your PSP offer 3DS support? This is the most common way to authenticate payments in an SCA-compliant way.
  • Is your PSP applying for exemptions? If so, ask them how this will be managed for your business.
  • What testing is available? Ideally, you should stress test the new process to ensure a smooth ongoing checkout experience for your customers.
  • What market insights can your PSP offer? Request information on the expected adoption and implementation of exemptions in each of your markets.

Other steps you can take:

Consider SCA-friendly payment methods

For example, Alternative Payment Methods (APMs) include (but are not limited to) Google Pay and other leading wallets. They’re SCA-friendly because they support payment flows with a built-in layer of biometric or password authentication. Other examples include online bank transfer options and eWallets such as PayPal.

Optimise your checkout flow

Closely monitor and refine your checkout experience. You could even add a message letting customers know they may be redirected, and the reason why.

Update your customer support and FAQs

Transaction declines may bring a rise in customer queries and requests, so make sure your support teams are aware of the changes that are happening and how to respond.

Keep a close eye on transaction declines

Monitor soft declines (where a cardholder’s bank refuses authorization) versus hard declines (where a cardholder’s bank declines the transaction entirely). Doing so will allow you to identify specific issuers you may have higher-than-average decline rates with. If this is the case, speak with your processor to see if they can help reduce declines by supporting you in the following ways:

  • Are they seeing similar behavior from other merchants who use this issuer?
  • Are they seeing similar behavior for all merchants under the same merchant category code?
  • What are the main reasons for declines?
  • Do they offer any best practice recommendations or solutions that could help you reduce high volumes of declines from one specific issuer, based on the reason codes?
  • Do they have a sufficiently close relationship with the issuer so they can discuss any concerns directly?
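The monitoring step above (soft versus hard declines, broken down per issuer and compared with your portfolio average) can be done from your own authorization records. The script below is an added example with constructed data, not a PSP's reporting API; the outcome labels and the 10-percentage-point flagging margin are assumptions:

```python
"""Per-issuer decline monitoring for the 'keep a close eye on transaction
declines' step. Added example; records are constructed, labels are assumed."""
from collections import defaultdict


def make_records(issuer, approved, soft, hard):
    """Expand counts into one record per authorization attempt (constructed data)."""
    return ([{"issuer": issuer, "outcome": "approved"}] * approved
            + [{"issuer": issuer, "outcome": "soft_decline"}] * soft
            + [{"issuer": issuer, "outcome": "hard_decline"}] * hard)


# Constructed sample: ISSUER-B soft-declines half of its traffic, the others
# sit at the portfolio norm. Issuer names are placeholders, not real BINs.
SAMPLE_AUTHS = (make_records("ISSUER-A", 8, 1, 1)
                + make_records("ISSUER-B", 4, 5, 1)
                + make_records("ISSUER-C", 9, 0, 1))


def decline_rates(records):
    """Return (per_issuer, overall); each value is {"soft", "hard", "n"}."""
    per = defaultdict(lambda: {"soft": 0, "hard": 0, "n": 0})
    overall = {"soft": 0, "hard": 0, "n": 0}
    for r in records:
        for bucket in (per[r["issuer"]], overall):
            bucket["n"] += 1
            if r["outcome"] == "soft_decline":
                bucket["soft"] += 1
            elif r["outcome"] == "hard_decline":
                bucket["hard"] += 1

    def to_rates(b):
        if b["n"] == 0:  # no traffic: report zero rather than divide by zero
            return {"soft": 0.0, "hard": 0.0, "n": 0}
        return {"soft": b["soft"] / b["n"], "hard": b["hard"] / b["n"], "n": b["n"]}

    return {k: to_rates(v) for k, v in per.items()}, to_rates(overall)


def flag_issuers(records, margin=0.10):
    """Issuers whose soft or hard decline rate exceeds the portfolio rate by `margin`.

    Returns a sorted list of (issuer, kind, rate) tuples to raise with your processor.
    """
    per, overall = decline_rates(records)
    flagged = []
    for issuer, rates in sorted(per.items()):
        for kind in ("soft", "hard"):
            if rates[kind] > overall[kind] + margin:
                flagged.append((issuer, kind, round(rates[kind], 3)))
    return flagged
```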

6 Tips to help you find the right 3D Secure partner

Content provided by Adyen

Working with the right 3D Secure partner will help you achieve SCA compliance, as well as track and apply exemptions, and improve your chances of success. Here are a few things to look out for:

Acquiring and authentication in one system

Ultimately, authorization is the goal — so it’s important to pick a provider who knows which version of 3DS (1 or 2) works best for both the shopper and issuer. While standalone providers might choose the most appropriate 3DS version as far as your shoppers are concerned, it may not be entirely right for your issuer. Likewise, acquirers may well determine what’s right for issuers, but not necessarily so for shoppers. Finding a provider who can do what’s right for both parties is key, and will give you the highest chances of success.

Superior authentication experiences for customers

In some instances, customer data sent in the background is enough to authenticate without users having to complete an extra step. However, when additional authentication is required, it should be effortless. Here are some of the experiences to check for:

Passive: Necessary information is exchanged between the merchant, payment provider, and issuer — and the shopper sees nothing.

Two-factor: The user is asked to enter a two-factor authentication code, which is sent to them via email or SMS.

Biometric: An app-switch to an issuing-bank app is facilitated by the SDK. The user can then use their fingerprint or face in the issuing bank app.

Generally, try to introduce a ‘native’ payment authorisation experience via your own website or app, rather than adding friction to the process by redirecting shoppers to another URL.

Dynamic PSD2 application

After PSD2’s regulatory requirements take full effect in your country, your payment authorisation rates could be determined by one PSD2 SCA exemption over another. Or it might depend on how strictly a bank is enforcing or monitoring authentication. It could even depend on which 3DS2 version you're on. Adyen uses its Authentication Engine to identify new insights as the PSD2 landscape matures, monitor and identify patterns and behaviours, and then take action in real time.

7 Providers who can help you with the SCA process

Here are just a few payment partners who can work closely with you to achieve full SCA compliance, and ensure you’re offering customers a smooth and friction-free checkout experience.

Adyen

Adyen is a payments platform offering its services to some of the world’s leading companies, and it offers a range of 3DS options to meet PSD2 SCA requirements. Adyen is both an acquirer and a 3DS provider, can dynamically apply 3DS at the transaction level, and delivers frictionless payment experiences online and in-app.

Ingenico

Ingenico offers solutions to help you turn the new regulatory compliance into an opportunity to innovate, and to create safe, frictionless, and mobile-optimised experiences for customers.

Stripe

Stripe offers a range of SCA-ready payment APIs and products to help you manage your PSD2 compliance and minimize the impact on your business.

Google Pay

Google Pay helps merchants meet SCA compliance requirements while delivering a seamless online checkout experience. Its API is also free and publicly available.

8 Conclusion

Achieving SCA/PSD2 compliance while ensuring your customers enjoy a smooth checkout experience will be key over the coming weeks and months. Use this guide to navigate your way through the process, ask the right questions, and minimize disruption to your operation. Remember, PSD2 is also an opportunity for your business to innovate — and develop a checkout experience that not only improves your payment conversion rate, but also boosts loyalty and puts the customer first.

For more free guides and articles on researching and choosing the right payment provider for your business, head over to Market Finder’s payment section.

Notes to readers:

The payment partner information in this guide is provided for your convenience, and Google does not take responsibility for its accuracy or completeness.

Content provided by: Adyen, Ingenico, Stripe.

Due to the nature of the regulation and the technical approaches involved, the information contained here is correct at the time of publication but may be subject to change.