We no longer support this browser. Using a supported browser will provide a better experience.

Please update your browser.

Close browser message

Strong Customer Authentication

SCA: The issuer and card brand perspective


A big shift is on the European payments horizon, as Strong Customer Authentication (SCA) for e-commerce will be enforced across most of the EEA from 1 January 2021. Earlier this month, we gathered key payments industry players to discuss what merchants need to know in the final weeks leading up to the deadline.

Gavin Blagden, Risk and Authentication Director at Visa Europe has been closely monitoring early implementation of SCA across European countries. He shared his advice and insights for merchants preparing for the 1 January.
 

Expect extra scrutiny at first 

Transaction Risk Analysis (TRA) allows certain members of the payments ecosystem with low fraud rates to bypass SCA for qualifying transactions. Visa asked issuers what their specific plans were in terms of using their own TRA privileges but also asked questions around reviewing and processing TRA requests from merchants and acquirers. 

Gavin says: “The good news is that most issuers are looking to use their own TRA privileges. For example, if as a merchant you submit an authentication request, the issuer may well process that transaction without a SCA challenge, so long as they’re within the limits of their TRA thresholds. Furthermore, issuers are also very willing to consider requests from merchants and acquirers to use the acquirer’s TRA privileges.”

However, Gavin adds that issuers, “are probably going to apply a bit more scrutiny to TRA requests from merchants in the early days of SCA rollout. As an issuer, TRA eligibility is based on factors including their own fraud performance as well as the specific risks of that transaction. So of course, issuers are going to be applying a little bit more scrutiny to those TRA requests in the early days until the ecosystem stabilises.”

The takeaway: Merchants should ensure that they have performed the risk assessment on a transaction and only request the TRA exemption on applicable low risk transactions.  Furthermore, be prepared for closer issuer scrutiny on TRA requests in the early weeks and months of SCA enforcement.
 

Transaction data quality is extra-important right now

“The shift from 3DS1 to 3DS2 (EMV 3DS) has uncovered some data quality issues, where some transaction fields values are inconsistent or missing,” Gavin says. “As a merchant, it’s vital to recognise that better data quality equates to lower Access Control Server (ACS) risk scores and fewer SCA challenges.” (An ACS is a tool used by issuers in order to receive 3D Secure data and authenticate the card user.)

The takeaway: Ensure that your 3DS server vendor knows that these data elements are critical. Providing as much data on your customer as possible will allow issuers to properly recognise their known customers as well as detect elevated levels of risk. Overall, this will lead to lower ACS risk scores, fewer SCA challenges, and could ultimately result in fewer cart abandonments.

This article from UK Finance will provide your 3DS Server with all the necessary detail around which fields are particularly important.
 

Merchants may be surprised by the number of transactions that are out of scope

Gavin told merchants that many transactions will be carrying on as before, as they’re out of scope of SCA.

He said: “One would assume there's going to be huge amounts of friction required for issuers and acquirers to comply with the letter of the law of SCA. In reality, when you dig down into the weight of the regulation, there's lots of transactions that are out of scope.”

These can include, subject to compliance with the regulation:

  • Merchant Initiated Transactions (MIT). “If your business involves setting up a card holder agreement, or you do regular subscriptions month-in, month-out, after you've set up a first transaction using Strong Customer Authentication, all the subsequent transactions may qualify to go straight to authorisation. SCA may be out of scope for those transactions once that agreement has been set up,” Gavin says.
  • Mail Order Telephone Order (MOTO) transactions. These are also out of scope, simply because it's not possible to authenticate a customer when they're calling you on the phone.
  • ‘One leg out’ transactions. This will happen when the transaction issuer or acquirer is outside of SCA-regulated markets. That said, SCA should still be applied on a best-effort basis for one-leg-out transactions.

The takeaway: If your business sets up MIT agreements with your customers, speak with your acquirer and your gateway provider and ensure you're correctly set up in accordance with requirements.


CONCLUSION

Gavin’s in-a-nutshell advice for navigating the approach and launch of SCA?

When you get yourself connected to EMV 3DS, make sure you test as much as possible before SCA is actively enforced. Liaise with your Gateway provider and acquirer about using the SCA exemptions where applicable and properly flagging transactions that out of scope of SCA regulation so that issuers can ring-fence them away from SCA processing. 

Your ability to respond to a soft decline will really help you. If you're not able to consume a soft decline, that will in effect become a hard decline. Ensure that EMV 3-DS data quality is strong to help dial down the risk scores. Utilise Transaction Risk Analysis (where applicable)  – but request TRA only once you've done the due diligence to ensure that it's truly a low risk transaction and otherwise qualifies for TRA, to avoid unnecessary soft declins.”
 

J.P Morgan is fully mobilised to support our clients right through the Christmas period, through the crucial testing and January launch period – and our support will continue to evolve as the rollout continues. Contact your local J.P. Morgan representative for further advice on the best way to manage the risks, transitions and opportunities the ecommerce community is facing this year and into 2021. 

Already an Existing Customer?

Contact us if you require advice, help or support.

Existing Merchant Service Customers

If you have a technical issue or a question about your merchant account, please call your Relationship Manager directly.
Alternatively, call our merchant support team on:

For Europe: +353 1 726 2909     UK: 0845 399 1130

Further information is available at any time through your Paymentech Online account.

 

Out of Courts Complaints and Redress Procedures

  1. J.P.Morgan has in place complaint resolution procedures to settle complaints of Merchants arising from their rights and obligations under Parts 3 and 4 of the Payment Services Regulations 2018.
  2. If you have a complaint, please contact your Relationship Manager. Your complaint will be addressed in accordance with J.P.Morgan complaint policy, which we are happy to provide upon request.
  3. In the event of a complaint, a Merchant may refer the matter to the Irish Financial Services and Pensions Ombudsman (FSPO) or such relevant out-of-court complaint body or to such other competent out-of-court complaint body applicable to you in the country where you are established.
  4. Details on complainant eligibility are available on the FSPO website.

                   You can contact the FSPO at:

Irish Financial Services and Pensions Ombudsman
Lincoln House
Lincoln Place
Dublin 2
D02 VH29
Ireland
Tel: + 353 1 567 7000
Email: info@fspo.ie
Website: https://www.fspo.ie

 

Merchants domiciled in the UK

  1. From 1st January 2021, J.P.Morgan will enter into the UK's Temporary Permissions Regime (TPR).
  2. The TPR has been established by the UK regulators to allow firms such as J.P.Morgan to continue to operate in the UK following the end of the Brexit transition period.
  3. During the TPR, a UK-based merchant that is not satisfied with our response to a complaint and that qualifies as an eligible complainant may refer the matter to the UK's Financial Ombudsman Service. Details on complainant eligibility are available on the Financial Ombudsman Service website.

                   You can contact the Financial Ombudsman Service at:

Financial Ombudsman Service
Exchange Tower
London
E14 9SR
Free phone: 0800 023 4567
Email: complaint.info@financial-ombudsman.org.uk
Website: www.financial-ombudsman.org.uk