Strong Customer Authentication
SCA: The issuer and card brand perspective
A big shift is on the European payments horizon, as Strong Customer Authentication (SCA) for e-commerce will be enforced across most of the EEA from 1 January 2021. Earlier this month, we gathered key payments industry players to discuss what merchants need to know in the final weeks leading up to the deadline.
Gavin Blagden, Risk and Authentication Director at Visa Europe, has been closely monitoring early implementation of SCA across European countries. He shared his advice and insights for merchants preparing for 1 January.
Expect extra scrutiny at first
Transaction Risk Analysis (TRA) allows certain members of the payments ecosystem with low fraud rates to bypass SCA for qualifying transactions. Visa asked issuers what their specific plans were in terms of using their own TRA privileges but also asked questions around reviewing and processing TRA requests from merchants and acquirers.
Gavin says: “The good news is that most issuers are looking to use their own TRA privileges. For example, if as a merchant you submit an authentication request, the issuer may well process that transaction without a SCA challenge, so long as they’re within the limits of their TRA thresholds. Furthermore, issuers are also very willing to consider requests from merchants and acquirers to use the acquirer’s TRA privileges.”
However, Gavin adds that issuers “are probably going to apply a bit more scrutiny to TRA requests from merchants in the early days of SCA rollout. As an issuer, TRA eligibility is based on factors including their own fraud performance as well as the specific risks of that transaction. So of course, issuers are going to be applying a little bit more scrutiny to those TRA requests in the early days until the ecosystem stabilises.”
The takeaway: Merchants should ensure that they have performed the risk assessment on a transaction and only request the TRA exemption on applicable low risk transactions. Furthermore, be prepared for closer issuer scrutiny on TRA requests in the early weeks and months of SCA enforcement.
Transaction data quality is extra-important right now
“The shift from 3DS1 to 3DS2 (EMV 3DS) has uncovered some data quality issues, where some transaction field values are inconsistent or missing,” Gavin says. “As a merchant, it’s vital to recognise that better data quality equates to lower Access Control Server (ACS) risk scores and fewer SCA challenges.” (An ACS is a tool used by issuers in order to receive 3D Secure data and authenticate the card user.)
The takeaway: Ensure that your 3DS server vendor knows that these data elements are critical. Providing as much data on your customer as possible will allow issuers to properly recognise their known customers as well as detect elevated levels of risk. Overall, this will lead to lower ACS risk scores, fewer SCA challenges, and could ultimately result in fewer cart abandonments.
This article from UK Finance will provide your 3DS Server with all the necessary detail around which fields are particularly important.
Merchants may be surprised by the number of transactions that are out of scope
Gavin told merchants that many transactions will be carrying on as before, as they’re out of scope of SCA.
He said: “One would assume there's going to be huge amounts of friction required for issuers and acquirers to comply with the letter of the law of SCA. In reality, when you dig down into the weight of the regulation, there's lots of transactions that are out of scope.”
These can include, subject to compliance with the regulation:
- Merchant Initiated Transactions (MIT). “If your business involves setting up a card holder agreement, or you do regular subscriptions month-in, month-out, after you've set up a first transaction using Strong Customer Authentication, all the subsequent transactions may qualify to go straight to authorisation. SCA may be out of scope for those transactions once that agreement has been set up,” Gavin says.
- Mail Order Telephone Order (MOTO) transactions. These are also out of scope, simply because it's not possible to authenticate a customer when they're calling you on the phone.
- ‘One leg out’ transactions. This will happen when the transaction issuer or acquirer is outside of SCA-regulated markets. That said, SCA should still be applied on a best-effort basis for one-leg-out transactions.
The takeaway: If your business sets up MIT agreements with your customers, speak with your acquirer and your gateway provider and ensure you're correctly set up in accordance with requirements.
Gavin’s in-a-nutshell advice for navigating the approach and launch of SCA?
“When you get yourself connected to EMV 3DS, make sure you test as much as possible before SCA is actively enforced. Liaise with your Gateway provider and acquirer about using the SCA exemptions where applicable and properly flagging transactions that are out of scope of SCA regulation so that issuers can ring-fence them away from SCA processing.
Your ability to respond to a soft decline will really help you. If you're not able to consume a soft decline, that will in effect become a hard decline. Ensure that EMV 3DS data quality is strong to help dial down the risk scores. Utilise Transaction Risk Analysis (where applicable) – but request TRA only once you've done the due diligence to ensure that it's truly a low risk transaction and otherwise qualifies for TRA, to avoid unnecessary soft declines.”
J.P. Morgan is fully mobilised to support our clients right through the Christmas period, through the crucial testing and January launch period – and our support will continue to evolve as the rollout continues. Contact your local J.P. Morgan representative for further advice on the best way to manage the risks, transitions and opportunities the ecommerce community is facing this year and into 2021.