On December 31, 2020, Strong Customer Authentication (SCA) should go live in most European countries. As this important deadline draws near, however, there may still be challenges ahead as those in the industry work towards SCA compliance.
Why A New Deadline?
Let’s remember that PSD2 came into effect in January 2018, bringing clear changes and significant enhancements to payments industry regulations. Originally, September 14, 2019 was set as the date by which payment facilitators and online merchants had to comply with the Strong Customer Authentication (SCA) rules for fraud prevention and payments security.
However, getting ready and becoming compliant proved difficult for many, which led to the new deadline of December 31, 2020.
Even with this new deadline in place, some countries like the UK have postponed the final SCA implementation to September 2021. Most other countries within the EEA (European Economic Area) should be ready by the end of December 2020, while some of them are tweaking the timing of implementation with soft-launch scenarios into early 2021.
What Is Being Impacted And Should Be Ready By The New Deadline?
SCA for customer-initiated payments should be applied, with the implementation of EMV 3D Secure (3D Secure 2.0 or 3DS2), unless the payment qualifies for one of the exemption rules.
In principle, all eCommerce (card not present) and POS (card present) payments, if they are initiated by the shopper and do not fall under some sort of exemption, should be SCA-ready.
In general, POS payments are considered okay for now, as the move to EMV and the associated contactless payments was made a couple of years ago.
For eCommerce payments it is a different game altogether, because they rely heavily on the banks’ capabilities and previous implementations. When we look at alternative payment methods like the Dutch iDEAL and Belgian Bancontact, these were ready for SCA implementation by design.
However, if we look at the SCA implementation within banks, the set-up behind these was not always connected with the credit cards they issued. What’s more, the way the exemptions are structured made them challenging to implement into the banking system as these were normally not connected directly into those systems.
Issues like these are causing conversion challenges, with some merchants seeing decline ratios at some banks moving towards 30 to 40%. The reasons for these decline issues are diverse. An example would be when acquirers or payment providers do not offer SCA, and the issuing bank is asking for it. Another example could be when advanced banks implemented SCA with a lot of datapoint requirements in order to execute an extensive acceptance algorithm, while merchants only shared a handful of the existing datapoints, again causing disruption and leading to failed authorizations.
A payment service or acquiring platform has considerable influence on the transaction approval rate. A US-based merchant using a US-based acquiring platform to serve EEA-based shoppers could also run into trouble. Although technically these are considered “one-leg out” transactions, the card-issuing bank could decline them as well due to the lack of datapoints to build a proper risk estimation.
What Can You Do, As A Merchant, To Prepare For SCA Implementation?
If you are a 2Checkout merchant, skip to the next chapter. You are completely compliant with SCA, well in time for the deadline.
The interfaces between merchants and their payment provider should be able to exchange much more data than the standard shopper name and address. You can think about shopper account-related data, like age of the shopper account, previous order values, age of the shopper, the current shopping basket, and up to more than 140 other data points. Sharing as much of this information as possible with the payment provider in the API calls could significantly improve acceptance, assuming the payment provider is also passing it on to the card-issuing bank.
Another point for improvement is the use of the various available exemptions:
In conclusion, there are some final considerations to keep in mind if you’re considering SCA implementation. If you’re doing global business, you need to pay more attention to this. Every payment provider is challenged by a careful balance between acceptance ratios, charged acquiring fees, risk profiling, and local presence.
The use of local payment methods, mostly called alternative payments, should be your focus in many countries, even beyond regular card payments. In general, conversion ratios for alternative payments are far better in most countries compared to card payments, so be sure to make them available to your shoppers.
Staying on top of compliance regulations not only safeguards your payments ecosystem, but it can also boost your conversion rates.
What Do You Need To Do As A 2Checkout Client?
Strong customer authentication and PSD2 compliance is not something your team should worry about. Here are the key areas to be considered and what we’ve worked on:
3D SECURE 2 – Completed
This step involves the Cardholder Initiated Transactions (CIT) and Merchant Initiated Transactions (MIT) frameworks in order to initiate 3D Secure 2 when required, or fall back on 3D Secure 1.
EXEMPTION MANAGEMENT – Completed
We have made sure that we are correctly managing exemption mandate requests for low-value transactions, low risk, and trusted beneficiaries. This step implies having an updated Bank Identification Number (BIN) database. This area is especially important for recurring transactions.
DUNNING – Completed
Dedicated dunning emails for fallback flows on recurring payments are in place.
To learn more about how SCA impacts you as a 2Checkout client, read this guide on PSD2 and SCA compliance.
For more information on how you can implement SCA flows with your 2Checkout integration, read our detailed guide here.