What is SCA? · What is SCA? The new EU Payments Services Directive (PSD2) took effect in January...


Page 1: What is SCA? · What is SCA? The new EU Payments Services Directive (PSD2) took effect in January 2018, bringing in new laws aimed at enhancing consumer rights and reducing online

What is SCA?

expensereduction.com

A guide to Strong Customer Authentication & how it affects your business.

Page 2

What is SCA?

The new EU Payments Services Directive (PSD2) took effect in January 2018, bringing in new laws aimed at enhancing consumer rights and reducing online fraud.

A key element of PSD2 is the introduction of additional security authentication for online transactions over €30, known as Strong Customer Authentication (SCA). It means customers will no longer be able to check out online using just their credit or debit card details; they will also need to provide an additional form of identification.

This report will give an overview of the new SCA regulations and what they mean for online retailers.

Page 3

Why is SCA needed?

Payment fraud losses have been steadily increasing for nearly a decade with little sign of easing. The European Commission has intervened by placing SCA requirements on participants to reduce fraud as one of the core components of PSD2.

The original deadline for implementing SCA was 14 September 2019, by which point all ecommerce transactions were due to be processed via a secured industry protocol such as 3D Secure. Online transactions would need additional authentication (with some exemptions).

However, following the European Banking Authority (EBA) announcement on 21 June 2019, the Financial Conduct Authority (FCA) has agreed to a phased roll-out plan to move the UK to full compliance by 14 March 2021.

Page 4

ERA Reflections

In contrast to other sections of this report, which are analysis and fact driven, this section contains informed opinion and reflections of the author and is provided in strict confidence to you, as our client, to help you plan your banking and payment solutions for the future.

Strong Customer Authentication breathing space – or is it?

As previously reported, the payments industry was extremely concerned at the lack of readiness of banks, acquirers and other Payment Service Providers for the changes on 14th September 2019. Even two months before the deadline:

• 80% of consumers were unaware of the forthcoming changes (MasterCard research).

• Less than 40% of UK merchants were confident of being ready (Stripe & 415 Research).

• 75% of merchants across Europe were unaware of the requirements (UK Finance).

The year 1 lost business potential has been generally accepted to be tens of billions of Euros. The majority of issuing banks believe that they will be ready for 14th September to comply with the regulations, at least to the extent that they avoid immediate sanctions; however, the customer experience is far from ideal and would lead to a high level of declined or abandoned transactions.

ERA joined other industry specialists, pressure groups and suppliers to influence the European Regulator (EBA) and FCA, its UK delegate National Competent Authority, and the UK government (through a question in the House of Commons) to take action to avoid a catastrophic implementation and loss of business for merchants.

Reflecting the challenges faced by banks, the EBA therefore also authorised national regulators to delay the application of sanctions against Payment Service Providers (card issuing banks, acquirers and other third parties) for non-compliance with SCA, as long as they have robust plans to become compliant as soon as possible.

Page 5

Responses of key European CAs

The illustration below shows responses that range from detailed plans to confirmation that a plan will be put in place. Some countries (Norway amongst them) are believed to wish to implement fully on 14th September. A Europe-wide plan is hoped for, but is easier said than done.

• France (9 Jul): Up to 3 year migratory plan, but most transactions to be compliant by Dec. 2020. Goal to largely move away from one time passwords via SMS by June 2021.

• Italy (6 Aug): A migration period (period as yet unspecified) with the status quo processes acceptable during the migration period.

• Ireland (8 Aug): A limited migration period – expected to follow UK plans.

• Holland (13 Aug): Limited extra time to be allowed, plan to follow.

• Poland (19 Aug): Will indicate details of the migration timeline after 14th September.

• UK (20 Aug): A detailed migration plan (Managed Rollout) published with timelines. Status quo until 1st Feb 2020. Note the plan to move from SMS OTP as biometric technologies come online.

• Germany (21 Aug): A limited migration period with details to follow.

Page 6

Is this all about online payments?

A large part of the focus has been on online payments, but other transactions will see disruption as well.

Face to Face transactions

In the UK, the plan says that the Managed Rollout applies only to e-commerce, so these are in scope.

SCA will be required; typically this will be in the form of chip and PIN, though potentially other methods if the card presented is on a phone app.

Contactless transactions are exempt provided that they are for under 50 Euros and cumulatively no more than 5 contactless transactions or 150 Euros worth have taken place since the last full SCA authentication.

However:

1. Some large issuers’ cards and merchants’ payment systems are not able to monitor the cumulative requirements, so issuers may be forced to step up all contactless transactions (with the exception of those on transport systems) for 2-factor authentication.

2. Whilst ‘step up messaging’ is available so the terminal simply asks the customer to use chip & PIN, many terminals have not been or cannot be updated to process this instruction, so transactions are simply declined.

We have already seen increased levels of declined contactless transactions as banks have rolled out and tested new systems.
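The contactless exemption and its two failure modes above, as an added Python model (not code from this report or from ERA): an issuer-side decision that applies the EUR 50 per-payment limit and the cumulative 5-payment / EUR 150 counters since the last full SCA, forces a step-up when the issuer cannot track the counters (transport excepted), and declines when the terminal cannot process the step-up message. Assumed, since the page does not say: both cumulative limits are checked including the current payment, and a completed chip & PIN step-up resets the counters.

```python
from dataclasses import dataclass

# Limits stated on this page for the contactless exemption.
CONTACTLESS_LIMIT_EUR = 50.0   # a single payment must be under EUR 50
CUMULATIVE_COUNT = 5           # at most 5 contactless payments since last full SCA
CUMULATIVE_VALUE_EUR = 150.0   # at most EUR 150 in total since last full SCA


@dataclass
class CardState:
    """Issuer-side counters for one card since its last full SCA (chip & PIN)."""
    count_since_sca: int = 0
    value_since_sca: float = 0.0
    counters_tracked: bool = True  # False models issuers that cannot monitor the limits


def contactless_decision(state, amount_eur, terminal_supports_step_up, transport=False):
    """Decide one contactless payment: ('approve' | 'step_up' | 'decline', reason).
    Assumption: both cumulative limits count the current payment, and a completed
    chip & PIN step-up resets the counters."""
    reason = None
    if not state.counters_tracked and not transport:
        # Page: issuers unable to monitor the limits step up everything except transport.
        reason = "issuer cannot monitor cumulative limits"
    elif amount_eur >= CONTACTLESS_LIMIT_EUR:
        reason = "amount not under EUR 50"
    elif state.count_since_sca + 1 > CUMULATIVE_COUNT:
        reason = "more than 5 contactless payments since last SCA"
    elif state.value_since_sca + amount_eur > CUMULATIVE_VALUE_EUR:
        reason = "cumulative value would exceed EUR 150"

    if reason is None:
        state.count_since_sca += 1
        state.value_since_sca += amount_eur
        return "approve", "contactless exemption applies"
    if terminal_supports_step_up:
        # Terminal asks for chip & PIN; full SCA is performed and the counters reset.
        state.count_since_sca = 0
        state.value_since_sca = 0.0
        return "step_up", reason
    # Page: terminals that cannot process the step-up instruction simply decline.
    return "decline", "terminal cannot process step-up: " + reason


def simulate(amounts, terminal_supports_step_up=True, counters_tracked=True):
    """Run a sequence of payments on a fresh card and return the outcomes in order."""
    state = CardState(counters_tracked=counters_tracked)
    return [contactless_decision(state, a, terminal_supports_step_up)[0] for a in amounts]


if __name__ == "__main__":
    # Constructed sample: five EUR 10 taps are exempt, the sixth is stepped up.
    print(simulate([10.0] * 6))
```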

Recurring transactions

Recurring transactions continue to cause confusion. What is known is:

Recurring transactions for the same amount to the same merchant (e.g. subscriptions) are out of scope for SCA providing the first transaction took place using SCA and a separate contract is in place permitting the payments. These are termed Merchant Initiated Transactions (MITs).

Some allowance may be made where a second payment is collected perhaps as part of fulfilling an initial order, but there remains debate on how this will operate.

Clarification is needed on whether recurring payments for different amounts will require SCA.

Where the recurring transaction was in place for a set amount prior to 14th September but the first transaction was not SCA compliant, there is provision for this to be allowed to continue – however these transactions would need to be flagged as such by the merchant’s providers.


Page 7

What does this mean for merchants?

Although the news headlines have been of a delay in implementation of Strong Customer Authentication, this is clearly an over-simplification.

All advice within the market is for merchants to push ahead with preparations as soon as possible. We recommend that all merchants contact their acquirer to confirm what they need to do and when. The likely impact of the change is hard to assess.

Page 8

What are the UK timelines?

Proposed managed rollout: overall high level timelines for the roadmap (3D Secure v2). The roadmap spans 18 months of operational readiness, with milestones at 14 Sept 2019, 1 Feb 2020, 14 Mar 2020, 14 Sept 2020 and 14 Mar 2021, and phases labelled: current approach applies; clarity on exemption flags; learning period for implementation; operational readiness / issuer behavioural solution.

Existing deadline / Compliance Point 1 (14 September 2019)

14 September is the existing deadline; we propose there is a managed rollout. On this date, issuers would continue to step up transactions as they do today and will not decline just because transactions aren’t SCA compliant. In other words, the status quo will apply.

Step Ups Commence (1 February 2020)

From 1 February 2020, issuers will begin to step up transactions (in active collaboration with merchants) using both risk based authentication (RBA) and OTP where available. Merchants will begin more widely flagging in an SCA compliant way.

Compliance Point 2

By point 2, there should be wider certainty on regulatory requirements as well as greater technological readiness. By this point, issuers will be able to cater fully for 3DS v2.X. Merchants that were already aware of requirements should be testing actively with v2.1 and 2.2 of 3DS. We propose focus here is given to the awareness of small merchants to ensure they are aware they will need to begin the path to SCA readiness if they haven’t already.

Compliance Point 3

By review point 3, adoption rates will continue to increase and products will begin to be rolled out on a mass scale; there is still need for time for smaller merchants to implement. Suggested focus on customer readiness.

EU Wide 3DS 2.2/2.1 Mandate (September 2020)

We are currently proposing that there is a card scheme mandate in September 2020 to encourage merchants towards migration. The format of the mandate is still under discussion to ensure it provides the best incentive to merchants; the current assumption is this should point to adoption, not active use, as the step from 3DS v1 to 2 is significant for merchants and testing is required.

Active supervision / Issuers decline (14 March 2021)

On 14 March 2021, we propose that active supervision begins; we also propose that issuers begin declining those transactions that are straight to authorisation (that are not flagged or subject to exemptions or exceptions under RTS). This offers a substantial incentive to all to migrate in a timely manner. OTP solutions and mobile banking based solutions will be ready. Behavioural biometrics + OTP should be delivered (will be reviewed throughout).

3D Secure v2 is an industry standard solution developed by Visa, MasterCard, American Express and others.

The new 3DSv2 requires up to 10 times as much data to be collected and passed through the transaction process. However, despite this the user experience is very significantly better than 3DSv1 and it is expected to result in higher acceptance levels than any other SCA method.

There are several versions of 3DSv2. The entry level 3DSv2.0 offers only basic exemptions but can pass through sufficient data to make it more likely that an issuer will trigger an exemption as they are confident that the customer is who they say they are.

Later versions (3DSv2.2 is in testing) include more exemption capability and biometrics.

Within the UK, the plan is to move towards ‘inherence’ authentication (biometrics based on a physical feature or known behavioural trait, perhaps) within 18 months.

Page 9

What do merchants need to do to allow the additional information flows?

This will depend on how their websites are set up. It is expected that where the merchant is using their provider’s hosted payment page (HPP) this will manage much of the required change for them.

The most common method of achieving SCA compliance is expected to be to use 3D Secure. The current version 3DSv1 is clunky however, so around 60% of merchants have elected not to use it to date.

The system allows merchants to request exemptions to be applied by flagging transactions with appropriate coding. It should be noted that where an exemption is applied the transaction risk does not pass to the card issuer, so acquirers may pass chargebacks through to merchants.

Acceptance levels and acceptance of requests to trigger exemptions are expected to be optimised where most information is provided. We strongly recommend that merchants consult their acquirer and payment gateway on:

• What version of 3D Secure they plan to offer and when will they implement more advanced versions?

• Which exemptions will be best to use after 14th September and when will the supplier be ready to process them?

• What information needs to be passed through to optimise use of exemptions, balancing this with fraud exposure?

• What is the merchant’s profile of transactions by card issuing bank over the past 12 months?

• What is the acquirer’s current Reference Fraud Rate and what level of Exemption Threshold Value (ETV) can they offer under the Transaction Risk Analysis exemption (expected to be the most popularly used exemption)? How does this compare with the merchant’s transaction profile?

Who’s in control of the payment process?

Merchants will see a loss of control over the customer payment process at the end of online purchases as it is the card issuer who has final say on:

1. whether to trigger full SCA (step-up)

2. what method(s) of authentication they will allow

3. what that authentication user experience is
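The exemption request and liability flow described on this page, as an added Python model (not code from this report or from ERA): the merchant requests an exemption flag, the issuer has the final say, and an applied exemption leaves chargeback risk with the merchant. It goes beyond the page in one respect: the Transaction Risk Analysis thresholds (ETV of EUR 100, 250 or 500 for reference fraud rates up to 0.13%, 0.06% or 0.01%) come from the PSD2 RTS, which the page refers to but does not quote; the function and flag names are assumptions.

```python
# Exemption request flow on this page: the merchant (via its acquirer) flags a
# transaction for an exemption, the issuer has the final say, and where an
# exemption is applied the chargeback risk stays with the merchant.
# Assumption: the TRA table is from the PSD2 RTS (Article 18), not from the page;
# names such as merchant_flag and issuer_decision are illustrative.

LOW_VALUE_EUR = 30.0  # page 2: SCA applies to online transactions over EUR 30

# (maximum acquirer reference fraud rate in %, Exemption Threshold Value in EUR)
TRA_ETV_TABLE = [(0.01, 500.0), (0.06, 250.0), (0.13, 100.0)]


def tra_etv(reference_fraud_rate_pct):
    """Highest ETV an acquirer may use for TRA at its fraud rate; 0.0 if none."""
    for max_rate, etv in TRA_ETV_TABLE:
        if reference_fraud_rate_pct <= max_rate:
            return etv
    return 0.0


def merchant_flag(amount_eur, reference_fraud_rate_pct, is_mit=False):
    """Exemption flag the merchant can request, or None (straight to authorisation)."""
    if is_mit:
        return "mit"  # page: fixed-amount recurring payment after an SCA'd first payment
    if amount_eur <= LOW_VALUE_EUR:
        # The RTS also applies cumulative counters to this exemption; omitted here.
        return "low_value"
    if amount_eur <= tra_etv(reference_fraud_rate_pct):
        return "tra"
    return None


def issuer_decision(flag, issuer_honours_exemption, after_14_mar_2021=False):
    """Issuer outcome and who carries chargeback liability for the payment."""
    if flag is None and after_14_mar_2021:
        # Page 8 roadmap: unflagged straight-to-authorisation payments are declined.
        return "decline", None
    if flag is not None and issuer_honours_exemption:
        # Exemption applied: the transaction risk does not pass to the card issuer.
        return "approve_exempt", "merchant"
    # Issuer triggers full SCA (step-up); liability sits with the issuer.
    return "step_up", "issuer"


def authorise(amount_eur, fraud_rate_pct, issuer_honours_exemption,
              after_14_mar_2021=False, is_mit=False):
    """End to end: merchant flag request, then the issuer's decision."""
    flag = merchant_flag(amount_eur, fraud_rate_pct, is_mit)
    outcome, liable = issuer_decision(flag, issuer_honours_exemption, after_14_mar_2021)
    return flag, outcome, liable
```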

Page 10

What does this mean for my business?

The ‘delay’ to SCA avoids a cliff-edge payments crisis on 14th September but extends the period of disruption for at least 18 months. In the end payments should be more secure and simpler.

The word ‘Roadmap’ brings to mind roadworks – essential to be carried out but causing significant frustration and inconvenience while they are going on. As a merchant, we recommend you engage early with your acquirer and gateway to consider, amongst other factors such as cost, the following:

Risk

• What level of risk do my transactions carry?

• What level of chargebacks is acceptable to me?

• How can I make my business more attractive to providers who want to keep their ETV low?

Trading countries

• Which countries do I trade with and what is the transaction profile (e.g. average transaction value, level of returns, chargeback rate) for these transactions?

• For my top 5 or 10 countries, what has the national Competent Authority communicated on their transition arrangements?

How important is friction to my sales performance?

• For some merchants an extra step in the payment process will see sales drop. For others, customers will barely notice.

• In the UK, until 1st February, it may be that not using 3DS will minimise friction.

• After that a tipping point will be reached, with increased friction due to increased decline rates as step ups are not possible.

• An advanced version of 3DSv2 is likely to provide the most frictionless experience as the roadmap moves forward.

• Consider ensuring the most advanced solution is in place, triggering it when the tipping point is reached.

Cost implications

Meeting SCA requirements will carry a development cost for all online merchants. This is frustrating for those who are comfortable with their current business model and risk levels.

Some providers are already trying to implement ‘SCA fees’ on top of the cost increases they face from Visa’s and MasterCard’s expected new or increased 3D Secure fees.

Negotiating the level of fee passed on by acquirers may be complex for many merchants as Visa and MasterCard typically do not publish their Scheme fees and acquirers may use confusing titles for the charges.

We recommend that merchants watch out for any tariff change notice and decide quickly whether and how to challenge them, as typically merchant agreements provide a time limit for such challenges to release you from your agreements.

Page 11

How can ERA help?

ERA’s 8-strong European Payments Team specialists are drawn from senior banking and payments roles. We have developed tools and techniques to demystify the often confusing tariff and invoice structures of acquirers and gateways.

We enjoy strong relationships with all suppliers due to the leverage provided by our expertise and client base, and as we are fiercely independent of all suppliers, being paid only by our clients.

Whether you aim to reduce your payment fees, to develop a robust payment solution to support your sales strategy, or any point in between, our clients attest to the value of the resource, expertise and influence we provide to deliver results.

Page 12

ERA’s specialist Payments Team has already advised many clients on strategies to optimise their cost and service provision. We would be happy to discuss your Merchant Card Fees with you. Please contact us for further details.

Search Paul Davidson, Steve Whitlam and Paul Lucraft Profiles on the ERA website.

expensereduction.com