What is SCA?
expensereduction.com
A guide to Strong Customer Authentication and how it affects your business.
What is SCA?

The new EU Payments Services Directive (PSD2) took effect in January 2018, bringing in new laws aimed at enhancing consumer rights and reducing online fraud.

A key element of PSD2 is the introduction of additional security authentication for online transactions over €30, known as Strong Customer Authentication (SCA). It means customers will no longer be able to check out online using just their credit or debit card details; they will also need to provide an additional form of identification.

This report will give an overview of the new SCA regulations and what they mean for online retailers.
Why is SCA needed?

Payment fraud losses have been steadily increasing for nearly a decade with little sign of easing. The European Commission has intervened by placing SCA requirements on participants to reduce fraud, as one of the core components of PSD2.

The original deadline for implementing SCA was 14 September 2019, by which point all ecommerce transactions were due to be processed via a secure industry protocol such as 3D Secure. Online transactions would need additional authentication (with some exemptions).

However, following the European Banking Authority (EBA) announcement on 21 June 2019, the Financial Conduct Authority (FCA) has agreed to a phased roll-out plan to move the UK to full compliance by 14 March 2021.
ERA Reflections

In contrast to the other sections of this report, which are analysis- and fact-driven, this section contains the informed opinion and reflections of the author and is provided in strict confidence to you, as our client, to help you plan your banking and payment solutions for the future.
Strong Customer Authentication breathing space – or is it?
As previously reported, the payments industry was extremely concerned at the lack of readiness of banks, acquirers and other Payment Service Providers for the changes on 14th September 2019. Even two months before the deadline:
• 80% of consumers were unaware of the forthcoming changes (MasterCard research).
• Less than 40% of UK merchants were confident of being ready (Stripe & 415 Research).
• 75% of merchants across Europe were unaware of the requirements (UK Finance).
The year 1 lost business potential has been generally accepted to be tens of billions of Euros. The majority of issuing banks believe that they will be ready for 14th September to comply with the regulations, at least to the extent that they avoid immediate sanctions; however, the customer experience is far from ideal and would lead to a high level of declined or abandoned transactions.
ERA joined other industry specialists, pressure groups and suppliers to influence the European Regulator (EBA) and FCA, its UK delegate National Competent Authority, and the UK government (through a question in the House of Commons) to take action to avoid a catastrophic implementation and loss of business for merchants.
Reflecting the challenges faced by banks, the EBA therefore also authorised national regulators to delay the application of sanctions against Payment Service Providers (card issuing banks, acquirers and other third parties) for non-compliance with SCA, as long as they have robust plans to become compliant as soon as possible.
Responses of key European Competent Authorities (CAs)

The responses summarised below range from detailed plans to confirmation that a plan will be put in place. Some countries (Norway amongst them) are believed to wish to implement fully on 14th September. A Europe-wide plan is hoped for, but is easier said than done.

• France (9 Jul): Up to 3 year migratory plan, but most transactions to be compliant by Dec. 2020. Goal to move largely away from one-time passwords via SMS by June 2021.
• Italy (6 Aug): A migration period (length as yet unspecified), with the status quo processes acceptable during the migration period.
• UK (20 Aug): A detailed migration plan (Managed Rollout) published with timelines. Status quo until 1st Feb 2020. Note the plan to move away from SMS OTP as biometric technologies come online.
• Poland (19 Aug): Will indicate details of the migration timeline after 14th September.
• Ireland (8 Aug): A limited migration period; expected to follow UK plans.
• Holland (13 Aug): Limited extra time to be allowed; plan to follow.
• Germany (21 Aug): A limited migration period, with details to follow.
Is this all about online payments?
A large part of the focus has been on online payments, but other transactions will see disruption as well.
Face to Face transactions
In the UK, the plan says that the Managed Rollout applies only to e-commerce, so these are in scope.
SCA will be required; typically this will be in the form of chip and PIN, though potentially other methods if the card presented is on a phone app.
Contactless transactions are exempt provided that they are for under 50 Euros and cumulatively no more than 5 contactless transactions or 150 Euros worth have taken place since the last full SCA authentication.
However:
1. Some large issuers’ cards and merchants’ payment systems are not able to monitor the cumulative requirements, so issuers may be forced to step up all contactless transactions (with the exception of those on transport systems) to 2-factor authentication.
2. Whilst ‘step up messaging’ is available so that the terminal simply asks the customer to use chip & PIN, many terminals have not been or cannot be updated to process this instruction, so transactions are simply declined.
We have already seen increased levels of declined contactless transactions as banks have rolled out and tested new systems.
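As an added illustration (not code from the original report, nor from any issuer or card scheme), the contactless rule above and its two failure modes modelled as an issuer-side decision function. The limits are the ones stated on the page; the reading that the sixth tap, or a tap that takes the cumulative amount over €150, triggers step-up is an assumption, and the flags modelling issuers without cumulative counters and terminals without step-up support are hypothetical.

```python
from dataclasses import dataclass

# Limits as stated in the text: single tap under EUR 50, and no more than
# 5 taps or EUR 150 cumulative since the last full SCA. Amounts are in cents.
SINGLE_TAP_LIMIT = 5000
CUMULATIVE_AMOUNT_LIMIT = 15000
CUMULATIVE_COUNT_LIMIT = 5


@dataclass
class CardCounters:
    """Per-card running totals since the last successful SCA (constructed model)."""
    count_since_sca: int = 0
    amount_since_sca: int = 0


def decide_contactless(card: CardCounters, amount: int,
                       counters_available: bool = True,
                       terminal_supports_step_up: bool = True) -> str:
    """Return 'approve' (exemption applied), 'step_up' (chip and PIN required)
    or 'decline'.

    counters_available=False models an issuer that cannot monitor the
    cumulative limits (failure mode 1 above): it cannot prove the exemption
    holds, so every tap is stepped up. terminal_supports_step_up=False models
    a terminal that cannot process the step-up instruction (failure mode 2),
    where the only remaining outcome is a decline.
    """
    if not counters_available:
        exempt = False
    else:
        # Assumed reading: the current tap counts towards both cumulative limits.
        exempt = (amount < SINGLE_TAP_LIMIT
                  and card.count_since_sca < CUMULATIVE_COUNT_LIMIT
                  and card.amount_since_sca + amount <= CUMULATIVE_AMOUNT_LIMIT)
    if exempt:
        card.count_since_sca += 1
        card.amount_since_sca += amount
        return "approve"
    if terminal_supports_step_up:
        return "step_up"
    return "decline"


def record_sca(card: CardCounters) -> None:
    """A full SCA (e.g. chip and PIN) resets the cumulative counters."""
    card.count_since_sca = 0
    card.amount_since_sca = 0
```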
Recurring transactions
Recurring transactions continue to cause confusion. What is known is:
Recurring transactions for the same amount to the same merchant (e.g. subscriptions) are out of scope for SCA provided the first transaction took place using SCA and a separate contract is in place permitting the payments. These are termed Merchant Initiated Transactions (MITs).
Some allowance may be made where a second payment is collected perhaps as part of fulfilling an initial order, but there remains debate on how this will operate.
Clarification is needed on whether recurring payments for different amounts will require SCA.
Where the recurring transaction was in place for a set amount prior to 14th September but the first transaction was not SCA compliant, there is provision for this to be allowed to continue – however these transactions would need to be flagged as such by the merchant’s providers.
What does this mean for merchants?

Although the news headlines have been of a delay in the implementation of Strong Customer Authentication, this is clearly an over-simplification.
All advice within the market is for merchants to push ahead with preparations as soon as possible. We recommend that all merchants contact their acquirer to confirm what they need to do and when. The likely impact of the change is hard to assess.
What are the UK timelines?

[Roadmap graphic: proposed managed rollout, overall high-level timelines. Milestones: 14 Sept 2019, 1 Feb 2020, 14 Mar 2020, 14 Sept 2020, 14 Mar 2021 (18 months of operational readiness); phases labelled ‘Current approach applies’, ‘Clarity on exemption flags’, ‘Learning period for implementation’ and ‘Operational readiness / Issuer behavioural solution’; 3D Secure v2.]

Existing deadline / Compliance Point 1
14 September is the existing deadline; we propose there is a managed rollout. On this date, issuers would continue to step up transactions as they do today and will not decline just because transactions aren’t SCA compliant. In other words, the status quo will apply.

Step Ups Commence
From 1 February 2020, issuers will begin to step up transactions (in active collaboration with merchants) using both risk based authentication (RBA) and OTP where available. Merchants will begin more widely flagging in an SCA compliant way.

Compliance Point 2
By point 2, there should be wider certainty on regulatory requirements as well as greater technological readiness. By this point, issuers will be able to cater fully for 3DS v2.X. Merchants that were already aware of requirements should be testing actively with v2.1 and 2.2 of 3DS. We propose focus here is given to the awareness of small merchants to ensure they are aware they will need to begin the path to SCA readiness if they haven’t already.

Compliance Point 3
By review point 3, adoption rates will continue to increase and products will begin to be rolled out on a mass scale, but there is still a need for time for smaller merchants to implement. Suggested focus on customer readiness.

EU Wide 3DS 2.2/2.1 Mandate
We are currently proposing that there is a card scheme mandate in September 2020 to encourage merchants towards migration. The format of the mandate is still under discussion to ensure it provides the best incentive to merchants; the current assumption is that this should point to adoption, not active use, as the step from 3DS v1 to 2 is significant for merchants and testing is required.

Active supervision / Issuers decline
On 14 March 2021, we propose that active supervision begins; we also propose that issuers begin declining those transactions that go straight to authorisation (that are not flagged or subject to exemptions or exceptions under the RTS). This offers a substantial incentive to all to migrate in a timely manner. OTP solutions and mobile banking based solutions will be ready. Behavioural biometrics + OTP should be delivered (will be reviewed throughout).

3D Secure v2
3D Secure v2 is an industry standard solution developed by Visa, MasterCard, American Express and others.
The new 3DSv2 requires up to 10 times as much data to be collected and passed through the transaction process. However, despite this the user experience is very significantly better than 3DSv1 and it is expected to result in higher acceptance levels than any other SCA method.
There are several versions of 3DSv2. The entry level 3DSv2.0 offers only basic exemptions but can pass through sufficient data to make it more likely that an issuer will trigger an exemption, as they are confident that the customer is who they say they are.
Later versions (3DSv2.2 is in testing) include more exemption capability and biometrics.
Within the UK, the plan is to move towards ‘inherence’ authentication (biometrics based on a physical feature or known behavioural trait, perhaps) within 18 months.
What do merchants need to do to allow the additional information flows?
This will depend on how their websites are set up. It is expected that where the merchant is using their provider’s hosted payment page (HPP) this will manage much of the required change for them.
Acceptance levels and acceptance of requests to trigger exemptions are expected to be optimised where most information is provided. We strongly recommend that merchants consult their acquirer and payment gateway on:
• What version of 3D Secure they plan to offer and when will they implement more advanced versions?
• Which exemptions will be best to use after 14th September and when will the supplier be ready to process them?
• What information needs to be passed through to optimise use of exemptions, balancing this with fraud exposure?
• What is the merchant’s profile of transactions by card issuing bank over the past 12 months?
• What is the acquirer’s current Reference Fraud Rate and what level of Exemption Threshold Value (ETV) can they offer under the Transaction Risk Analysis exemption (expected to be the most popularly used exemption)? How does this compare with the merchant’s transaction profile?
Who’s in control of the payment process?

Merchants will see a loss of control over the customer payment process at the end of online purchases, as it is the card issuer who has the final say on:
1. whether to trigger full SCA (step-up)
2. what method(s) of authentication they will allow
3. what that authentication user experience is

The system allows merchants to request exemptions to be applied by flagging transactions with appropriate coding. It should be noted that where an exemption is applied the transaction risk does not pass to the card issuer, so acquirers may pass chargebacks through to merchants.
The most common method of achieving SCA compliance is expected to be to use 3D Secure. The current version 3DSv1 is clunky, however, so around 60% of merchants have elected not to use it to date.
What does this mean for my business?
The ‘delay’ to SCA avoids a cliff-edge payments crisis on 14th September but extends the period of disruption for at least 18 months. In the end payments should be more secure and simpler.
The word ‘Roadmap’ brings to mind roadworks – essential to be carried out but causing significant frustration and inconvenience while they are going on. As a merchant, we recommend you engage early with your acquirer and gateway to consider the following, amongst other factors such as cost:
Risk
• What level of risk do my transactions carry?
• What level of chargebacks is acceptable to me?
• How can I make my business more attractive to providers who want to keep their ETV low?
Trading countries
• Which countries do I trade with and what is the transaction profile (e.g. average transaction value, level of returns, chargeback rate) for these transactions?
• For my top 5 or 10 countries, what has the national Competent Authority communicated on their transition arrangements?
How important is friction to my sales performance?
• For some merchants an extra step in the payment process will see sales drop. For others, customers will barely notice.
• In the UK, until 1st February, it may be that not using 3DS will minimise friction.
• After that a tipping point will be reached with increased friction due to increased decline rates as step ups are not possible.
• An advanced version of 3DSv2 is likely to provide the most frictionless experience as the roadmap moves forward.
• Consider ensuring the most advanced solution is in place, triggering it when the tipping point is reached.
Cost implications
Meeting SCA requirements will carry a development cost for all online merchants. This is frustrating for those who are comfortable with their current business model and risk levels.
Some providers are already trying to implement ‘SCA fees’ on top of the cost increases they face from Visa’s and MasterCard’s expected new or increased 3D Secure fees.
Negotiating the level of fee passed on by acquirers may be complex for many merchants as Visa and MasterCard typically do not publish their Scheme fees and acquirers may use confusing titles for the charges.
We recommend that merchants watch out for any tariff change notice and decide quickly whether and how to challenge it, as merchant agreements typically provide a time limit for such challenges to release you from your agreement.
How can ERA help?

ERA’s 8-strong European Payments Team specialists are drawn from senior banking and payments roles. We have developed tools and techniques to demystify the often confusing tariff and invoice structures of acquirers and gateways.
We enjoy strong relationships with all suppliers due to the leverage provided by our expertise and client base, and as we are fiercely independent of all suppliers, being paid only by our clients.
Whether you aim to reduce your payment fees, to develop a robust payment solution to support your sales strategy, or any point in between, our clients attest to the value of the resource, expertise and influence we provide to deliver results.
ERA’s specialist Payments Team has already advised many clients on strategies to optimise their cost and service provision. We would be happy to discuss your Merchant Card Fees with you. Please contact us for further details.
Search Paul Davidson, Steve Whitlam and Paul Lucraft Profiles on the ERA website.