MRC advocates extension as SCA enforcement deadline approaches

MRC and our members are excited about the promise of SCA and EMV^® 3-D Secure (EMV 3DS). Improved security for consumers, fewer fraudulent transactions, and increased authorisation rates are what we all want. Prior to the COVID-19 pandemic, the industry made progress to hit the European Banking Authority (EBA) enforcement deadline. Unfortunately, between the pandemic and the economic downturn, we believe the industry will not be ready by the current deadline of 31 December 2020. 

Advocacy is of tremendous importance to MRC merchant members as the payments industry becomes more regulated than ever before. The MRC's advocacy work is focused on several key areas, one of them being a strong collaboration with the card networks, enabling us to get advanced notifications about new mandates and providing the merchant voice regarding changes before they come into effect. 

In May, we began talking to merchants and issuers about their readiness concerns and sent letters to the EBA and to the European Commission (EC) to reflect real concerns. We also co-signed an industry letter from the European Payment Institutions Federation (EPIF) to the EC and EBA. 

As we spoke with members about the challenges of EMV 3DS, one of our card issuing members shared that with significant growth in ecommerce caused by COVID-19, many new merchants are pivoting from card present sales to ecommerce transactions and there have been notable speed bumps. They shared one story that really drove home the issue, specifically where a consumer placed an order for groceries for curbside pickup, the transaction failed on the day of pickup and the consumer was unable to collect their groceries. We need to remember, as we look at the data, each decline of a good consumer is not just a statistic, but a person who needs goods or services during a global pandemic. 

The EC replied stating the deadline would not be moving. Two of our merchant members, Microsoft and Amazon, have created EMV 3DS implementation scorecards for the EU region that show, by country, the acceptance rates as well as many other key metrics. We provided these scorecards to the EBA, EC as well as to many National Conduct Authorities (NCAs). Scorecards can be requested from the MRC. 

Microsoft published their methodology on creating the scorecard and we can now facilitate briefings for regulators and issuers to view monthly country scorecards for Microsoft, Amazon, Google, and Sony Interactive Entertainment.

Measuring the impact of enforcing EMV 3DS and understanding the consumer impact is critical. Data tells the real story, and 4 major merchants, Amazon, Microsoft, Sony Interactive Entertainment, and Google data tell similar stories; the industry is not ready with EMV 3DS implementation. The consumer will suffer when they can’t purchase online. 
There are three main areas of concern around enforcement from the current deadline: 

1. While implementation has been improving, there are still fundamental failures in the system. Based on current dashboards from a few merchant members in several countries, such as France, Belgium, and Italy, we would predict that 1 out of every 4 authentication attempts would fail. 
2. While orders placed through a web browser are seeing reasonable performance in several countries, orders through mobile applications or game consoles in most countries still simply do not work, as many issuers are relying on falling back to 3DS 1.x which is not designed to work with mobile apps and consoles. 
3. The deadline is at a very bad moment for merchants and issuers – in addition to the global pandemic slowing things down as volumes have more than doubled for many ecommerce merchants and issuers and the technology focus has been on scaling, it is also important to note that most issuers and merchants have code freezes between 21 November and 15 January, during the holiday peak season; so if something isn’t working, bugs are identified, and the industry at large will have to wait post the holiday season to implement the changes. 

All these merchants measuring EMV 3DS as part of their implementation proceed with an authorisation even if 3DS authentication fails. 

With data in hand, the MRC began a virtual roadshow with merchant members, to the regulators in each country (NCAs), which are responsible for enforcing the regulation. To date, the MRC has facilitated 18 meetings. In some countries, we have been one of the many voices advocating for concessions and we are relieved to see the deadline shifting. The MRC is coordinating with our merchant community, working with the NCAs and we have published a collaborative calendar of the country deadlines on our website for our merchant members to stay current of the changes. 

MRC also heard from issuers and merchants that it is extremely hard to test and debug problems, so we established a Slack channel, where the community is working together to solve these problems. To sign up for testing with Visa, email them at GCT3DSSUPP@visa.com. To sign up for the Mastercard test platform, visit this page. 

We are educating our members and encouraging them to use the testing platforms Visa and Mastercard have provided. We are fans of SCA and EMV 3DS, and as we review the data today, you will see a lot of great progress. In fact, the UK is a clear leader in the rollout of EMV 3DS and we are pleased that even with the progress being made, the UK recognised the potential risks of implementing the deadlines too early and the UK is the first country to push the deadline to September 2021. Other European countries have now moved their deadlines as well, such as France and Denmark. 

We request that other countries take similar approaches and at the MRC we are ready to work with our members to pull together merchant data for any country or issuer who wishes to benchmark and assess their readiness.

This editorial was published in the Fraud Prevention in Ecommerce Report 2020/2021, the go-to source in securing transactions while offering a frictionless customer journey.

About Julie Fergerson

Julie Fergerson, the newly appointed CEO, has 25+ years of experience in developing, delivering, and promoting Internet-based technologies. She generates collaborations around industry problems and is enthusiastic about new technologies. Julie has a proven track record of bringing key stakeholders together to solve major problems and positioning existing technology to meet the needs of the audience, without changing fundamental value, proving to be a resourceful problem solver.

About Úna Dillon

Úna is a regular public speaker on payments and has chaired working groupsfor organisations including the EPC. She ran Laser Card, the Irish debit card scheme, for 12 years,and was Head of IPSO Card Services, responsible for driving the development of policy on majorinitiatives such as SEPA.

About MRC

The MRC is a global membership organisation connecting ecommerce fraud and payments professionals through educational programmes, online forums, career development, conferences, and networking events. The MRC encompasses a membership network of over 500 companies including 350+ merchants all focused on fraud prevention, payments optimisation, and risk management. Hear our members share the value of MRC collaboration.