MRC PSD2/SCA Summit 2021 – Where are we now?

The MRC recently held a full day, virtual Summit on the topic of PSD2 SCA. Why? Because it remains fascinating for all players in the card payments industry. Some of us have worked on the regulation for several years, while industry newcomers are hearing about the regulatory requirements for the first time. Either way, the key point from the Summit was answering the following question: when implementing PSD2 SCA regulations, how do we best avoid friction for the consumer?

Consequently, two representatives from different EU Regulators discussed the necessity for good planning. Their key message was that preparation is a must, which includes gathering all relevant organisations together (merchants, card issuers, acquirers, PSPs, and consumer groups) to discuss what the regulation means and its impact on each party, especially the consumer. 

Additionally, many EU financial authorities provided some flexibility on the compliance date by allowing a phased approach that was published in their national roadmaps. However, although this is a positive move, it also introduced a lack of consistency across the board, which caused some complexity for merchants to deploy the relevant authentication requirements. The MRC produced a schedule outlining the various EU country roadmaps. 

The Summit also provided insights from international card schemes who stated the SCA ramp up in Europe is well under way, The Regulation was scheduled to be enforced from 31 December 2020. In Germany, for instance, the enforcement date was pushed to March, while for Italy, France, and Belgium to April 2021. On the other side, the UK, since being outside of the EU, has been able to push out their compliance enforcement date to March 2022. 

Furthermore, according to CMSPI data gathered between January and April 2021, transaction declines have been high in some countries. Data on challenge rates* show Denmark, Belgium, and Norway had a particularly high volume, where the card issuers challenged customers and declined the authentication method received. Their findings on the issuer challenges showed issuers were not accepting auth stand-ins, they lacked 3DS enrolment, they were misinterpreting incoming merchant data, and their ACS partners were creating time outs and abandonments.

*Authentication – Challenge Rates

Source: CMSPI Estimates

Moreover, for one card scheme, 75% of decline rates were due to merchants sending in-scope transactions straight to authorisation so they were unable to respond to a soft decline option. 16% were related to recurring billing, where merchants were not sending the original transaction ID. Additionally, up to 9% of declines related to the quality of data sent, where ecommerce, MOTO, and MIT data formats were not always correct. 

Overall, while merchants and card issuers both declared being ‘ready’, the general conclusion was that testing is essential. Consequently, aligned thinking and collaboration are key to the success of all parties’ ability to comply with the regulation on time. 

Regarding merchants, their card payment processors, and issuers, the important things to focus on are EMV 3DS adoption, looking at out-of-scope transactions, exemptions and soft decline responses. Interestingly, some acquirers and merchants sought alternatives to EMV 3DS due to the lack of readiness in their markets. For example, Vipps in Norway uses a signature ID solution because they wanted an alternative to the likely negative experience for consumers. In comes delegated authentication, where they implemented their own authentication factors, retained control of the consumer experience, avoided inconvenience, and kept customers happy. The key was to simplify the transaction process, and we already see that drop off rates are drastic when using the banking solutions. Vipps leveraged authentication factors on smart phones by using the secure enclave on the device (possession of the phone), inherent knowledge (PIN or biometrics) – which are all securely stored on the device.

Furthermore, within PSD2, issuers are obliged to authenticate their cardholder but are permitted to outsource the task to a third party. Visa has a framework around delegated authentication and the infrastructure can pass from the merchant to the issuer. Within the authorisation, there are flags that indicate a pre-authenticated transaction, with a delegate within the programme, the third party is authenticated, and the transaction processed correctly. Vipps went for the tokenisation rather than EMV 3DS route because user experience was of most importance. In the first 2 months, they saw a 97% success rate (full approvals, including Vipps authentication, the delegated authentication plus the card payment authentication). In addition, there were no negative consequences, and the benefit was a lift in authorisation approval rates.

Overall, while it’s good for the industry to have time to educate merchants and consumers, its fair to say we all want SCA requirements to be in place now, so we can witness the impact of expected reduced fraud levels across the ecommerce ecosystem. More importantly we want consumers to trust the system and enjoy an easy purchase experience while also keeping fraudsters out of merchants’ pockets.

About Úna Dillon

Úna has worked in the payments industry for more than 25 years, she has chaired industry working groups, ran Laser Card (Irish national debit card scheme) for 12 years, and was responsible for driving the development of policy on major initiatives such as SEPA. She was appointed to the European Commission Payment Systems Market Expert Group (PSMEG) and brings the Voice of the Merchant to the Regulator’s table.

About MRC 

The MRC is a global membership organisation connecting ecommerce fraud and payments professionals through educational programmes, online forums, career development, conferences, and networking events. The MRC encompasses a membership network of over 500 companies including 350+ merchants, all focused on fraud prevention, payments optimisation, and risk management. Hear our members share the value of MRC collaboration.