Voice of the Industry

Responding to the most asked questions about 3DS 2.0 SCA implementation

Friday 13 September 2019 08:25 CET | Editor: Melisande Mual | Voice of the industry

We learn from Ruben Woelders, Adyen’s 3DS2 expert, how to prepare for a phased implementation of PSD2/SCA 3DS 2.0 considering the liability, costs, impact analysis and more


The PSD2/SCA regulatory technical standards will apply as of tomorrow. Yet a significant number of countries announced a phased implementation plan. For most countries the exact length and scope of the delay have not yet been defined. In some countries, such as Poland, Norway, and Luxembourg, banks will need to contact the regulator directly to secure this delay. The UK regulator announced an 18-month phase-in period to give banks and businesses more time to prepare for these new requirements.

There are still a lot of questions about the impact and implementation. The Paypers sat down with an expert from Adyen to get answers on the most pressing questions of our readers.

Delay enforcement

How should merchants prepare for a phased and fragmented enforcement of SCA in the European Economic Area? And how can a PSP support merchants in this matter?

We’ll likely see a gradual rollout of SCA requirements, and a lot will depend on the migration plans that are agreed upon in each country and even each bank’s policies.

Our advice is to be prepared for SCA in all required instances starting 14 September, but to also make sure that you have dynamic authentication technology in place. Some issuing banks may decide to strictly follow regulatory guidance, either due to their policies or the guidance of their regulators, and over the coming months and years, more banks will require SCA. For banks not yet requiring SCA, you can, and probably should, avoid additional authentication friction where it’s not mandated.

Our company has in place authentication optimization solutions designed for this, which keep track of bank-specific preferences, identifying banks that are requiring SCA, both 3DS1 and 3DS2, and those that are not. Businesses are finding this dynamic approach to authentication less impactful to their revenue than simply going ‘live’ with SCA across all of their traffic on the 14th.

Are you aware of any National Competent Authorities (NCAs) that require confirmed card issuers to implement the SCA RTS to the letter of the law by 14 September?

There was nothing announced in this regard. There have been countries where the national supervisory body hasn’t been very clear about a delay, or has refrained from making any statement at all. This is why the best advice for businesses is to be ready to implement SCA across the EEA and to have technology with the ability to make dynamic decisions on an issuing bank level.


What happens if the cardholder’s bank does not support the 3DS 2.0 functionality on 14 September?

The bank may take advantage of the regulatory delay. In this case, it’s “business as usual” and we wouldn’t expect the behaviour of that bank to change. If a bank decides to go ahead and make SCA a requirement without being 3DS 2.0 ready, 3DS 1 will generally be the only option to authenticate shoppers with credit/debit cards.



We expect most issuing banks to not be 3DS 2.0 ready on 14 September. We do, however, anticipate that the proportion of banks offering 3DS 2.0 over time will improve. That’s why having an intelligent, dynamic 3DS system in place is important - as soon as 3DS 2.0 becomes available for a bank, it should be used, as it is expected to offer significant conversion benefits.

What is the fall back scenario? Can merchants still benefit from the liability shift under such circumstances? Do all the card schemes apply the same rules in this matter?

In Europe, if a shopper goes through a full 3D Secure flow (3DS 1.0 or 2.0), the liability can shift to the issuing bank. The benefit for businesses depends on the card scheme, region, implementation timelines and a range of other scenarios. Businesses should check with their PSPs if they’re interested to learn more about global liability shift rules.


Transaction Risk Analysis (TRA) exemption allows for certain transactions to be exempted from SCA, provided a robust risk analysis is performed and the Payment Service Provider meets specific fraud thresholds. Can both the Payment Service Provider (acquirer) and Card issuer apply the TRA exemption? Are card issuers and PSPs/acquirers required to communicate their fraud ratios to merchants and cardholders, respectively?

Both the issuing bank and business/acquirer can apply the TRA exemption if their fraud rates are sufficiently low, but in the end, it’s the issuing bank that decides whether to challenge the shopper or not. We expect many banks to embrace the TRA exemption, both because it is good for their cardholders’ experience and because liability is with the business in cases where the merchant’s acquirer requests a TRA exemption.

Banks are required to provide their TRA approach to supervisory bodies, but not to businesses and end consumers. Businesses should understand what TRA approach their PSP has, so they can work together on an approach that makes sense for their customers.


Under the SCA rules, consumers will have the right to “whitelist” trusted beneficiaries - i.e., the businesses they trust - allowing card issuers to exempt the transaction from SCA requirements. How exactly does whitelisting work? Are card issuers required to offer this exemption? Can all merchants benefit from this exemption?

When a shopper gets an SCA challenge, it’s as easy as ticking a box to say that they don’t want this site to challenge them in the future. Businesses that work with whitelisting-ready 3D Secure providers, such as Adyen, get whitelisting from the get-go. Most issuing banks are expected to start supporting whitelisting flows in 2020 with the implementation of the updated version 3DS2, version 2.2.

In a scenario where a cardholder is able to whitelist a merchant yet the cardholder also commits friendly fraud, who is liable for this?

The business is liable for any chargebacks unless the shopper went through an authenticated 3DS flow. Businesses have the option to not use the whitelisting flow and to step up in cases of suspected friendly fraud.


What charges will be levied by card schemes, card issuers and PSPs for SCA and 3DS2.0 and who pays them?

Next to the regular interchange and scheme fees charged to businesses for a transaction, additional fees may apply if 3DS1 or 3DS2 is used, either from their acquirer or the card scheme itself. Businesses should check with their acquirers to get information on 3DS-specific scheme fees.

Impact analysis

Payment managers have been asked to carry out a PSD2/SCA impact analysis for their boards. When it comes to drop-off rates and authorization rates, what verticals and markets are likely to be most impacted and how?

SCA requirements under PSD2 will have an impact on the bottom line. So, it’s worth considering what business models will be most impacted, and how.

The fewer exemptions a business can take advantage of, the more impact we anticipate. Those with lower average transaction values, for example, will be less impacted than businesses with a higher transaction value who can’t take advantage of the low-value exemption. Higher Average Transaction Value (ATV) ecommerce businesses and travel will be heavily impacted.

Less obvious is the impact that SCA will have on subscription-based businesses. While recurring transactions are exempted/out-of-scope, in many cases they’ll need to authenticate at the shopper’s sign-up stage. Applying this authentication to all new customer sign-ups will heavily impact those who operate under a ‘free trial’ model.

All in all, there will be very few business models that escape the impact of PSD2/SCA. Our advice to businesses is to work with a 3DS provider who can intelligently apply the best authentication technology for transactions only when required/necessary and optimize on exemptions and out-of-scope treatment of transactions.

About Ruben Woelders

Finding opportunities, moving quickly to act on them and showing value to merchants are the main pillars of Ruben Woelders’ work as a Product Manager at Adyen. Specialized in revenue optimization products, and using technologies such as 3D Secure and Network Tokenization, he has extensive knowledge in using data to help optimize the payment flow — from authorization rates, to authentication/conversion, and cost. Most recently Ruben has been responsible for product development of Adyen’s machine-learning based Authentication Engine and has helped some of today’s leading brands to navigate PSD2 complexity with ease.

About Adyen

Adyen is the payments platform of choice for many of the world’s leading companies, providing a modern end-to-end infrastructure connecting directly to Visa, Mastercard, and consumers’ globally preferred payment methods. Adyen delivers frictionless payments across online, mobile, and in-store channels. With offices across the world, Adyen serves customers including Facebook, Uber, Spotify, and Joe & The Juice.


Keywords: 3DS 2.0, PSD2, SCA, Adyen, PSP, merchants
Countries: World