Date: 2024-12-02

The MRC recently held a full-day virtual Summit on the topic of PSD2 SCA. Why? Because it remains fascinating for all players in the card payments industry. Some of us have worked on the regulation for several years, while industry newcomers are hearing about the regulatory requirements for the first time. Either way, the key point from the Summit was answering the following question: when implementing PSD2 SCA regulations, how do we best avoid friction for the consumer?

Consequently, two representatives from different EU Regulators discussed the necessity for good planning. Their key message was that preparation is a must, which includes gathering all relevant organisations together (merchants, card issuers, acquirers, PSPs, and consumer groups) to discuss what the regulation means and its impact on each party, especially the consumer.

Additionally, many EU financial authorities provided some flexibility on the compliance date by allowing a phased approach that was published in their national roadmaps. Although this is a positive move, it also introduced a lack of consistency across the board, which made it more complex for merchants to deploy the relevant authentication requirements. The MRC produced a schedule outlining the various EU country roadmaps.

The Summit also provided insights from international card schemes, who stated that the SCA ramp-up in Europe is well under way. The Regulation was scheduled to be enforced from 31 December 2020. In Germany, for instance, the enforcement date was pushed to March, while for Italy, France, and Belgium it was pushed to April 2021. The UK, on the other hand, being outside of the EU, has been able to push out its compliance enforcement date to March 2022.

Furthermore, according to CMSPI data gathered between January and April 2021, transaction declines have been high in some countries. Data on challenge rates* show Denmark, Belgium, and Norway had a particularly high volume, where the card issuers challenged customers and declined the authentication method received. Their findings on the issuer challenges showed issuers were not accepting auth stand-ins, they lacked 3DS enrolment, they were misinterpreting incoming merchant data, and their ACS partners were creating time outs and abandonments.

*Figure: Authentication – Challenge Rates. Source: CMSPI Estimates

Moreover, for one card scheme, 75% of decline rates were due to merchants sending in-scope transactions straight to authorisation so they were unable to respond to a soft decline option. 16% were related to recurring billing, where merchants were not sending the original transaction ID. Additionally, up to 9% of declines related to the quality of data sent, where ecommerce, MOTO, and MIT data formats were not always correct.

Overall, while merchants and card issuers both declared being ‘ready’, the general conclusion was that testing is essential. Consequently, aligned thinking and collaboration are key to the success of all parties’ ability to comply with the regulation on time.

Regarding merchants, their card payment processors, and issuers, the important things to focus on are EMV 3DS adoption, looking at out-of-scope transactions, exemptions and soft decline responses. Interestingly, some acquirers and merchants sought alternatives to EMV 3DS due to the lack of readiness in their markets. For example, Vipps in Norway uses a signature ID solution because they wanted an alternative to the likely negative experience for consumers. In comes delegated authentication, where they implemented their own authentication factors, retained control of the consumer experience, avoided inconvenience, and kept customers happy. The key was to simplify the transaction process, and we already see that drop-off rates are drastic when using the banking solutions. Vipps leveraged authentication factors on smartphones: the secure enclave on the device (possession of the phone) and inherent knowledge (PIN or biometrics), all of which are securely stored on the device.

Furthermore, within PSD2, issuers are obliged to authenticate their cardholder but are permitted to outsource the task to a third party. Visa has a framework around delegated authentication and the infrastructure can pass from the merchant to the issuer. Within the authorisation, there are flags that indicate a pre-authenticated transaction; with a delegate within the programme, the third party is authenticated and the transaction is processed correctly. Vipps went for the tokenisation rather than the EMV 3DS route because user experience was most important. In the first 2 months, they saw a 97% success rate (full approvals, including Vipps authentication, the delegated authentication plus the card payment authentication). In addition, there were no negative consequences, and the benefit was a lift in authorisation approval rates.

Overall, while it’s good for the industry to have time to educate merchants and consumers, it’s fair to say we all want SCA requirements to be in place now, so we can witness the impact of expected reduced fraud levels across the ecommerce ecosystem. More importantly, we want consumers to trust the system and enjoy an easy purchase experience while also keeping fraudsters out of merchants’ pockets.

