Why it's time for merchants to take control of the road to PSD2 SCA

Thursday 24 September 2020 07:47 CET | Editor: Simona Negru | Interview

Mari-anne Bayliss, Senior Director, Cybersource Regional Solutions, talks to The Paypers about the changes associated with the PSD2 strong customer authentication (SCA) requirement, and why merchants must make sure they're ready by the time it comes into force


As the enforcement period of PSD2 SCA approaches fast, what is the current state of readiness of the various constituents (merchants, issuers, and acquirers) in the ecommerce payments ecosystem?

PSD2 SCA comes into force across the EU on 1 January 2021; and in the UK on 14 September 2021. These dates are already later than originally planned, and the European Banking Authority (EBA) has indicated there won't be any further extensions. So we recommend that all constituents of the ecommerce payments ecosystem should work to these deadlines. 

As a quick reminder: SCA is the strong customer authentication requirement associated with PSD2 (the revised European Payment Services Directive). It's designed to protect customers, merchants, and issuers by helping to prevent fraud on electronic payments. When SCA becomes effective, some payment transactions (when both issuer and acquirer are in the European Economic Area) will need two-factor authentication. If a transaction can't be authenticated, the issuer may decline it. Some transactions will be out of scope, and some in-scope transactions may be exempted by acquirers or issuers.

Although the UK enforcement date is later than the EU date, UK-based merchants who sell to EU customers, or process transactions paid for using EU-issued cards, must be ready by the earlier date of 1 January next year.
For merchants, SCA readiness means they've rolled out the enhanced 3-D Secure protocol — known as EMV® 3-D Secure v2 (EMV® 3DS). I'm pleased to say we're seeing good progress in many regions among merchants, issuers, and acquirers on this front; but there are some variations. We're aware, for example, that many merchants in the UK are ready, while others are still in the early stages of preparing. And across the EU, we're seeing different levels of readiness in different countries. 

What is your advice for merchants whose acquirer isn't ready yet? 

My advice to merchants is: don't let that hold you back! Lack of readiness on the part of an acquirer shouldn't stop a merchant from making every effort to prepare by implementing (or upgrading to) EMV® 3DS. 

Merchants who do the development work now and have EMV® 3DS in place will then be able to go live with it as soon as their acquirers are ready. Merchants should know too that their payment platforms (such as Cybersource) can provide insight into acquirers' readiness for SCA — so don't hesitate to ask.

It can be hard for merchants to navigate through the issuer landscape and ascertain the state of readiness. How would you advise merchants to deal with this situation?

My advice is the same as for merchants whose acquirers aren't yet ready: don't wait for issuers to be ready before you forge ahead with EMV® 3DS implementation. 

Merchants should also find out what support their payment platform can provide while an issuer continues to prepare. Generally speaking, a merchant should be able to invoke EMV® 3DS for transactions even if an issuer isn't ready — although we recommend that they should only invoke the version the issuer is currently supporting. The risk otherwise is that merchants may see increased authorisation declines, as the issuer is unable to authenticate the customer, and would therefore be assuming all the risk. Merchants should be aware too that overall declines are being monitored at scheme level. 

Merchants who're struggling to navigate the issuer landscape can reach out to their payment platforms and acquirers to find out about an issuer's state of readiness and the options available.

With only a few months left to prepare, what would be the impact of not being ready on the day of enforcement?

The bottom line is that merchants who aren't ready with EMV® 3DS in time will find that issuers decline in-scope transactions that require authentication. 

Issuers have started testing their processes, so merchants may already experience 'soft declines'. A soft decline is coding by the issuer indicating they wanted to authenticate the transaction. We expect to see rising levels of testing and soft declines on the run-up to enforcement. Of course, this testing period provides merchants with a great learning opportunity, as it helps them become familiar with the types of transactions (such as high risk or high value) that will likely be subject to SCA. 

It's also worth noting that being properly prepared for SCA goes beyond EMV 3DS implementation. Merchants need to understand what readiness means for their individual business — which involves being able to answer questions such as: 

  • What volume of in-scope transactions do they typically handle? 
  • How much business do cross-border transactions represent? 
  • What exemption strategy should be pursued with acquirers?
  • Do they have merchant-initiated transactions (MITs)? These will be out of scope, so a merchant needs to flag them as such so that the issuer can recognise them.

There's also the customer experience to consider. Although SCA helps to protect consumers against fraud, the process itself may be unfamiliar or even off-putting, especially for people who've only started shopping online since the pandemic. So merchants should put effort into educating and reassuring their customers in advance. 

On top of that, we're heading into peak season, which many merchants will see as a chance to recoup revenues that may have been lost earlier in the year. In an attempt to avoid any risk to sales, merchants will likely implement a code freeze — as will payment platforms and other ecosystem constituents — making implementation of SCA-related changes challenging or even impossible during this critical retail quarter. 

Once PSD2 SCA is in force, ecommerce success will depend on the readiness of all constituents — issuers, acquirers, and merchants. Merchants who haven't yet implemented EMV® 3DS should take control of their upgrade path without delay, and work with their payment platform to make sure they're ready in good time.

About Mari-anne Bayliss

Mari-anne joined Cybersource in June 2017. At her role as  European lead – Regional Solutions, she focuses on driving forward solutions which will help merchants to provide great customer experiences, while keeping their businesses secure. Prior to joining Cybersource, she spent 18 years with a large UK retailer, and for over 10 years was leading the Fraud and Risk functions, responsible for both ecommerce fraud prevention and internal risk management. During this time, she experienced significant changes to the risk and payment landscapes, including the introduction of chip and pin and the emergence of immediate fulfilment channels. She brings a unique insight into today’s digital payment landscape. 

About Cybersource

Cybersource helped kick start the ecommerce revolution in 1994 and haven’t looked back since. Through global reach, modern capabilities, and commerce insights, we create flexible, creative commerce solutions for everyday life-experiences that delight customers and spur growth globally. All through the ease and simplicity of one digital platform to manage all payment types, fraud strategies, and more. Knowing we are part of Visa and their security-obsessed standards, you can trust that business is well taken care of — wherever it may go.

Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: Mari-anne Bayliss, Cybersource, SCA, PSD2, merchants, issuers, acquirers, ecommerce payments, authentication, EBA, fraud, transactions , cross-border transactions
Categories: Fraud & Financial Crime
Countries: World
This article is part of category

Fraud & Financial Crime