In 2019, the European Banking Authority (EBA) announced a delay to the enforcement of Strong Customer Authentication (SCA) for online card transactions as required by the PSD2 regulation. Payment providers and banks are legally required under PSD2 to enforce SCA for card-not-present transactions or be subject to heavy fines. 3DS2 is the cross-scheme authentication standard that complies with the regulation. With the 31 December, 2020 deadline fast approaching, this article looks at the global and regional impacts of the authentication standard, specifically from a card issuer and card processor point of view. Additionally, the piece will offer some tips and best practices on how each of these organisations can prepare for 3DS2 authenticated and non-authenticated transactions.
It’s well known that the 3-D Secure protocol got a much-needed face-lift; now we have 3DS2.
How 3DS2 improved upon 3DS1
The original 3-D Secure protocol, 3DS1, was developed and launched back in 2001, long before the smartphone era and digital capabilities as we know them now, and it shows! 3DS1 is now acknowledged across the industry as a cause of significant checkout abandonment, due to its friction-heavy process and lack of dynamic user experience. 3DS2, however, is specifically designed to help reduce customer checkout friction and reduce fraud by increasing the security and data sharing of transactions made across digital ecommerce channels.
Effects of varied global adoption rates
The benefits of 3DS2 are plentiful across customers, merchants, and issuers. Despite the widespread improvements that will come with the implementation of 3DS2, it will likely be adopted at different rates in different regions of the world.
Not all merchants established support for the original version in their transactional flow. Due to this spotty support of the original 3DS, the maturity and readiness across the industry to adopt 3DS2 has been wide-ranging. The challenge of ensuring that all merchants have the relevant support, infrastructure, and 3DS management in place has been the cause of a number of delays for the adoption dates.
With the deadline for Strong Customer Authentication (SCA) approaching at the end of 2020 in Europe, the transition to 3DS2 as a unified approach to ecommerce authentication has taken a significant amount of time, effort, and discussion across all the payments ecosystems. The EU’s newly revised compliance dates require SCA to be enforced no later than 31 December 2020 for the European Economic Area (EEA) and 15 September 2021 for the UK. Whether these dates will change again or not remains to be seen, but the European payment processors, merchants, and card issuing banks are all experiencing tension, as they are hesitant to enforce 3DS2 rules on an ecosystem that is not fully ready to support them.
Figure 1 - Europe returns to winning ways in fight against fraud
Without a unified ecosystem, there is the possibility of disaster by way of declines rapidly increasing along with an untested and unaligned customer experience. In such a scenario, the market readiness would be very fragmented. It is known that issuers are more ready in some countries than in others. The FICO European Fraud Map outlines that the current best performing markets (based on early adoption of 3DS2 protocols, the level of confirmed readiness, current live testing, and central alignment through the scheme) in preventing card fraud are Denmark and the United Kingdom, while on the opposite end we see other EEA issuers are far from ready.
Successfully adapting to 3DS2
Despite the scattered initial adoption, global benefits of 3DS2 are certainly on the horizon. Around the world, payment providers are moving to more secure and adaptive authentication capabilities. This is a key business strategy for many companies. Taking the best practices of SCA and using those to their advantage is something that will benefit all organisations as digital adoption grows, especially in emerging markets.
In an ecommerce world, those who utilise new authentication approaches and data to increase their risk decision making capabilities will turn the compliance challenge into business success. This will ultimately be a marked differentiation in the market.
These market changes are happening whether merchants, issuers, and companies are ready or not. I address other questions, like ‘Who stands to benefit the most from 3DS2 and SCA?’ and ‘How can issuing banks and card processors prepare for 3DS2?’ on the FICO Community Fraud and Financial Crime blog.
About James Roche
James is currently Senior Consultant for Authentication and Identity at FICO, covering the EMEA region. He joined FICO in early 2020 after working in fraud and business transformation functions at a number of major global banks. James has substantial experience in both UK and European markets and has focused on delivering strategy and solutions for authentication, driven by regulatory initiatives including 3-D Secure 2, PSD2 and Strong Customer Authentication and Open Banking.
About FICO
FICO’s data-driven intelligence transforms how organizations make complex decisions and engage with their customers at every touchpoint—helping people make better decisions every day. For more information about FICO’s fraud protection and compliance solutions, please follow our blog or visit fico.com.