Voice of the Industry

Managing SCA declines, MITs, and exemption optimisation

Wednesday 31 March 2021 07:53 CET | Editor: Simona Negru | Voice of the industry

Since 1 January many European markets have enforced — or are enforcing — the Strong Customer Authentication (SCA) requirements of PSD2 for ecommerce. Mari-anne Bayliss, Senior Director at Cybersource, discusses learnings so far and the next focus areas for merchants.

So far, so good: most European issuers are ready for SCA, the use of EMV 3DS (the latest version of the 3-D Secure protocol) continues to rise, and authenticated approval rates are in line with expectations. However, there are some key areas that merchants should consider addressing.

SCA declines

SCA declines by issuers have increased since the start of 2021 (A decline code indicating the issuer would be willing to reconsider the transaction if resubmitted after authentication is done.). On receiving an SCA decline, a merchant is advised to retry the transaction for authentication within the same payment session and, if successful, to then retry the transaction for authorisation. Unfortunately, the resubmission rate is lower than ideal, likely because:

  • merchants aren't attempting to retry for authentication;

  • customers whose transactions are declined are abandoning their baskets. 

Either way, it's bad news for merchants (who may lose the sale) and for shoppers (who may have a poor experience). 

To improve SCA decline handling, merchants should use the latest version of EMV 3DS (currently 2.2). Additionally, they should agree with their payment gateways and acquirers how to manage SCA declines and resubmissions. Merchants using Cybersource Decision Manager with Payer Authentication for 3DS can look forward to automated resubmissions with retry later this year.

Merchant Initiated Transactions (MITs)

Recurring transactions aren't always correctly flagged when they qualify as MITs. When setting up a subscription or series of transactions, which may qualify as MITs, always apply SCA to the first transaction where the customer is available to initiate or authenticate the payment. Merchants then need to ensure that all subsequent MIT transactions are flagged to avoid the issuer declining for SCA. 

MITs may also arise when the final value of a transaction is higher than the amount presented during authentication – for example, hotel room bookings (where extra costs like breakfast increase the total); or video services with paid ‘add-ons’ (e.g. PPV movies) added to the monthly bill. 

To comply with the 'dynamic linking' aspect of these transactions and to help make checkout more frictionless, merchants should adopt a mitigation strategy. One option could be using MIT incremental authorisations for additional unauthenticated amounts, rather than adjusting the monthly payment. Scheme guidelines vary, so check with your payment gateway or acquirer to understand the best approach.

Where should merchants focus next?

We suggest the following focus areas:

EMV 3DS – Merchants who haven't yet upgraded to the latest version of EMV 3DS should do so. An EMV 3DS solution like Cybersource Payer Authentication ensures merchants are using the latest version of the protocol. 

Customers get a better authentication experience, and merchants get additional capabilities like exemption flagging.

Exemption strategy – Beyond in-scope remote electronic payment transactions below EUR 30 being exempt from SCA, merchants may want to develop an SCA exemption strategy in consultation with their payment gateways and acquirers. 

Both the acquirer and issuer can apply the transaction risk analysis (TRA) exemption, and merchants can request exemptions with pre-agreement from their acquirers. Our recommended starting point is the TRA exemption. Although acquirers can support exemptions for transactions up to EUR 500 in some cases, merchants will be closer to customers and may know when a transaction may qualify for an exemption (or not). 

Merchants with Cybersource Decision Manager and Payer Authentication can use business rules to identify transactions that may qualify for the TRA exemption (as well as out-of-scope transactions and other exemptions, such as low value transactions) and request their exemption. Acquirers will know if these merchants are managing their fraud rates appropriately, while customers will be able to enjoy a more seamless checkout experience. 

Out-of-scope transactions – Some transactions, such those in the MOTO channel, are always out of scope for SCA. Merchants should flag them correctly so that issuers don't decline for SCA.

SCA should be applied to one-leg-out (OLO) transactions on a best efforts basis. Decision Manager with Payer Authentication can help you understand the riskiness of an OLO transaction, and request authentication if required. 

SCA exemption optimisation with Cybersource 

Merchants have traditionally used Cybersource Decision Manager to screen for fraud post-authorisation. Now they are starting to use Decision Manager with Payer Authentication to screen transactions pre-authorisation. Using built-in exemption rules, merchants can analyse a transaction's risk level and decide whether to request an SCA exemption (based on their own risk model and strategies agreed with their acquirers). 

For example, a merchant may wish to request an SCA exemption on any transaction under EUR 100, provided it meets certain merchant-specified criteria. In these cases, the Cybersource solution will pause the authentication call and request an exemption from the issuer. If the issuer declines for SCA, in the future the Cybersource solution will automatically retry with authentication. This will help to deliver a seamless experience for customers and protect merchants from potential loss of sales. 

To learn more about optimising SCA exemptions with Cybersource solutions, contact us or register for our webinar: The PSD2 Era: How to improve SCA declines and optimise exemption strategies on Tuesday 27 April 2021.

These materials and best practice recommendations are provided for informational purposes only and should not be relied upon for marketing, legal, regulatory or other advice. 

Recommended marketing materials should be independently evaluated in light of your specific business needs and any applicable laws and regulations. Cybersource is not responsible for your use of the marketing materials, best practice recommendations, or other information, including errors of any kind, contained in this document.

About Mari-anne Bayliss

Mari-anne joined Cybersource in June 2017. At her role as European lead – Regional Solutions, she focuses on driving forward solutions which will help merchants to provide great customer experiences, while keeping their businesses secure. Prior to joining Cybersource she spent 18 years with a large UK retailer, and for over 10 years was leading the Fraud and Risk functions, responsible for both ecommerce fraud prevention and internal risk management. During this time, she experienced significant changes to the risk and payment landscapes, including the introduction of chip and pin and the emergence of immediate fulfilment channels. She brings a unique insight into today’s digital payment landscape. 

About Cybersource

Cybersource helped kick start the ecommerce revolution in 1994 and haven’t looked back since. Through global reach, modern capabilities, and commerce insights, we create flexible, creative commerce solutions for everyday life – experiences that delight customers and spur growth globally. All through the ease and simplicity of one digital platform to manage all payment types, fraud strategies, and more. Knowing we are part of Visa and their security obsessed standards, you can trust that business is well taken care of – wherever it may go.


Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: Cybersource, SCA, PSD2, 3-D Secure, merchants
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: World
This article is part of category

Securing Transactions






Industry Events