SCA for PSD2 - How bad is it going to fail?

With just 4 months before the enforcement of PSD2 within many European countries, payments expert Ronald Praetsch depicts what is currently happening with SCA for PSD2 in the region

Not even the recent unfortunate events due to COVID-19 have moved the position of the European regulators, with only few national competent authorities moving the enforcement deadline to give more time to businesses to adapt with the needed changes (i.e. the Financial Conduct Authority which has decided to give additional time until September 2021).

Looking at the current market status, with lower 3DS2 adoption in some markets, and the most recent COVID-19 development in major European countries, the risk of ‘market failure’ in January 2021 seems rising day after day and the role of part of the payment chain are fundamental to ensure merchant readiness. We still see in some markets a significant number of issuers not being technically ready to accept 3DS2 transactions and the transactions authenticated with the new authentication protocol are currently very low. Furthermore, the level of complexity is getting higher with local regulators following different approaches with some proposing or considering soft decline programs (i.e. France and Netherlands considering September 2020, Belgium at the end of August, Germany still discussing it) and some others fully relying on the EBA timelines.

In such a scenario, the market readiness seems very fragmented. It is not a secret that issuers are more ready in some countries than in others and 3DS2 performances may also vary significantly. Some of the current best performing markets are Denmark and the United Kingdom while on the opposite we have seen Spanish issuers far from being massively ready. Those are markets where we strongly recommend to have volumes already sent to 3DS2 as acceptance ratios are in line or better than 3DS1.

The recent partnership between Netcetera and Mastercard in establishing a merchant testing production environment is an initiative to be welcomed in the market but this shows, on the other side, the efforts in trying to fill the gap which has been previously created due to not having a consolidated way for merchants to test. Considering that issuers had specific mandates from card schemes in the first part of 2020, this can highlight even more how difficult it has been for issuers to implement the new protocol which required efforts on the Access Control Servers used.  We have noticed as well how some specific technical integrations, such as native SDKs are requiring costly efforts with conversion rates which are very low.

As the majority of issuers live on 3DS2 supporting the 2.1 version for Visa and the 2.1+ for Mastercard ones, PSD2 SCA exemptions are still far from being taken really into consideration. In such a situation, it makes much more sense for merchants to ensure they support the correct transaction flagging depending on the performed use cases in order to avoid issuers stepping in with authentication challenges in scenarios where cardholders are not present. As well, the issuers behaviour should be analysed and carefully monitored as some issuers might already massively authenticate cardholders based on data (Risk-Based Authentication) without requesting any challenge and bearing the fraud liability shift. In such scenarios, having a merchant requesting an SCA exemption might not make much sense as the cardholder does not experience any friction during the payment.

Therefore, sharing the right data is fundamental in those cases, in order to ensure that issuers have visibility about the customer behaviour and can easily recognise the genuine patterns based on the risk analysis models. Some of the data points that can help achieve better risk assessment on the issuers side are ‘billing address’, ‘shipping address’ information, cardholder information such as ‘phone number’ or ‘account password changes’, counter data points such as ‘count of transactions’ within the last 24 hours or last year. Additional data such as ‘email address’, ‘cardholder name’ and ‘device fingerprint’ are already available with 3DS2 transactions as required data points.

At Payment Universe, thanks to several years of experience in the payments industry working with merchants, PSPs, Acquirers, and Card Schemes, our team of professional payment experts assist with the most challenging issues around payments. Currently our biggest focus is in assisting merchants and payment providers with the transition to 3DS2 in order to be fully ready and compliant with the current deadlines. We know from our experience that the changes can be significant, and the efforts should not be underestimated as complexity can be high for some businesses. We are offering a PSD2 SCA practitioner package, which offers an easy to understand framework to help to proceed with a smooth and successful implementation. Additionally, with SCA in a Box we offer a full end-to-end support for a 360 degrees PSD2 implementation.

About Ronald Praetsch

Over 10 years’ experience in the payment ecosystem working with Payment providers, Acquirers, Merchants and Fraud Solution Providers.

Ronald is working since several years as a consulting/interim manager and helping companies around the world to optimise payments.