What UK merchants can learn from a year of SCA in the EU

Although SCA is a significant regulatory change, the EU rollout proved to be a relatively painless experience. Visa is seeing 95% approval rates for European ecommerce transactions, which ‘suggests that Europe has successfully implemented SCA in a way that avoids major disruption’.

There's more good news from the EU, too: SCA appears to be fulfilling its purpose of helping to reduce ecommerce fraud. Visa notes that: ‘Across Europe levels of reported fraud had fallen by 20% in the first four months of 2021’.

So, what are some best practice approaches for UK merchants as they continue their preparations for the 14 March deadline?

Understand the ramp-up plan

When a cardholder's bank (the issuer) deems the transaction risk to be ‘high’, the cardholder will be required to prove their identity. This is commonly known as a ‘step up’. In June 2021, UK issuers started stepping up transactions for SCA. That approach is now ramping up at speed, with 50% of eligible transactions due to be stepped up by mid-February, ready for 100% at enforcement. As in the EU, this ramp-up plan provides the opportunity to handle and fix any issues while their impact remains low.

Upgrade to EMV 3-D Secure (3DS)

Initial EU authorisation rates have been consistent across all versions of 3DS. The UK has long been ahead of the game on 3DS performance, while EMV 3DS versions 2.1 and 2.2 are well embedded in the payments ecosystem. They also offer customers a better SCA experience than version 1.0, especially on mobile devices. 

As version 1.0 has a limited life, merchants who've not yet upgraded to EMV 3DS should consider doing so as part of their preparations for 14 March.

Out of scope for SCA: MITs and MOTO

Merchant initiated transactions (MITs) and mail order/telephone order (MOTO) transactions are out of scope for SCA. Initially, however, some EU merchants didn't always include the right data fields on these transactions to indicate their out-of-scope status, and some issuers incorrectly declined MITs and MOTO transactions for SCA. Cybersource was able to manage and resolve these transactions with issuers on behalf of its merchant customers.

We recommend that UK merchants take care to include the right data fields on MITs and MOTO transactions to prevent them from being stepped up for SCA. Issuers themselves will have learned from the EU experience, but merchants should monitor these transactions closely over the initial period in case of handling errors. 

Monitor risk and fraud exposure

Although early EU indications are that ecommerce fraud rates are reducing overall, we know that fraudsters don't give up: they're adept at evolving their techniques in line with regulatory and other changes.

We suggest that merchants keep a close eye on their risk and fraud exposure, and monitor channels and areas that fraud may migrate to. For example:

• SCA may mean that fraud migrates from online to MOTO channels, so consider bolstering training for your call centre agents;

• fraudsters may attempt to take over customer accounts, therefore it may be worth implementing a specialist tool to protect against account takeover;

• as one-leg-out transactions are exempt from SCA, fraudsters may increase their use of payment cards issued outside the EU, hence look at adding rules to your fraud screening solution to scrutinise these transactions more closely.

And as part of the COVID-19-driven acceleration of online shopping, the mobile channel has become increasingly popular for its friction-free experience. Merchants should monitor mobile traffic and consider setting mobile-specific fraud screening rules.

SCA exemption strategy

In-scope transactions below EUR 30 can be exempted from SCA, and merchants can request further exemptions from their acquirers. The ’transaction risk analysis’ exemption, in particular, is likely to be considered for acceptance if the merchant can show they're managing fraud effectively and can reliably recognise low-risk customers. 

Not all transactions are subject to SCA

We've touched on exempt and out-of-scope transactions above, but it bears repeating that not all ecommerce transactions will be stepped up for SCA. In fact, the largest ecommerce volume (according to Visa data) won't be subject to SCA as transactions are either out of scope or can benefit from an exemption applied by the acquirer — so the impact on merchants and their customers may be less significant than some expect.

In summary

Our view is that the relatively smooth rollout of SCA in the EU — and the speed with which issues have been resolved — bodes well for UK enforcement. Merchants should, however, ensure they understand the regulation and the ramp-up plan, and are ready to comply. As well as being able to monitor their risk and fraud exposure, they need to maintain their focus on providing genuine customers with a good experience, and be ready to develop an SCA exemption strategy if that's the right approach for their business.

To learn more about SCA preparation and best practices, check here. 

These materials and best practice recommendations are provided for informational purposes only and should not be relied upon for marketing, legal, regulatory or other advice. 

Recommended marketing materials should be independently evaluated in light of your specific business needs and any applicable laws and regulations. Cybersource is not responsible for your use of the marketing materials, best practice recommendations, or other information, including errors of any kind, contained in this document.

About Mari-anne Bayliss

Mari-anne joined Cybersource in June 2017. In her role as European lead – Regional Solutions, she focuses on driving forward solutions which help merchants to provide great customer experiences, while keeping their business secure. Prior to joining Cybersource, she spent 18 years with a large UK retailer, and for over 10 years was leading the Fraud and Risk functions, responsible for both ecommerce fraud prevention and internal risk management. During this time, she experienced significant changes to the risk and payment landscapes, including the introduction of chip and PIN and the emergence of immediate fulfilment channels. She brings a unique insight into today’s digital payment landscape. 

About Cybersource

Cybersource helped kick start the ecommerce revolution in 1994 and haven’t looked back since. Through global reach, modern capabilities, and commerce insights, we create flexible, creative commerce solutions for everyday life – experiences that delight customers and spur growth globally. All through the ease and simplicity of one digital platform to manage all payment types, fraud strategies, and more. Knowing we are part of Visa and their security obsessed standards, you can trust that business is well taken care of – wherever it may go.