Strong Customer Authentication (SCA) has been rolled out across the European Economic Area (EEA) and the UK. And, as such, merchants will likely encounter more soft declines for transactions presented without SCA.
This article explains how SCA compliant and non-compliant transactions are defined and how merchants using Checkout.com retry SCA-related soft declines.
All electronic transactions require SCA unless the transaction is out of scope or there’s an exemption applied.
As a reminder, the main out-of-scope scenarios for remote transactions include:
The main exemptions for remote transactions include:
To reiterate: SCA is not required for transactions that are out of scope or exempt. But these transactions must be correctly flagged in the authorization message to reduce the chance of issuers soft declining them.
Also, keep in mind that issuers have the final say about whether to apply SCA. There are things that only they can know or do. For example, understanding the customer’s typical spending patterns or which merchants are listed as trusted beneficiaries.
If issuers are suspicious about a transaction, they can always request a step-up or challenge authentication via 3DS, even if it’s been flagged as out of scope or exempt from SCA.
While merchants should do what they can to prevent customers from encountering soft declines, they will happen, especially during the ramp-up period. At Checkout.com, we've made it easy for merchants to retry soft-declined transactions by following these steps:
Note: Issuers should not apply soft decline for other reasons than when SCA is required.
When planning their resubmission strategies, merchants must consider the system integrity rules applied by the schemes that came into force in April 2021. These rules group pre-existing decline response codes into categories and require issuers to use descriptive values when they cannot approve a transaction.
Merchants can break the system integrity rules by incorrectly submitting retries or making an excessive number of retries and these can lead to fines issued to merchants by the schemes.
Here's an overview of the rules set by the schemes.
'Issuer will never approve' category decline codes indicate that there are no circumstances in which the issuer will approve the transaction. Examples include the card being compromised or never in fact issued.
This category also includes decline codes that indicate the account is valid but that the transaction is not permitted due to permanent regulatory restrictions that prevent approval.
Merchants should never resubmit a transaction when they receive a response code from this category.
'Issuer cannot approve' at this time category decline codes indicate that the issuer may approve but cannot do so at this time. Examples include a temporary system outage, lack of funds or that SCA is required. These occur when the issuer is prepared to approve a transaction but cannot do so at the time or based on the transaction details. In some cases, cardholder action is required to remove the restriction before approval can be obtained.
The issuer would welcome a further authorization attempt in the future but limited to 15 resubmissions in 30 days.
Merchants can submit a retry when they receive decline codes from issuers that indicate there are data quality issues and that either invalid payment or authentication data has been provided. The issuer may approve the transaction if the merchant then provides valid data.
Merchants can be charged twice the system integrity fees in the case of data quality category decline response code resubmissions if the following applies:
As merchants consider these rules and work with their PSPs to build their SCA resubmission strategies, some best practices to follow are:
Overall, the early signs are that the SCA rules are helping to reduce fraud. Card schemes have reported a reduction in fraudulent activity during early 2021. And it’s encouraging to see this happening with minimum impact on merchant payment performance.
Soft declines are increasing as expected, as are soft decline resubmissions. The sooner merchants adopt 3DS2, the sooner they can learn where soft declines are occurring. And the sooner they can hone robust SCA exception strategies to optimize payment performance and deliver a seamless but secure customer experience.