How and when to retry SCA-related soft-declined transactions 

Strong customer authentication rules are now effective across Europe. We explain how to optimize the payment flow to deliver a seamless but secure customer experience.

The rollout of Strong Customer Authentication (SCA) across the European Economic Area (EEA) and the UK is gathering pace. And, as that rollout continues, merchants will likely encounter more soft declines for transactions presented without SCA.

This article explains how SCA compliant and non-compliant transactions are defined and how merchants using Checkout.com retry SCA-related soft declines.

Which transactions require strong customer authentication?

All electronic transactions require SCA unless the transaction is out of scope or there’s an exemption applied.

As a reminder, the main out-of-scope scenarios for remote transactions include:

The main exemptions for remote transactions include:

To reiterate: SCA is not required for transactions that are out of scope or exempt. But these transactions must be correctly flagged in the authorization message to reduce the chance of issuers soft declining them.

Also, keep in mind that issuers have the final say about whether to apply SCA. There are things that only they can know or do. For example, understanding the customer’s typical spending patterns or which merchants are listed as trusted beneficiaries. 

If issuers are suspicious about a transaction, they can always request a step-up or challenge authentication via 3DS, even if it’s been flagged as out of scope or exempt from SCA.

Initiating SCA retries using Checkout.com

While merchants should do what they can to prevent customers from encountering soft declines, they will happen, especially during the ramp-up period. At Checkout.com, we've made it easy for merchants to retry soft-declined transactions by following these steps: 

  1. If a transaction requires SCA because the authorization wasn’t preceded by authentication, the issuer should respond with a soft decline response code 20154.
  2. Merchants should then retry with EMV 3DS (3DS2) and ideally use a challenge indicator SCA mandated (04) or 3DS1 if EMV 3DS isn’t supported by either the merchant or the issuer.
  3. If the authentication is successful, merchants may proceed with another authorization with 3DS data and the issuer should accept a fully authenticated authorization.

Note: Issuers should not apply soft decline for other reasons than when SCA is required.

Understanding system integrity rules 

When planning their resubmission strategies, merchants must consider the system integrity rules applied by the schemes that came into force in April 2021. These rules group pre-existing decline response codes into categories and require issuers to use descriptive values when they cannot approve a transaction.

Merchants can break the system integrity rules by incorrectly submitting retries or making an excessive number of retries and these can lead to fines issued to merchants by the schemes.  

Here's an overview of the rules set by the schemes.

Issuer will never approve – retry not allowed

'Issuer will never approve' category decline codes indicate that there are no circumstances in which the issuer will approve the transaction. Examples include the card being compromised or never in fact issued. 

This category also includes decline codes that indicate the account is valid but that the transaction is not permitted due to permanent regulatory restrictions that prevent approval.

Merchants should never resubmit a transaction when they receive a response code from this category.

Issuer cannot approve at this time – retry allowed

'Issuer cannot approve' at this time category decline codes indicate that the issuer may approve but cannot do so at this time. Examples include a temporary system outage, lack of funds or that SCA is required. These occur when the issuer is prepared to approve a transaction but cannot do so at the time or based on the transaction details. In some cases, cardholder action is required to remove the restriction before approval can be obtained.

The issuer would welcome a further authorization attempt in the future but limited to 15 resubmissions in 30 days.

Data quality, issuer cannot approve with these transaction details – retry allowed with valid data

Merchants can submit a retry when they receive decline codes from issuers that indicate there are data quality issues and that either invalid payment or authentication data has been provided. The issuer may approve the transaction if the merchant then provides valid data.

Merchants can be charged twice the system integrity fees in the case of data quality category decline response code resubmissions if the following applies:

  • Merchants make over 15 retries using the same CAID, PAN and purchase amount over a 30-day period. 
  • Over 25,000 declines with the same CAID and Acquirer BIN are made.

Best practices for automatic retries

As merchants consider these rules and work with their PSPs to build their SCA resubmission strategies, some best practices to follow are: 

  • Ensure that any automated authorization retries exclude 'Issuer will never approve' category response codes.
  • Not retry 'Issuer cannot approve at this time and/or with this data category' more than 15 times over a 30-day period.
  • Apply SCA and use account verification transactions when adding credentials on file.
  • Evaluate the use of automated customer messaging, alerts or emails when receiving successive declines or the retries threshold is reached for transactions with credentials on file.
  • Utilize velocity of spend controls to reduce the risk of account testing and apply captcha-like solutions to mitigate bots that retry transactions continuously.

What are the early lessons from the SCA rollout across the EEA?

Overall, the early signs are that the SCA rules are helping to reduce fraud. Card schemes have reported a reduction in fraudulent activity during early 2021. And it’s encouraging to see this happening with minimum impact on merchant payment performance.

Soft declines are increasing as expected, as are soft decline resubmissions. The sooner merchants adopt 3DS2, the sooner they can learn where soft declines are occurring. And the sooner they can hone robust SCA exception strategies to optimize payment performance and deliver a seamless but secure customer experience.

Contact our team today to see how we can support your business.

Keep up-to-date with all things payments

We process your personal data in accordance with Checkout.com's privacy policy. By subscribing, you consent to us sharing updates with you.

Keep up-to-date with all things payments

The Checkout.com team

Written on Apr 11, 2021 by

Milena Shishkova

Senior Product Lead, Checkout.com

Keep up-to-date with all things payments

We process your personal data in accordance with Checkout.com's privacy policy. By subscribing, you consent to us sharing updates with you.

Keep up-to-date with all things payments

The Checkout.com team

Related articles

Ask me anything: Strong Customer Authentication

Our Senior Product Lead for the Core Payments Group, Milena Shishkova, recently held an ask me anything session focusing on the ramp-up of SCA across Europe. Here's a recap of the event and the on-demand recording.

payments

3 min read

Exemptions to SCA 

Here we look at which payments are out of the scope of Strong Customer Authentication and which ones will need exemptions.

payments

6 min read

When should merchants prepare for soft declines with SCA?

Soft declines will rise with Strong Customer Authentication. But exactly when will be different for each country.