How to make the new SCA regulations work for your business


With new rules for strong customer authentication coming into effect from 31 December 2020 in most European countries, we look at how to turn a regulatory requirement into an online conversion optimizer.

Regulation is the archetypal external risk: it is harder to influence, and therefore harder to control, than risks that originate inside the business. The revised Payment Services Directive, or PSD2, is a case in point.

The rules around strong customer authentication (SCA) for electronic payments come into force at the end of this year for payments processed in the European Economic Area (EEA), except in the UK, which will enforce them from Sept 14, 2021.

Even before then, in countries where the local regulator has introduced milestones towards full compliance, you may start to see soft declines from issuers. How likely you are to be affected, and how badly, will depend on how well you have prepared. In short, on how SCA-savvy your organization is.

Here are four tips to help you assess the SCA regulations and turn them from a potential conversion killer into a conversion optimizer for your business.


1. Know the scope of SCA
2. Understand exemptions
3. Develop an exemption strategy
4. Leverage your investment in fraud detection

1. Know the scope of SCA

Identifying your out-of-scope transactions is paramount. We’ve written extensively about SCA requirements under PSD2. In a nutshell, a number of remote transaction types do not require SCA at all.

According to estimates from card scheme Visa in a recent webinar, around 45% of all card-not-present transactions are out of scope for SCA. This means that your customer’s card issuer will not request a step-up or second authentication factor – something only the customer knows, has or is – when they check out online.

The four main out-of-scope transaction types are: 

  • Mail order/telephone order transactions
  • One leg out transactions—where the issuer, the acquirer or both are located outside the EEA. SCA should be applied on a best-effort basis, but because these requests are out of scope, issuers must not decline them for lack of authentication.
  • Transactions processed with anonymous prepaid cards 
  • Merchant-initiated transactions or MITs—a large group comprising instalment payments, recurring transactions, delayed charges, no-show transactions, reauthorizations and others. Importantly, SCA is still required for the initial transaction in which the customer agrees to the terms of the subsequent MITs; only the follow-on payments are out of scope.

Other out-of-scope transactions include those crediting customers rather than debiting their cards or accounts. These include original credit transfers (e.g. insurance pay-outs or payment of winnings in the gambling sector), refunds and account verification transactions, also known as zero-value transactions, which check that an account is open and valid without charging it.

Issuers in certain countries will start to ‘soft decline’ between now and the end of the year. A soft decline is not a refusal to pay: the issuer declines an authorization request that was incorrectly flagged as out of scope with a response indicating that authentication is required, and expects you to retry the payment through 3DS2. Time is of the essence.

2. Understand exemptions

Not every in-scope transaction has to be authenticated either. PSD2 defines a set of exemptions, and the recommendation is to process every transaction that falls under PSD2 through 3DS2, flagging the exemption you are claiming so the issuer can decide whether to apply it.

Merchants are advised to work with their acquirers on using the exemptions that fit their circumstances. Keep in mind that issuers always have the final say on applying exemptions (and not asking for SCA). There are things that only they can know or do. For example, knowing whether a customer has reached the five-transaction or €100 cumulative limit for a low-value exemption, or maintaining a list of trusted beneficiaries for their customers.

The main exemptions for those selling online are:

  • Transaction Risk Analysis (TRA)—available when the transaction value is within the cap that the acquirer’s reference fraud rate allows: under the regulatory technical standards, a fraud rate at or below 0.13% permits exemptions up to €100, 0.06% up to €250 and 0.01% up to €500. The acquirer, not the merchant, must meet the threshold.
  • Low value transactions—remote payments of €30 or less, up to a maximum of five transactions or a cumulative €100 since the customer last completed SCA.
  • Trusted beneficiaries—when customers add merchants to a list of trusted beneficiaries held by their issuer. This is useful if customers often shop with particular merchants. SCA is required for the initial transaction to enable the exemption for subsequent ones.
  • Secure corporate payments—those initiated through secure corporate systems and processes, such as centralized travel management systems, lodge and virtual cards.

3. Develop an exemption strategy

Develop an exemption strategy tailored to your business and customers. This defines the route a transaction takes to maximize chances of a frictionless flow and approval by the issuer.

For example, if a transaction is low risk and within your own risk appetite, you may want to request the TRA exemption and use the 3DS2 frictionless flow purely to share data with the issuer. Done consistently, this builds issuer trust and lifts approval rates. Bear in mind, though, that when you claim an exemption the fraud liability stays with you rather than shifting to the issuer.

However, considering what you sell, to whom, how and where, you may decide that you always want to benefit from the 3DS liability shift, and leave exemptions entirely up to the issuer.

You know what is typical and atypical behavior for your business. You’ve baselined normal, so unusual transactions by value, time of day, device and so on stand out. Finally, you know your own risk appetite: the amount and type of risk your organization is willing to seek, accept and hold in pursuit of your business objectives.

Consider all these factors when devising your exemption strategy, because making SCA a conversion optimizer is really about optimizing the customer experience to drive conversion and boost revenue.

There’s a balance to be struck between minimizing fraud losses and operational costs, optimizing the customer experience and maximizing revenue. No one says this is easy. But the good news is there is no one right way to balance these factors or devise an exemption strategy. Each organization can tailor and tweak their approach depending on their own circumstances for competitive advantage.
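The scope rules in tip 1, the exemptions in tip 2 and the routing choices in tip 3 fit together as a single decision per transaction, and the soft-decline retry described in tip 1 is the feedback loop that corrects a wrong decision. The Python below is an added example written for this article; it is not Checkout.com code and not any 3DS SDK. The `Transaction`, `Policy` and `CardCounters` names, the exemption labels such as `"lowValue"`, and the shape of the issuer-response dictionary are assumptions made for illustration. The €30, five-transaction and €100 limits are those quoted above; the TRA value bands (€100 at a 0.13% reference fraud rate, €250 at 0.06%, €500 at 0.01%) are the regulatory technical standards' figures and are not listed on this page. The card history fed to `simulate` is constructed.

```python
# Added example (not Checkout.com code): a toy SCA router applying the scope rules
# and exemptions from tips 1 to 3, plus soft-decline handling. Field names,
# exemption labels and the issuer-response dict are this example's own assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

LOW_VALUE_MAX, LOW_VALUE_MAX_COUNT, LOW_VALUE_MAX_CUMULATIVE = 30.00, 5, 100.00  # RTS Art. 16, EUR
# TRA value bands from the RTS annex (not listed on the page): an acquirer reference
# fraud rate at or below the first value exempts amounts up to the second.
TRA_BANDS = [(0.0013, 100.00), (0.0006, 250.00), (0.0001, 500.00)]

class Route(Enum):
    NO_AUTH = "out of scope: authorize without 3DS"
    FRICTIONLESS = "3DS2 with exemption flag: fraud liability stays with the merchant"
    CHALLENGE = "3DS2 challenge requested: full SCA, liability shifts to the issuer"

@dataclass
class Transaction:
    amount: float                      # EUR
    moto: bool = False                 # mail order / telephone order
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    anonymous_prepaid: bool = False
    merchant_initiated: bool = False   # follow-on MIT; the initial agreement had SCA
    credit: bool = False               # refund, OCT or zero-value account verification
    trusted_beneficiary: bool = False  # merchant is on the issuer-held trusted list
    secure_corporate: bool = False
    risk_score: float = 0.0            # merchant's own fraud score, 0 (clean) to 1

@dataclass
class Policy:
    acquirer_fraud_rate: float            # 0.0005 means 0.05%
    risk_appetite: float                  # claim exemptions only at or below this score
    always_liability_shift: bool = False  # route everything in scope to a challenge

@dataclass
class CardCounters:
    """Merchant-side estimate of the low-value counters; the issuer's copy is authoritative."""
    count_since_sca: int = 0
    total_since_sca: float = 0.0

def is_out_of_scope(tx: Transaction) -> bool:
    return (tx.moto or tx.anonymous_prepaid or tx.merchant_initiated or tx.credit
            or not (tx.issuer_in_eea and tx.acquirer_in_eea))

def low_value_allowed(amount: float, c: CardCounters) -> bool:
    # The RTS joins the count and cumulative limits with "or"; requiring both is the
    # conservative choice for an estimate the issuer may overrule with a soft decline.
    return (amount <= LOW_VALUE_MAX
            and c.count_since_sca + 1 <= LOW_VALUE_MAX_COUNT
            and c.total_since_sca + amount <= LOW_VALUE_MAX_CUMULATIVE)

def tra_allowed(amount: float, acquirer_fraud_rate: float) -> bool:
    return any(acquirer_fraud_rate <= rate and amount <= cap for rate, cap in TRA_BANDS)

def route(tx: Transaction, policy: Policy, c: CardCounters) -> Tuple[Route, Optional[str]]:
    """Choose the route and the exemption flag (illustrative labels) to send via 3DS2."""
    if is_out_of_scope(tx):
        return Route.NO_AUTH, None
    if policy.always_liability_shift or tx.risk_score > policy.risk_appetite:
        return Route.CHALLENGE, None
    if tx.secure_corporate:
        return Route.FRICTIONLESS, "secureCorporate"
    if tx.trusted_beneficiary:
        return Route.FRICTIONLESS, "trustedBeneficiary"
    if low_value_allowed(tx.amount, c):
        return Route.FRICTIONLESS, "lowValue"
    if tra_allowed(tx.amount, policy.acquirer_fraud_rate):
        return Route.FRICTIONLESS, "transactionRiskAnalysis"
    return Route.CHALLENGE, None  # nothing fits: authenticate and keep the liability shift

def record_approval(r: Route, amount: float, c: CardCounters) -> None:
    """After an approval: a completed SCA resets the counters, exempted payments add up."""
    if r is Route.CHALLENGE:
        c.count_since_sca, c.total_since_sca = 0, 0.0
    elif r is Route.FRICTIONLESS:
        c.count_since_sca += 1
        c.total_since_sca += amount

def next_step(r: Route, issuer_response: dict) -> str:
    """A soft decline means 'authenticate and retry', not a lost sale."""
    if issuer_response.get("approved"):
        return "capture"
    if issuer_response.get("soft_decline") and r is not Route.CHALLENGE:
        return "retry: 3DS2 challenge, no exemption flag"
    return "hard decline"

def simulate(amounts: List[float], policy: Policy) -> List[str]:
    """Run one card through a constructed series of in-scope purchases, assuming the
    issuer approves each, and return the exemption or route used for every one."""
    c, taken = CardCounters(), []
    for amount in amounts:
        r, exemption = route(Transaction(amount=amount), policy, c)
        taken.append(exemption or r.name)
        record_approval(r, amount, c)
    return taken
```

Calling `simulate([25, 25, 25, 25, 25, 25, 200, 300, 25], Policy(0.0005, 0.5))` walks one card through its low-value allowance, falls back to TRA once the €100 cumulative limit is reached, escalates to a challenge when €300 exceeds what a 0.05% fraud rate permits, and then starts the low-value count again because the challenge was a completed SCA. Whatever the router decides, `next_step` treats an issuer soft decline as an instruction to retry with a challenge rather than as a lost sale, and never loops if a challenge was already performed.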

4. Leverage your investment in fraud detection

Minimizing fraud maximizes your chances to use exemptions. In short, this involves determining a fraud strategy that reflects your business model. 

You’ve probably invested heavily in fraud detection and risk management tools over the years. The 3DS2 protocol gives you the scope to leverage that investment. 

You know your business and customers best. You know what genuine customer behavior on your site looks like so fraudulent behavior stands out. And now you can share that knowledge with card issuers. 

You can pass more than ten times as much data in a 3DS2 authentication request as in an original 3DS request, including device and transaction type, amount, shipping address and much more. The protocol defines more than 100 data elements that can travel with the authentication message, most of which issuers would otherwise never see. We help you get access to additional authentication data when you make a request.

With enhanced data, issuers can better assess their risk, which in turn boosts the chance of friction-free authentication. With a risk-based approach, only the higher risk purchases are pulled out for extra authentication; the overwhelming majority of sales can proceed without a challenge, because the issuer judges them low risk.

It’s in the interest of everyone: you, the issuer and your mutual customer to minimize fraud, and that SCA is used only when required. The updated 3DS protocol helps create a virtuous circle in this regard.

A good front-end fraud prevention strategy already collects this data, and it can be passed to issuers. That helps them build better risk models that minimize both fraud and false positives, which leads to a better customer experience and potentially better conversion, bigger basket sizes and more repeat custom.

Issuers will soon start ‘soft declining’ transactions as they prepare for the SCA payment regulations deadline, so it’s worth acting now.

Read our docs for more information on 3DS2 and SCA. Existing customers can contact your Customer Success Manager. 


Written on Jul 21, 2020 by

Milena Shishkova

Senior Product Lead
