
How to make the new SCA regulations work for your business

Regulation is the archetypal external risk, which makes it more difficult to influence and thus to control. The revised Payment Services Directive (PSD2) is a case in point.

The rules around strong customer authentication (SCA) for electronic payments are coming into force at the end of this year for payments processed in the European Economic Area (EEA) — except for the UK which will enforce from Sept 14, 2021.

However, in countries where the local regulator has introduced deadlines for full compliance, you may start to see soft declines from issuers. The likelihood and degree to which your organization is affected will depend on how well you have prepared.

Here are four tips to help you assess the SCA regulations and turn them from a potential conversion killer into a conversion optimizer without disruption for your business.

1. Know the scope of Strong Customer Authentication regulations
2. Understand exemptions
3. Develop an exemption strategy
4. Leverage your investment in fraud detection

1. Know the scope of Strong Customer Authentication regulations

Identifying your out of scope transactions is paramount. We’ve written extensively about the requirements under the PSD2. In a nutshell, a number of remote transaction types do not require SCA implementation. 

According to estimates from card scheme Visa in a recent webinar, around 45% of all card-not-present transactions are out of scope. This means that your customer’s card issuer will not request a step-up or second authentication factor – something only the customer knows, has or is – when they check out online.

The four main out-of-scope transaction types are: 

  • Mail order/telephone order transactions
  • One leg out transactions—where the regulated entities (either the cardholder’s issuer, the acquirer or both) are outside the EEA. Authentication should be applied on a best-effort basis, but issuers must not decline one leg out authorization requests if they are out of scope.
  • Transactions processed with anonymous prepaid cards 
  • Merchant-initiated transactions or MITs—a large group comprising instalment payments, recurring transactions, delayed charges, no-show transactions, reauthorizations and others. Importantly, SCA is still required on the initial transaction, when the customer agrees to the terms for the subsequent MITs.

Other out of scope transactions include those crediting customers, rather than debiting their cards or accounts. These include original credit transfers (e.g. insurance pay-outs or payment of winnings in the gambling sector), refunds and account verification transactions, also known as zero-value transactions which check the status of an account.

Issuers in certain countries will start to ‘soft decline’, which is to ask for authentication — like passwords, fingerprints and other biometrics — on incorrectly flagged out of scope authorization requests between now and the end of the year. Time is of the essence. 

2. Understand exemptions

Not every in-scope transaction requires strong customer authentication. The recommendation is that every transaction that falls under PSD2 is processed through 3DS2, with an exemption requested where one applies.

Businesses accepting online payments are advised to work with their acquirers on using the exemptions that fit their circumstances. Keep in mind that issuers always have the final say on applying exemptions. There are things that only they can know or do. For example, knowing whether a customer has reached the five-transaction or €100 cumulative limit for a low-value exemption, or maintaining a list of trusted beneficiaries for their customers.

The main exemptions for those selling online are:

  • Transaction Risk Analysis (TRA)—this depends on the transaction value and fraud rate of the acquirer.
  • Low value transactions—remote payments less than €30 up to a maximum of five transactions or a cumulative limit of €100.
  • Trusted beneficiaries—when customers add merchants to a list of trusted beneficiaries held by their issuer. This is useful if customers often shop with particular merchants. SCA is required on the initial transaction to enable the exemption for subsequent ones.
  • Secure corporate payments—those initiated through secure corporate systems and processes, such as centralized travel management systems, lodge and virtual cards.

3. Develop an exemption strategy

Develop an exemption strategy tailored to your business and customers. This defines the route a transaction takes to maximize chances of a frictionless flow and approval by the issuer.

For example, if a transaction is low risk and within your own risk appetite, you may want to signal to the issuer that you have performed Transaction Risk Analysis (TRA) and share the supporting data via the 3DS2 frictionless flow. This will ensure overall higher issuer trust and approval rate.

However, considering what you sell, to whom, how and where, you may decide that you always want to benefit from the 3DS liability shift, and leave exemptions entirely up to the issuer.

You know what is typical and atypical behavior for your business. You’ve baselined normal so unusual transactions by value, time of day, device and so on stand out. Finally, you know your own risk appetite – the amount and type of risk your organization is willing to seek, accept and hold in pursuit of your business objectives. 

Consider all these factors when devising your exemption strategy, because making SCA compliance a conversion optimizer is really about optimizing the customer experience to drive conversion and boost revenue.

There’s a balance to be struck between minimizing fraud losses and operational costs, optimizing the customer experience and maximizing revenue. No one says this is easy. But the good news is there is no one right way to balance these factors or devise an exemption strategy. Each organization can tailor and tweak their approach depending on their own circumstances for competitive advantage.
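To make the scope rules in tip 1, the exemptions in tip 2 and the routing decision in tip 3 concrete, here is an added example of an exemption-routing function in Python. It is not code from the article or from any payment provider. It applies the article's own rules (MOTO, one-leg-out, anonymous prepaid, MIT and credit transactions out of scope; low-value limits of €30, five transactions and €100 cumulative; TRA, trusted beneficiary and secure corporate exemptions) and lets a merchant policy choose between the frictionless flow and always taking the liability shift. Everything else is an assumption made for the example: the field names, the 0-to-1 risk score scale, the precedence order in which exemptions are tried, the treatment of the current amount as counting towards the €100 cumulative limit, and the fact that the issuer's per-card counters are modelled locally (in reality only the issuer holds them, which is why the issuer has the final say).

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Limits stated in the article for the low-value exemption.
LOW_VALUE_MAX_EUR = 30.0
LOW_VALUE_MAX_COUNT = 5
LOW_VALUE_MAX_CUMULATIVE_EUR = 100.0


class Route(Enum):
    OUT_OF_SCOPE = "out_of_scope"                # authorise directly; no SCA expected
    EXEMPTION_TRA = "exemption:tra"              # 3DS2 frictionless flow with TRA flag
    EXEMPTION_LOW_VALUE = "exemption:low_value"
    EXEMPTION_TRUSTED = "exemption:trusted_beneficiary"
    EXEMPTION_CORPORATE = "exemption:secure_corporate"
    REQUEST_SCA = "request_sca"                  # 3DS2 challenge; liability shifts to issuer


@dataclass
class Transaction:
    amount_eur: float
    channel: str                        # "ecom" or "moto" (hypothetical labels)
    issuer_in_eea: bool
    acquirer_in_eea: bool
    anonymous_prepaid: bool = False
    merchant_initiated: bool = False    # a subsequent MIT; the initial agreement needs SCA
    is_credit: bool = False             # refund, original credit transfer or zero-value check
    secure_corporate: bool = False
    trusted_beneficiary: bool = False   # merchant is on the cardholder's issuer-held list
    risk_score: float = 0.0             # merchant's own fraud score, 0 clean .. 1 (constructed scale)


@dataclass
class IssuerCounters:
    """Per-card counters that only the issuer really holds (modelled here as an assumption)."""
    low_value_count: int = 0
    low_value_cumulative_eur: float = 0.0


@dataclass
class Strategy:
    acquirer_tra_eligible: bool         # whether the acquirer's fraud rate permits TRA
    tra_risk_threshold: float           # merchant risk appetite on the same 0..1 scale
    always_request_sca: bool = False    # prefer the liability shift over frictionless flow


def out_of_scope_reason(tx: Transaction) -> Optional[str]:
    """Return the out-of-scope category from tip 1, or None if SCA applies."""
    if tx.channel == "moto":
        return "moto"
    if not (tx.issuer_in_eea and tx.acquirer_in_eea):
        return "one_leg_out"            # best-effort authentication; issuer must not decline
    if tx.anonymous_prepaid:
        return "anonymous_prepaid"
    if tx.merchant_initiated:
        return "merchant_initiated"
    if tx.is_credit:
        return "credit_to_customer"
    return None


def low_value_exemption_available(tx: Transaction, counters: IssuerCounters) -> bool:
    """Below €30, fewer than five such payments so far, and cumulative spend within €100."""
    return (
        tx.amount_eur < LOW_VALUE_MAX_EUR
        and counters.low_value_count < LOW_VALUE_MAX_COUNT
        and counters.low_value_cumulative_eur + tx.amount_eur <= LOW_VALUE_MAX_CUMULATIVE_EUR
    )


def route(tx: Transaction, strategy: Strategy,
          counters: Optional[IssuerCounters] = None) -> tuple[Route, str]:
    """Pick the route to request; the issuer still decides whether to grant an exemption."""
    reason = out_of_scope_reason(tx)
    if reason is not None:
        return Route.OUT_OF_SCOPE, reason
    if strategy.always_request_sca:
        return Route.REQUEST_SCA, "merchant policy: take the 3DS liability shift"
    if tx.secure_corporate:
        return Route.EXEMPTION_CORPORATE, "secure corporate payment"
    if tx.trusted_beneficiary:
        return Route.EXEMPTION_TRUSTED, "merchant trusted by the issuer"
    if strategy.acquirer_tra_eligible and tx.risk_score <= strategy.tra_risk_threshold:
        return Route.EXEMPTION_TRA, f"risk {tx.risk_score:.2f} within appetite"
    if counters is not None and low_value_exemption_available(tx, counters):
        return Route.EXEMPTION_LOW_VALUE, "under €30 and within issuer counters"
    return Route.REQUEST_SCA, "no exemption fits; request a challenge"


if __name__ == "__main__":
    # Constructed sample transactions, not real traffic.
    strategy = Strategy(acquirer_tra_eligible=True, tra_risk_threshold=0.2)
    fresh, exhausted = IssuerCounters(), IssuerCounters(low_value_count=5, low_value_cumulative_eur=90.0)
    for tx, ctr in [
        (Transaction(250.0, "moto", True, True), fresh),
        (Transaction(80.0, "ecom", True, False), fresh),
        (Transaction(45.0, "ecom", True, True, risk_score=0.05), fresh),
        (Transaction(20.0, "ecom", True, True, risk_score=0.6), fresh),
        (Transaction(20.0, "ecom", True, True, risk_score=0.6), exhausted),
    ]:
        print(f"{tx.amount_eur:>6.2f} {tx.channel:<5} -> {route(tx, strategy, ctr)}")
```

The order in which exemptions are tried is a policy choice, not a rule from the article; a merchant who prefers the liability shift simply sets `always_request_sca=True` and lets the issuer apply exemptions on its side.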


4. Leverage your investment in fraud detection

Reducing fraud maximizes your chances to use exemptions. In short, this involves determining a fraud strategy that reflects your business model.

You’ve probably invested heavily in fraud detection and risk management tools over the years. The 3DS2 protocol gives you the scope to leverage that investment. 

You know your business and customers best. You know what genuine customer behavior on your site looks like so fraudulent behavior stands out. And now you can share that knowledge with card issuers. 

You can pass more than ten times the data with a 3DS2 authentication request than with a 3DS request. This includes device and transaction type, amount, shipping address and much more. There are more than 100 data elements, which we can pass with the transaction message, that issuers would not otherwise see. We help you get access to additional authentication data when you make a request. 

With enhanced data, issuers can better assess their risk, which in turn boosts the chance of friction-free authentication. With a risk-based approach, only the higher risk purchases are pulled out for extra authentication. The overwhelming majority of sales can proceed without authentication, as they are not high risk.  

It’s in the interest of everyone: you, the issuer and your mutual customer to minimize fraud, and that authentication is used only when required. The updated 3DS protocol helps create a virtuous circle in this regard.

An ecommerce business with a good front-end fraud prevention strategy already collects data that can be passed to issuers. This helps build better risk algorithms to minimize both fraud and false positives when customers make payments, which leads to a better customer experience and potentially better conversion, bigger basket sizes and more repeat custom.

Issuers will soon start ‘soft declining’ transactions as they prepare for the payment regulations deadline, so it’s worth acting now.

Read our docs for more information on how your payment service provider can help you. Existing customers can contact your Customer Success Manager and prepare for the deadline.