When should merchants prepare for soft declines with SCA?
There are many reasons why a payment fails. One is the failure of the payer to authenticate their identity. This falls into the category known as ‘soft declines.’
Soft declines are considered temporary. In other words, the merchant can attempt the transaction again by submitting it through additional authentication protocols — like 3DS2 for card payments, which we discuss in this article — to obtain a positive authorization and process the payment successfully. A hard decline may still occur though for numerous reasons, such as stop payment orders or due to the card being reported lost or stolen.
Find out more about Checkout.com's authentication solution.
Soft declines v hard declines
- Hard declines happen when the customer’s card-issuing bank rejects the payment. Examples include attempting to use a card that has been reported as stolen or lost, or the card has expired. Hard declines are permanent, so the payment should not be retried.
- Soft declines are temporary authorization failures. Around 80% to 90% of all declines fall into this category. They occur for a host of reasons including the need to authenticate the cardholder further because the purchase is unusual or there are issues with the technical infrastructures processing the payment. Soft declines are temporary, meaning merchants can process the transaction again meeting the requirements that led to the decline the first time around.
Learn more about the response codes you might see for hard and soft declines.
SCA and soft declines
Soft declines can be bad news for merchants. As we learned in our ‘Black Boxes and Paradoxes’ research report, the cost of false declines — a large number of which are soft declines — cost merchants in the UK, US, France and Germany as much as $20.3 billion a year. Of that, $7.6 billion was entirely written off. And all this after the merchant has sunk the marketing costs of nurturing the shopper to the point of purchase.
What’s worse many consumers who encounter false declines never return to that retailer again. And of that $20.3 billion merchants lost to false declines, $12.7 billion gets picked up by competitors.
With the arrival of Strong Customer Authentication (SCA) in the European Economic Area (EEA), there have been more stringent checks on a payer’s identity. As a result, there is a real risk consumers will encounter more soft declines when shopping online, especially for those transactions that require additional information from the payer. Merchants can limit the impact of soft declines on their business, however, by building the right fraud strategy for their unique business needs.
While some in the industry are fearful that 3DS2 will drive more consumer friction, we believe otherwise. 3DS2 is designed to the pain points created by the existing 3DS protocol and enable what we call a ‘frictionless flow’.
And merchants will be able to learn where soft declines are occurring, build robust SCA exception rules and optimize their payment flow to deliver a seamless but secure customer experience.
Check out our article on how to make SCA regulations work for your business to learn more.
Preparing for SCA, country by country
Time is running out for merchants, however. SCA is an EU regulation overseen by the European Banking Authority (EBA). But compliance with SCA is the responsibility of individual national regulators across the 30 countries it applies to (the 27 EU member states including the UK, plus the three members of the European Free Trade Association (EFTA) — Iceland, Liechtenstein and Norway.)
The EBA has given regulators until 31 December 2020 to implement SCA. (In the UK, the FCA has extended this to 14 March 2022.) But this is a deadline, not a start date. There is no uniform program for how implementation should proceed. Different countries are following slightly different timetables. Indeed, some regulators have been ramping up the application of SCA rules since the original deadline of September 2019.
So it’s important for merchants to understand the schedule for SCA adoption — and the likelihood of authentication-related soft declines — in each country they have customers.
SCA deadlines by country
Correct as of May 2021
Country | Regulator | SCA Deadline | Additional Information |
---|---|---|---|
Austria | FCA |
31 December 2020 |
- From 15 January, 2021, soft declines applied on transactions above €250 - From 1 February, 2021, soft declines apply on transactions above €150 - From 15 March, 2021, issuers will apply soft declines for all non-compliant transactions. |
Belgium | National Bank of Belgium |
31 December 2020 |
Soft declines for non-compliant transactions above €1,500 have been in place since 19 January 2021. This will be gradually lowered to all transactions by 18 March 2021. - From 23 February, 2021, soft declines apply on transactions above €500 - From 23 March, 2021, soft declines apply on transactions above €250 - From 19 April, 2021, soft declines apply on transactions above €100 - And from 18 May, 2021, on all transactions For more information |
Cyprus | Central Bank of Cyprus |
31 December 2020* |
For more information |
Denmark | FinantilSysNet |
11 January 2021 |
FinantilSysNet will publish a detailed plan including operational milestones For more information |
Finland | FIN-FSA |
31 December 2020 |
Some soft declines are already being actioned For more information |
France | Bank of
France |
31 December 2020 |
Prior to 31 March 2021, soft declines will be applied in a phased approach, as follows: - September to December 2020: soft declines applied to non-3D Secure transactions of more than €2000 - From 5 January, 2021: applied to non-secure transactions of €1000 and above - From from mid-February, 2021: applied to non-secure transactions of €500 and above - From 15 March: applied to non-secure transactions of €250 and above - From 15 April: applied to non-secure transactions of €100 and above - From 15 May: applied to all non-secure transactions |
Germany | BaFin |
31 December 2020 |
- From 15 January, 2021: Soft decline of transactions more than €250 - From 15 February, 2021: Soft decline of transactions more than €150 - From 15 March, 2021: Soft decline of all transactions |
Greece | Bank of Greece |
31 December 2020 |
For more information |
Hungary | MNB |
31 December, 2020 |
For more information |
Ireland | Central Bank of Ireland |
Full implementation on or before 1 July, 2021 |
- 1 March, 2021 to 31 March, 2021: Apply soft declines to all direct to authorisation transactions above €750 - 1 April, 2021 to 30 April, 2021: Apply soft declines to all direct to authorisation transactions above €500 - 1st May, 2021 to 31 May, 2021: Apply soft declines to all direct to authorisation transactions above €250 - 1st June, 2021 – 30 June, 2021: Apply soft declines to all direct to authorisation transactions above €150 - Full implementation on or before 1 July, 2021 For more information |
Italy | Banca D’Italia |
31 December 2020* |
The Bank of Italy 3-month ramp-up plan is based on the following milestones: - 1 January, 2021: SCA to be enforced for transactions above €1,000 - 1 February, 2021: SCA to be enforced for transactions above €500 - 1 March, 2021: SCA to be enforced for transactions above €100 - 1 April, 2021: SCA to be enforced for all transactions |
Lithuania | Lietuvos Bankas |
31 December 2020* |
- 1 January, 2021: SCA to be enforced for transactions above €500 - 1 February, 2021: SCA to be enforced for transactions above €250 - 1 March, 2021: SCA to be enforced for transactions above €100 - 1 April, 2021: SCA to be enforced for all transactions |
Luxembourg | CSSF (Surveillance Commission of the Finance Sector) |
31 December 2020* |
For more information |
Malta | Central Bank of Malta |
31 December 2020 |
For more information |
The Netherlands | DNB |
31 December 2020 |
For more information |
Norway | Finanstilsynet |
31 December 2020 |
Parties must actively request this deadline with Finanstilsynet For more information |
Poland | KNF |
31 December 2020* |
For more information |
Portugal | Banco De Portugal |
31 December 2020 |
For more information |
Slovenia | Banka Slovenije |
31 December 2020 |
For more information |
Spain | Banco de España |
31 December 2020 |
A phased roll out of soft declines will precede the deadline 15 January, 2021: SCA to be enforced for transactions above €250 1 February, 2021: SCA to be enforced for transactions above €30 1 March, 2021: SCA to be enforced for all transactions |
Sweden | Finansinspektionen |
14 September 2019 |
Unlike most other countries, Sweden has enforced the original SCA deadline, and extensions are only being granted on a request-by-request basis For more information |
United Kingdom | FCA |
14 March 2022 |
*Pending the submission of a detailed migration plan to the regulator.
** The following countries have not stated whether they will apply SCA prior to December 31 2020; and if so when and how: Bulgaria, Croatia, Czech Republic, Estonia, Latvia, Liechtenstein, Romania, Slovakia
All information correct as of February 2021
Take control of your own compliance with 3DS2
Rather than keeping up with each national regulator, merchants should lead the way. Those that set their own timetable for SCA will win on two fronts. Firstly, presuming that the timetable is ambitious in both speed and coverage, merchants do not need to worry about how SCA and soft declines are being employed country by country.
Secondly, by offering their customers a more secure and consistent payment experience, merchants turn SCA from a compliance burden into a competitive advantage. The earlier they can do this, the more they will mitigate the risk from soft declines and improve their payment acceptance rates.
Adopting 3DS2 is the way to achieve this. 3DS2 enables SCA compliance by leveraging the exchange of over 100 data points between the merchant and the payer’s card issuer. This ‘risk-based authentication’ allows the card issuer to authenticate the payer without the need for additional information. If the data is insufficient for the card issuer to take a risk-based decision, a second factor of authentication, including one-time passwords (OTP), biometric authentication such as fingerprints or facial recognition, or a QR code for mobile applications can be invoked via 3DS2 to further assess that the transaction is genuine.