On September 14, 2019, Strong Customer Authentication (SCA) went into effect across Europe as a part of the PSD2 regulation that aims to make electronic payments more secure by adding extra layers of authentication. While the European Banking Authority (EBA) issued a push back on the rollout schedule to next year, acknowledging adoption and implementation complexities, it’s important for businesses to start preparing now.
So what is the impact on U.S. businesses?
While the regulation has been a hot topic in the European payments industry in the last couple of years, it will soon impact North America and Latin America as issuers aim to standardize security measures across the globe.
Perhaps the biggest and most immediate impact on U.S. merchants will be the predicted uptick in fraud incidents. Once SCA is implemented in Europe, fraudsters may be inclined to target businesses outside the European Economic Area (EEA), including those in the U.S. For example, once the regulation is fully enforced in Europe, fraudsters can no longer test cards on European merchants, leaving U.S. companies vulnerable to test cases and fraud attacks.
As it relates to American businesses, the Strong Customer Authentication (SCA) mandate applies to merchants doing business in the EEA. For now, SCA mandates are relevant to U.S. merchants that meet the following criteria:
- U.S. entity only but receiving EU traffic and customers
If a good portion of traffic is coming from Europe, merchants may want to consider setting up an EU entity. Setting up domestic processing with a provider like Checkout.com will minimize cross border costs and will ensure automatic SCA-compliance in Europe – saving costs and boosting authorization rates.
- U.S. business looking to expand into the EU
Thinking about expanding into the European market? Businesses will need to comply with PSD2 regulations and SCA. This will require building a different user flow from the U.S. flow. This makes it critical to put into place transition plans and find the right partners to account for design and user flow testing.
- U.S. headquartered but have entity(ies) in the EU
In this scenario, a company’s European entities must be SCA compliant. If transactions are not SCA ready, businesses may begin to see declines in authorization rates and may already be at risk of declined payments from the issuers. For enterprise merchants, dedicated payments team should be working with a provider that is fully compliant with turnkey solutions like Checkout.com’s Unified Payments API. As an added bonus, using Checkout.com’s API will help minimize integration work down the road as SCA mandates roll out into other regions including Asia and Latin America next year, saving merchants additional resources and time if they operate or are planning to open entities in those regions.
3DS Adoption in the U.S.
While 3D secure authentication measures have existed in the U.S. since 2001, adoption rates were exceptionally low for several reasons. It was not user-friendly and did not adequately predict the proliferation of mobile usage or the popularity of ecommerce, making it ineffective in protecting today’s consumers. For context, 3DS1 was developed before the first iPhone was launched in 2007 – by 2017, only 18% of US-based transactions leveraged 3DS.
One major attraction of 3DS2 is the liability shift for fraudulent chargebacks to card issuers. Each card scheme will have their own set of “rules” so be sure to check with your acquiring bank on where and how liability shift will be applied.
What happens if a merchant is not ready?
Schemes are tentatively scheduled to roll out full authentication protocols in Eastern Europe, Asia Pacific, the Middle East early 2020 and in the U.S. by mid-2020. This means all businesses in the U.S. will have to be SCA ready in order to successfully process electronic payments in those regions as well as for their domestic customers.
While the deadline for SCA compliance was September 14, recent changes in the guidance provided by the European Banking Authority (EBA) suggested an 18-month ‘soft-enforcement’ period across all EEA countries, with a few exceptions. Given that not all EEA issuers are not fully ready to apply SCA or use an SCA-compliant solution, merchants should rely on 3DS1 until issuers actively use 3DS2, when possible. While a 3DS2 Attempt response is technically correct, it can give false merchant fraud liability protection and this causes issuers to decline 3DS2 Attempt transactions in the authorization flow.
While the U.S. is not scheduled for SCA enforcement until next year, businesses need to be prepared since issuer enforcement will be on individual timelines – in short, merchants should aim to be ready as early as possible, ideally before the issuers are, in order to ensure uninterrupted service. Interruptions in service could include declined payments, abandoned transactions, and downgrades if your checkout flow is not compliant with the new regulation. By preparing your flow appropriately for all operating regions, customers will have a smooth checkout experience wherever they are, thus mitigating lost sales while also minimizing the risk of decreased authorization rates.
Setting up for success
U.S. businesses should take full advantage of this lead time with research and implementation plans. One major item is to ensure that your payment service provider is SCA-compliant and has proper 3DS2 tools already in place. Checkout.com’s 3DS2 hosted solution complies with these regulations and is designed for easy set up for both US-based business and its European operations.
Merchants can also take advantage of Checkout.com’s Sandbox environment which offers a sophisticated platform simulation to test any 3DS2 authentication and related payment scenarios.
By understanding the requirements early, merchants will also be better prepared to apply and identify as many SCA exemptions as possible like low-value, low-risk, and trusted beneficiaries. By applying exemptions, businesses will benefit with higher approval rates and can preserve the user experience by reducing unnecessary stoppage points.
Checkout.com’s Unified Payments API tool also gives merchants a way to future-proof their payment infrastructure by facilitating the addition of more alternative payment methods to their checkout – without any additional development or integration work. With SCA-compliance already built into the API, merchants will automatically be ready once the regulation is fully enforced.
To get set up with Checkout.com’s Unified Payments API or to learn more about our 3DS2 hosted solution get in touch with our sales team today.