New rules for Strong Customer Authentication (SCA) came into effect in most European countries during 2021. Part of this mandate has been to use 3DS to authenticate payments. Since the first version of this technology was created, there have been continuous improvements that have started to align security concerns with those of customer friction.
The major schemes have announced that, in October 2022, issuers and acquirers will be required to support the enhanced standard for securing online payments (EMV 3DS 2.2) in Europe. Businesses that want to stay ahead of the curve should start considering now how it will impact their SCA strategy.
How will the new standard allow businesses to secure more successful sales, with fewer declines and disputed payments? We explain the background to strong customer authentication and why the new, enhanced 3DS 2.2 version of the standard is a game-changer.
Authentication is the process of confirming whether someone is who they say they are. There are different ways to do this for remote shopping or banking transactions.
Typically, authentication factors rely on:
To increase the security of remote payments, the revised Payment Services Directive (PSD2) in Europe requires two or more factors for so-called strong customer authentication (SCA).
Since 31 December 2020, all electronic transactions processed in the European Economic Area (EEA) have been subject to SCA with only a few exceptions set out below. The UK has an SCA enforcement date of 14 March 2022 with UK banks already starting to soft-decline non-SCA compliant transactions.
Changes in lifestyle, shopping habits and technology are driving more and more remote sales. As such, the 3DS standard, originally released in the late 1990s, has understandably evolved to keep up. 3DS 2.1 extended the standard to mobile payments and alternative authentication methods, and collects ten times more data to give a more accurate risk analysis.
The technology has evolved again with EMV 3DS 2.2, which now supports a more seamless checkout experience, as well as more intelligent risk-based decisioning and exemption handling.
EMV 3DS 2.2 is the new, enhanced version of the existing 3DS standard, owned by EMVCo, the global technical body for secure payment transactions.
By connecting the issuer, acquirer and card scheme (the three domains in the 3 Domain Secure protocol), 3DS gives consumers a way to directly authenticate themselves with their card issuer when shopping online. This additional layer of security helps prevent unauthorized use of cards and protects ecommerce businesses from exposure to certain types of disputed transactions.
Firstly, the new specification is optimized for many more types of devices – mobile, PC, consoles and even digital television – as well as for in-app payment. So, say goodbye to clunky pop-up windows, particularly on the smaller screen of a mobile device, and hello to a more frictionless checkout flow.
Secondly, it’s now possible for merchants to pass more than 100 data elements to card issuers for more intelligent risk scoring. That’s up from the eight data points typically exchanged as part of a 3DS 1.0 authentication. This improves risk-based authentication, meaning that checkout is friction-free for most low-risk transactions from trusted customers.
CKO Explains: Hard declines vs Soft declines
Hard declines happen when the customer’s issuer rejects the payment. Examples include when the card is expired or reported as stolen. Hard declines are permanent, so the payment should not be retried.
Soft declines account for 80-90% of all declines. Usually, they occur when the issuer wants to authenticate their cardholder before authorizing payment.
All electronic transactions require SCA unless the transaction is out of scope or there’s an exemption applied.
The main out-of-scope scenarios for remote transactions include:
The four main exemptions to the SCA requirement for those selling online are:
To reiterate: SCA is not required for transactions that are out of scope or exempt. But these transactions must be correctly flagged in the authorization message to reduce the chance of issuers soft declining them.
3DS 2.2 supports this frictionless flow, so businesses accepting online payments are advised to work with their acquirers to develop an exemption strategy that fits their circumstances.
Also, keep in mind that issuers have the final say about whether to apply SCA. There are things that only they can know or do, such as understanding the customer's typical spending patterns or knowing which merchants are listed as trusted beneficiaries.
If issuers are suspicious about a transaction, they can always request a step-up or challenge authentication via 3DS, even if it’s been flagged as out of scope or exempt from SCA.
To turn SCA regulations into a competitive advantage by:
Similarly, assess the impact of SCA on customer journeys and processes to maximize the use of exemptions for a frictionless checkout flow. If you’re uncertain whether any of your use cases qualify for exemptions, please contact our payment experts.
Lastly, determine a fraud strategy that reflects your business model. You’ve probably invested heavily in fraud detection and risk management tools over the years. 3DS 2.2 enables your business to leverage that investment.
There’s a balance to be struck between minimizing fraud losses and operational costs, optimizing the customer experience and maximizing revenue. No one says this is easy. But the good news is there is no one right way to balance these factors or devise an exemption strategy. Each business can tailor and tweak their approach depending on their own circumstances for competitive advantage.