When should merchants prepare for soft declines with SCA?

There are many reasons why a payment fails. One is the failure of the payer to authenticate their identity. This falls into the category known as ‘soft declines.’

Soft declines are considered temporary. In other words, the merchant can attempt the transaction again by submitting it through additional authentication protocols — like 3DS2 for card payments, which we discuss in this article — to obtain a positive authorization and process the payment successfully. A hard decline may still occur though for numerous reasons, such as stop payment orders or due to the card being reported lost or stolen.

Find out more about Checkout.com's authentication solution.

Soft declines v hard declines

• Hard declines happen when the customer’s card-issuing bank rejects the payment. Examples include attempting to use a card that has been reported as stolen or lost, or the card has expired. Hard declines are permanent, so the payment should not be retried.
• Soft declines are temporary authorization failures. Around 80% to 90% of all declines fall into this category. They occur for a host of reasons including the need to authenticate the cardholder further because the purchase is unusual or there are issues with the technical infrastructures processing the payment. Soft declines are temporary, meaning merchants can process the transaction again meeting the requirements that led to the decline the first time around.

Learn more about the response codes you might see for hard and soft declines.

SCA and soft declines

Soft declines can be bad news for merchants. As we learned in our ‘Black Boxes and Paradoxes’ research report, the cost of false declines — a large number of which are soft declines — cost merchants in the UK, US, France and Germany as much as $20.3 billion a year. Of that, $7.6 billion was entirely written off. And all this after the merchant has sunk the marketing costs of nurturing the shopper to the point of purchase.

What’s worse many consumers who encounter false declines never return to that retailer again. And of that $20.3 billion merchants lost to false declines, $12.7 billion gets picked up by competitors.

With the arrival of Strong Customer Authentication (SCA) in the European Economic Area (EEA), there have been more stringent checks on a payer’s identity. As a result, there is a real risk consumers will encounter more soft declines when shopping online, especially for those transactions that require additional information from the payer. Merchants can limit the impact of soft declines on their business, however, by building the right fraud strategy for their unique business needs.

While some in the industry are fearful that 3DS2 will drive more consumer friction, we believe otherwise. 3DS2 is designed to the pain points created by the existing 3DS protocol and enable what we call a ‘frictionless flow’.

And merchants will be able to learn where soft declines are occurring, build robust SCA exception rules and optimize their payment flow to deliver a seamless but secure customer experience.

Check out our article on how to make SCA regulations work for your business to learn more.

Preparing for SCA, country by country

Time is running out for merchants, however. SCA is an EU regulation overseen by the European Banking Authority (EBA). But compliance with SCA is the responsibility of individual national regulators across the 30 countries it applies to (the 27 EU member states including the UK, plus the three members of the European Free Trade Association (EFTA) — Iceland, Liechtenstein and Norway.)

The EBA has given regulators until 31 December 2020 to implement SCA. (In the UK, the FCA  has extended this to 14 March 2022.) But this is a deadline, not a start date. There is no uniform program for how implementation should proceed. Different countries are following slightly different timetables. Indeed, some regulators have been ramping up the application of SCA rules since the original deadline of September 2019.

So it’s important for merchants to understand the schedule for SCA adoption — and the likelihood of authentication-related soft declines —  in each country they have customers.

SCA deadlines by country

^*Pending the submission of a detailed migration plan to the regulator.

^** The following countries have not stated whether they will apply SCA prior to December 31 2020; and if so when and how: Bulgaria, Croatia, Czech Republic, Estonia, Latvia, Liechtenstein, Romania, Slovakia

All information correct as of February 2021

Take control of your own compliance with 3DS2

Rather than keeping up with each national regulator, merchants should lead the way. Those that set their own timetable for SCA will win on two fronts. Firstly, presuming that the timetable is ambitious in both speed and coverage, merchants do not need to worry about how SCA and soft declines are being employed country by country.

Secondly, by offering their customers a more secure and consistent payment experience, merchants turn SCA from a compliance burden into a competitive advantage. The earlier they can do this, the more they will mitigate the risk from soft declines and improve their payment acceptance rates.

Adopting 3DS2 is the way to achieve this. 3DS2 enables SCA compliance by leveraging the exchange of over 100 data points between the merchant and the payer’s card issuer. This ‘risk-based authentication’ allows the card issuer to authenticate the payer without the need for additional information. If the data is insufficient for the card issuer to take a risk-based decision, a second factor of authentication, including one-time passwords (OTP), biometric authentication such as fingerprints or facial recognition, or a QR code for mobile applications can be invoked via 3DS2 to further assess that the transaction is genuine.

Contact us to find out how we're supporting the world's leading businesses to become compliant with SCA and how we can help you.