There are many reasons why a payment fails. One is the failure of the payer to authenticate their identity. This falls into the category known as ‘soft declines.’
Soft declines are considered temporary. In other words, the merchant can attempt the transaction again by submitting it through additional authentication protocols — like 3DS2 for card payments, which we discuss in this article — to obtain a positive authorization and process the payment successfully. A hard decline may still occur, though, for numerous reasons, such as stop payment orders or the card being reported lost or stolen.
Soft declines can be bad news for merchants. As we learned in our ‘Black Boxes and Paradoxes’ research report, false declines — a large number of which are soft declines — cost merchants in the UK, US, France and Germany as much as $20.3 billion a year. Of that, $7.6 billion was entirely written off. And all this after the merchant has sunk the marketing costs of nurturing the shopper to the point of purchase.
What’s worse, many consumers who encounter false declines never return to that retailer again. And of that $20.3 billion merchants lost to false declines, $12.7 billion gets picked up by competitors.
With the arrival of Strong Customer Authentication (SCA) in the European Economic Area (EEA), there have been more stringent checks on a payer’s identity. As a result, there is a real risk consumers will encounter more soft declines when shopping online, especially for those transactions that require additional information from the payer. Merchants can limit the impact of soft declines on their business, however, by building the right fraud strategy for their unique business needs.
While some in the industry are fearful that 3DS2 will drive more consumer friction, we believe otherwise. 3DS2 is designed to address the pain points created by the existing 3DS protocol and to enable what we call a ‘frictionless flow’.
And merchants will be able to learn where soft declines are occurring, build robust SCA exception rules and optimize their payment flow to deliver a seamless but secure customer experience.
Time is running out for merchants, however. SCA is an EU regulation overseen by the European Banking Authority (EBA). But compliance with SCA is the responsibility of individual national regulators across the 30 countries it applies to (the 27 EU member states including the UK, plus the three members of the European Free Trade Association (EFTA) — Iceland, Liechtenstein and Norway).
The EBA has given regulators until 31 December 2020 to implement SCA. (In the UK, the FCA has extended this to 14 March 2022.) But this is a deadline, not a start date. There is no uniform program for how implementation should proceed. Different countries are following slightly different timetables. Indeed, some regulators have been ramping up the application of SCA rules since the original deadline of September 2019.
So it’s important for merchants to understand the schedule for SCA adoption — and the likelihood of authentication-related soft declines — in each country where they have customers.
*Pending the submission of a detailed migration plan to the regulator.
** The following countries have not stated whether they will apply SCA prior to December 31 2020, and if so, when and how: Bulgaria, Croatia, Czech Republic, Estonia, Latvia, Liechtenstein, Romania, Slovakia.
All information correct as of February 2021
Rather than keeping up with each national regulator, merchants should lead the way. Those that set their own timetable for SCA will win on two fronts. Firstly, presuming that the timetable is ambitious in both speed and coverage, merchants do not need to worry about how SCA and soft declines are being employed country by country.
Secondly, by offering their customers a more secure and consistent payment experience, merchants turn SCA from a compliance burden into a competitive advantage. The earlier they can do this, the more they will mitigate the risk from soft declines and improve their payment acceptance rates.
Adopting 3DS2 is the way to achieve this. 3DS2 enables SCA compliance by leveraging the exchange of over 100 data points between the merchant and the payer’s card issuer. This ‘risk-based authentication’ allows the card issuer to authenticate the payer without the need for additional information. If the data is insufficient for the card issuer to take a risk-based decision, a second factor of authentication, including one-time passwords (OTP), biometric authentication such as fingerprints or facial recognition, or a QR code for mobile applications, can be invoked via 3DS2 to further assess that the transaction is genuine.