The early impact of Strong Customer Authentication on payments across Europe
Strong Customer Authentication (SCA) rules came into force across the European Economic Area (EEA) on 31 December 2020. The rules, which change how customers confirm their identity when making purchases online, are designed to reduce fraud and enhance the integrity of the overall payments ecosystem.
But for merchants — and the industry as a whole — there was a degree of trepidation about the impact SCA enforcement would have on their payment performance. Some reports suggested that SCA measures could block one-third of European transactions, with the cost to merchants in excess of €100 Billion.
That level of disruption hasn’t come to pass. SCA enforcement has thus far been smooth with no widespread market disruptions in the first few weeks. This is due mainly to many EEA markets implementing SCA with some flexibility — either using soft decline ramp-up strategies or not enforcing reporting SCA compliance to the national competent authorities.
Overall, transaction approval rate indicators are mostly consistent with last year. And while there is a slight uptick in abandonment rates in some markets, this is typically the result of changes made in late 2020 by issuers to their SCA methods or changes in the cardholder SCA experience.
Let’s take a closer look at the key performance indicators.
3DS2 volumes increase with little disruption reported
As expected, there is an increase in volumes flowing through 3DS2 and a decrease in volumes flowing through 3DS1. This is as the approvals rates for 3DS2 improve and more EEA issuers upgrade to the new protocol.
| Issuing Country | 3DS 2.X | Authentication Approval | Authentication Decline | Authentication Abandon | Authorization Decline |
| Great Britain | 94% | 97.2% | 1% | 1.8% | 99.1% |
| Germany | 94% | 76.5% | 9.5% | 13.9% | 97.7% |
| France | 89% | 82.5% | 6.2% | 11.4% | 97.9% |
| Italy | 38% | 65.1% | 24.6% | 10.2% | 82.9% |
| Spain | 74% | 62.5% | 12% | 25.4% | 97.8% |
| Sweden | 78% | 75.6% | 13.2% | 11.2% | 92.9% |
| Denmark | 99% | 76.7% | 10.2% | 13.1% | 98.3% |
| Finland | 92% | 79.2% | 8.2% | 12.5% | 98.6% |
| Norway | 97% | 75.1% | 9.1% | 15.8% | 95.6% |
| Austria | 95% | 67.1% | 16.8% | 16.1% | 94.5% |
| Belgium | 97% | 84.2% | 4.2% | 11.6% | 95.3% |
| Ireland | 97% | 76.2% | 13.2% | 10.6% | 93.3% |
| Netherlands | 81% | 79.7% | 6.6% | 13.7% | 97.5% |
| Poland | 70% | 61.8% | 11.1% | 27.1% | 91.8% |
| Portugal | 83% | 87.8% | 3.7% | 8.5% | 96.7% |
| Total | 89.8% | 87.2% | 4.5% | 8.3% | 98.1% |
Source: Amazon data presented on Monthly SCA Workshop 21 January 2021, European Payment Institutions Federation (EPIF)
The monthly data — as of 21 January 2021 — shows that 89.8% of the issuers in Europe are supporting 3DS2 authentication. This is despite the fact that there was a temporary issue in Italy. Overall, the 3DS2 authentication approval rate averaged around 87.2%.
The significant incidents reported were mostly due to the incorrect usage of soft declines for merchant-initiated transactions (MITs) and systematic declines for 3DS2 attempted transactions. The card schemes are actively working with the issuers who need to correct their systems and soft decline logic.
Soft declines are increasing as expected during the ramp-up period
The data provided by Mastercard shows that soft declines increased as expected across Europe in the first two weeks of January. The percentage of soft declines is especially high in those countries with little official guidance or flexibility around the interpretation of rules during the ramp-up period.
Source: PSD2 RTS Readiness Status and Heightened Awareness Update, Mastercard 15 January 2021
Some issuers are soft declining some transactions that are fully authenticated by their Access Control Server (ACS). This is incorrect behavior and issuers will need to align with their ACS provider to resolve the issue. The data also highlights that some frictionless authentication attempts are being soft declined. In an effort to resolve this, Mastercard has announced a set of guidelines specifying when issuers may and may not soft decline transactions.
Source: PSD2 RTS Readiness Status and Heightened Awareness Update, Mastercard, 22 January 2021
We see a high percentage of outage exemptions (resilience indicator) being soft declined. This is expected behavior as most EEA issuers are not ready to accept this exemption.
Soft decline resubmissions are increasing rapidly
Overall the average retry rate through the first weeks of January was 14% — although the number is increasing. The focus for most merchants in the coming months will be learning how to improve the handling of soft declines and continue to leverage exemptions.
Source: PSD2 RTS Readiness Status and Heightened Awareness Update, Mastercard, 22 January 2021
Over 90% of European issuers have completed upgrades to 3DS2
By mid-January, over 90% of European issuers had completed their upgrades to 3DS2. The enrollment of BIN portfolios and card rangers continues and as the charts show, progress is uneven and varies from market to market.
Source: Visa Heightened Monitoring Call, January 2021
Source: Visa Heightened Monitoring Call, January 2021
In-app flow penetration and performance are improving
In-app flow penetration and performance are improving. And in the first few weeks of January, the split between in-app and browser authentication was 18% and browser 82% respectively. Issuers are also increasingly willing to work with merchants to improve the cardholder experience and ease of SCA completion in the merchant app.
Source: PSD2 RTS Readiness Status and Heightened Awareness Update, Mastercard, 22 January 2021
Early lessons learned from SCA enforcement across Europe and next steps
Overall, the early signs are that the SCA rules are achieving their core objectives of reducing fraud. All card schemes have reported a reduction in fraudulent activity in the first few weeks of the year. And it’s encouraging to see this happening with minimum impact on merchant payment performance.
We’ve seen that all issuers approach their SCA implementation differently, with some issuers taking a softer approach than others. This varied approach was anticipated and is especially evident in those markets that offer no official flexibility around SCA’s enforcement.
Certain issuers are behaving differently within individual markets, also. Merchants should work to understand and handle soft declines and implement flexible SCA rules to avoid any unnecessary customer impacts.
Another key learning is that late changes in the challenge flow or introducing new SCA methods confused cardholders. In these cases, cardholders are likely to take longer adopting SCA, which is why we see an increase in abandonment rates in some markets.
Although the SCA implementation is inconsistent across the EEA and some markets perform better than others, there has been no change in course or universal soft decline ramp-up strategies. Many markets also confirm full SCA enforcement.
These are still early days, of course, and merchants must stay informed about the evolution of SCA in the key markets they operate to avoid any unwanted disruption. Industry-wide meetings with key member states and card scheme representatives will continue to discuss the SCA implementation and overall readiness across the EEA.
The industry meetings will remain monthly throughout the year. We encourage you to raise any issues or concerns you wish to report to the industry forums via our Customer Success Managers.