When should merchants prepare for soft declines with SCA?

Link to the author's page
Checkout.com
March 10, 2023
Link to the author's page
When should merchants prepare for soft declines with SCA?

There are many reasons why a payment fails. One is the failure of the payer to authenticate their identity. This falls into the category known as ‘soft declines.’

Soft declines are considered temporary. In other words, the merchant can attempt the transaction again by submitting it through additional authentication protocols — like 3DS2 for card payments, which we discuss in this article — to obtain a positive authorization and process the payment successfully. A hard decline may still occur though for numerous reasons, such as stop payment orders or due to the card being reported lost or stolen.

Find out more about Checkout.com's authentication solution.

Soft declines v hard declines

  • Hard declines happen when the customer’s card-issuing bank rejects the payment. Examples include attempting to use a card that has been reported as stolen or lost, or the card has expired. Hard declines are permanent, so the payment should not be retried.
  • Soft declines are temporary authorization failures. Around 80% to 90% of all declines fall into this category. They occur for a host of reasons including the need to authenticate the cardholder further because the purchase is unusual or there are issues with the technical infrastructures processing the payment. Soft declines are temporary, meaning merchants can process the transaction again meeting the requirements that led to the decline the first time around.

Learn more about the response codes you might see for hard and soft declines.

SCA and soft declines

Soft declines can be bad news for merchants. As we learned in our ‘Black Boxes and Paradoxes’ research report, the cost of false declines — a large number of which are soft declines — cost merchants in the UK, US, France and Germany as much as $20.3 billion a year. Of that, $7.6 billion was entirely written off. And all this after the merchant has sunk the marketing costs of nurturing the shopper to the point of purchase.

What’s worse many consumers who encounter false declines never return to that retailer again. And of that $20.3 billion merchants lost to false declines, $12.7 billion gets picked up by competitors.

With the arrival of Strong Customer Authentication (SCA) in the European Economic Area (EEA), there have been more stringent checks on a payer’s identity. As a result, there is a real risk consumers will encounter more soft declines when shopping online, especially for those transactions that require additional information from the payer. Merchants can limit the impact of soft declines on their business, however, by building the right fraud strategy for their unique business needs.

While some in the industry are fearful that 3DS2 will drive more consumer friction, we believe otherwise. 3DS2 is designed to the pain points created by the existing 3DS protocol and enable what we call a ‘frictionless flow’.

And merchants will be able to learn where soft declines are occurring, build robust SCA exception rules and optimize their payment flow to deliver a seamless but secure customer experience.

Check out our article on how to make SCA regulations work for your business to learn more.

Preparing for SCA, country by country

Time is running out for merchants, however. SCA is an EU regulation overseen by the European Banking Authority (EBA). But compliance with SCA is the responsibility of individual national regulators across the 30 countries it applies to (the 27 EU member states including the UK, plus the three members of the European Free Trade Association (EFTA) — Iceland, Liechtenstein and Norway.)

The EBA has given regulators until 31 December 2020 to implement SCA. (In the UK, the FCA  has extended this to 14 March 2022.) But this is a deadline, not a start date. There is no uniform program for how implementation should proceed. Different countries are following slightly different timetables. Indeed, some regulators have been ramping up the application of SCA rules since the original deadline of September 2019.

So it’s important for merchants to understand the schedule for SCA adoption — and the likelihood of authentication-related soft declines —  in each country they have customers.

SCA deadlines by country

Country Regulator SCA Deadline Additional Information
Austria FCA

31 December 2020

- From 15 January, 2021, soft declines applied on transactions above €250

- From 1 February, 2021, soft declines apply on transactions above €150

- From 15 March, 2021, issuers will apply soft declines for all non-compliant transactions.

For more information

Belgium National Bank of Belgium

31 December 2020

Soft declines for non-compliant transactions above €1,500 have been in place since 19 January 2021. This will be gradually lowered to all transactions by 18 March 2021.

- From 23 February, 2021, soft declines apply on transactions above €500

- From 23 March, 2021, soft declines apply on transactions above €250

- From 19 April, 2021, soft declines apply on transactions above €100

- And from 18 May, 2021, on all transactions

For more information
Cyprus Central Bank of Cyprus

31 December 2020*

For more information
Denmark FinantilSysNet

11 January 2021

FinantilSysNet will publish a detailed plan including operational milestones

For more information
Finland FIN-FSA

31 December 2020

Some soft declines are already being actioned

For more information
France Bank of

France

31 December 2020

Prior to 31 March 2021, soft declines will be applied in a phased approach, as follows:

- September to December 2020: soft declines applied to non-3D Secure transactions of more than €2000

- From 5 January, 2021: applied to non-secure transactions of €1000 and above

- From from mid-February, 2021: applied to non-secure transactions of €500 and above

- From 15 March: applied to non-secure transactions of €250 and above

- From 15 April: applied to non-secure transactions of €100 and above

- From 15 May: applied to all non-secure transactions

For more information

Germany BaFin

31 December 2020

- From 15 January, 2021: Soft decline of transactions more than €250

- From 15 February, 2021: Soft decline of transactions more than €150

- From 15 March, 2021: Soft decline of all transactions

For more information

Greece Bank of Greece

31 December 2020

For more information
Hungary MNB

31 December, 2020

For more information
Ireland Central Bank of Ireland

Full implementation on or before 1 July, 2021

- 1 March, 2021 to 31 March, 2021: Apply soft declines to all direct to authorisation transactions above €750

- 1 April, 2021 to 30 April, 2021: Apply soft declines to all direct to authorisation transactions above €500

- 1st May, 2021 to 31 May, 2021: Apply soft declines to all direct to authorisation transactions above €250

- 1st June, 2021 – 30 June, 2021: Apply soft declines to all direct to authorisation transactions above €150

- Full implementation on or before 1 July, 2021

For more information
Italy Banca D’Italia

31 December 2020*

The Bank of Italy 3-month ramp-up plan is based on the following milestones:

- 1 January, 2021: SCA to be enforced for transactions above €1,000

- 1 February, 2021: SCA to be enforced for transactions above €500

- 1 March, 2021: SCA to be enforced for transactions above €100

- 1 April, 2021: SCA to be enforced for all transactions

For more information

Lithuania Lietuvos Bankas

31 December 2020*

- 1 January, 2021: SCA to be enforced for transactions above €500

- 1 February, 2021: SCA to be enforced for transactions above €250

- 1 March, 2021: SCA to be enforced for transactions above €100

- 1 April, 2021: SCA to be enforced for all transactions

For more information

Luxembourg CSSF (Surveillance Commission of the Finance Sector)

31 December 2020*

For more information
Malta Central Bank of Malta

31 December 2020

For more information
The Netherlands DNB

31 December 2020

For more information
Norway Finanstilsynet

31 December 2020

Parties must actively request this deadline with Finanstilsynet

For more information
Poland KNF

31 December 2020*

For more information
Portugal Banco De Portugal

31 December 2020

For more information
Slovenia Banka Slovenije

31 December 2020

For more information
Spain Banco de España

31 December 2020

A phased roll out of soft declines will precede the deadline

15 January, 2021: SCA to be enforced for transactions above €250

1 February, 2021: SCA to be enforced for transactions above €30

1 March, 2021: SCA to be enforced for all transactions

For more information

Sweden Finansinspektionen

14 September 2019

Unlike most other countries, Sweden has enforced the original SCA deadline, and extensions are only being granted on a request-by-request basis

For more information
United Kingdom FCA

14 March 2022

For more infomation

*Pending the submission of a detailed migration plan to the regulator.

** The following countries have not stated whether they will apply SCA prior to December 31 2020; and if so when and how: Bulgaria, Croatia, Czech Republic, Estonia, Latvia, Liechtenstein, Romania, Slovakia

All information correct as of February 2021

Take control of your own compliance with 3DS2

Rather than keeping up with each national regulator, merchants should lead the way. Those that set their own timetable for SCA will win on two fronts. Firstly, presuming that the timetable is ambitious in both speed and coverage, merchants do not need to worry about how SCA and soft declines are being employed country by country.

Secondly, by offering their customers a more secure and consistent payment experience, merchants turn SCA from a compliance burden into a competitive advantage. The earlier they can do this, the more they will mitigate the risk from soft declines and improve their payment acceptance rates.

Adopting 3DS2 is the way to achieve this. 3DS2 enables SCA compliance by leveraging the exchange of over 100 data points between the merchant and the payer’s card issuer. This ‘risk-based authentication’ allows the card issuer to authenticate the payer without the need for additional information. If the data is insufficient for the card issuer to take a risk-based decision, a second factor of authentication, including one-time passwords (OTP), biometric authentication such as fingerprints or facial recognition, or a QR code for mobile applications can be invoked via 3DS2 to further assess that the transaction is genuine.

Contact us to find out how we're supporting the world's leading businesses to become compliant with SCA and how we can help you.

Stay up-to-date

Get Checkout.com news in your inbox.

Back to top button
March 10, 2023 10:00
March 10, 2023 10:00