SCA or Strong Customer Authentication Would you like to improve you conversion rate under SCA?
Read on to learn all you can about how adapt to the new SCA
and make your business results improve in the process!

How to improve your conversion rate in the new SCA environment?

Do you want to increase your conversion rate after applying the new SCA guidelines? These are a few recommendations that will help you go in the right direction:

  • Ask cardholders for whitelisting (PayXpert payment page, merchant’s website pages or merchant’s payment page -provided the merchant is not already using PayXpert’s Payment Page)
  • Request to be included in Visa and MasterCard whitelists
  • Send more information in transaction fields to receive issuers exemption from-SCA (Issuer TRA):

    For an optimized frictionless payment process, here is a non-exhaustive list of the fields that really might help the scoring (apart for compulsory fields):

    • Billing address (town, country, number…)
    • Delivery address (town, country, number)
    • Merchant fraud score (if you have one)
    • E-mail address
    • Phone number
    • Name of the payer
    • useragent (IP, OS, version, resolution, language etc)
    • IP address

FAQs About the SCA implementation

For more information and updates about the enforcement of PSD2, refer to:

Although we anticipate a phased and fragmented enforcement of SCA across Europe, SCA-impacted PayXpert users should prepare their payment flows to be SCA-ready as soon as possible. This will help prevent an increase in declines from European cards, or in case of an early enforcement by select banks. Read more about how enforcement varies by country.

Your integration is SCA-ready when all of your payments volume is processed using SCA-ready products.

    • Your business must use an SCA-ready product, such as the new version of PayXpert Checkout, Hosted Payment Page, Billing, Payment API, or an SCA-ready partner solution.
    • Test 3D Secure authentication thoroughly. Use our regulatory test cards to ensure that your integration can handle 3D Secure.
    • For off-session payments, make sure you set up and authenticate the card when saving the payment method, and off-session payments are flagged as off-session via the API.
    • If your business uses PayXpert Billing’s Subscriptions or Invoice APIs, ensure your integration can handle incomplete statuses.

If you notice in the Dashboard that your payments are not advancing past the incomplete status (requires_action in the API), consider:

    • If this is an on-session payment, this may be expected. Your customer might be in the process of authenticating or they may have abandoned the checkout flow.
    • Make sure you are handling required actions on the client side.
    • If this is an off-session payment, this is not expected. You should be setting off_session to true when creating the payment.

For off-session payments, visit your Dashboard and filter by failed payments. Hovering over the status badge will highlight the decline reason (e.g., authentication required). On-session payments can be viewed by applying the incomplete payments filter and seeing if the payment is incomplete since authentication is required.

For off-session payments, make sure that you are authenticating the card when saving card details, either without a payment or during a payment. When saving cards without a payment, use the Setup Intents API and set usage to off_session. When saving cards during a payment, set setup_future_usage to off_session. Finally, note that exemptions are not guaranteed and off-session payments may still require authentication by the bank.

You can view a list of common SCA-ready PayXpert plugins here. If you don’t see the plugin your business uses here, visit the SCA Updates section of the Dashboard for more detailed guidance.

Payments that have been successfully authenticated using 3D Secure are covered by a liability shift. Should a 3D Secure payment be disputed as fraudulent by the cardholder, the liability shifts from you to the card issuer. If exemptions are applied, the payment is not authenticated through 3D Secure, and is therefore not covered by a liability shift.

When you set up your payment flow to properly save a card with the Payment Intents or Setup Intents API, PayXpert marks any subsequent off-session payment as a merchant-initiated transaction (MIT) to reduce the need to authenticate. Merchant-initiated transactions require an agreement (also known as a mandate) between you and your customer. Add terms to your website or application on how you plan to process payments that your customer can opt into.

At a minimum, ensure that your terms cover the following:

    • The customer’s permission to you initiating a payment or a series of payments on their behalf
    • The anticipated frequency of payments (i.e., one-time or recurring)
    • How the payment amount will be determined

Add text in your checkout flow that references the terms of the payment, for example:

"I authorize [your business name] to send instructions to the financial institution that issued my card to take payments from my card account in accordance with the terms of my agreement with you."

There are a limited number of exemptions for SCA, with the most common expected to be:

  • Low-risk transactions, where the fraud rate of the card provider and bank are both below expected levels proportionate to the transaction
  • Low-value transactions (payments under €30)
  • Fixed-rate subscriptions (online streaming services where price doesn’t change)
  • Merchant-initiated transactions (delayed payments, add-on billing)

In these cases, additional authentication won’t be required. Yet the issue for retailers is that not all banks will have systems in place to approve all of these exemptions by 14 September. Even after that date, exemptions may be granted inconsistently between banks. This means that retailers must build payment flows that assume exemptions won’t be granted, requiring full authorisation by the customer.

Card information saved before 14 September is to be grandfathered in and considered authenticated. For retailers such as Amazon, the customer will be logged into the site when trying to use the card so, depending on how 3DS2 is implemented by their payment processor, re-authentication of a saved card can be done without requiring re-entry of card information.

It’s a little different for subscriptions where the card is being charged without the user present (online newspapers, streaming video services etc). There should be no need for re-authorisation at each billing period. If the price of the subscription changes, the bank will evaluate the risk of the transaction (cardholder history, retailer history, bank’s own fraud rate) and may choose to ask for additional authentication, or may allow the transaction to be exempted from SCA.

The major challenge for retailers is that responses from different banks to the same types of transactions are likely to be inconsistent. The critical task is building payment flows in a resilient way, to expect authentication challenges at all stages of transaction processing.

Unlike most things Brexit-related, with SCA there is certainty. The regulation is expected to be enforced in the UK, regardless of if, when or how Brexit ultimately happens. In fact, the UK’s Financial Conduct Authority (FCA) recently added some more clarity to the current situation. It has adopted the recommendations of UK Finance (a banking and financial services trade group) on enforcement.

Highlighting concerns around consumer awareness as well as merchant and issuer readiness, UK Finance made the case for a phased roll-out, rather than the ‘big bang’ approach we saw with  GDPR, for example. This could be summarised simply as no change for six months, followed by baby steps.

That this proposal was accepted means there’s a window of 18 months in which SCA will be on the books but at varying levels of implementation and enforcement in the UK.

The Irish Central Bank has mentioned a “limited mitigation period”, with several other EU authorities making similar noises, but the FCA is the first to put some date-related meat on the bones of the delay.

Before you proceed, we recommend that you use this checklist to track your PSD2 compliance progress.

Aspects to considerAction that you need to take
Your technical implementationMake sure that you are ready to support both 3D Secure 1 and 3D Secure 2. See 3D Secure implementation options.
Your business modelIf you are using an API integration, check if your transactions require SCA and submit the correct parameters in your API request.
Your strategy for managing SCA compliance

Decide on how you want to manage SCA compliance for your transactions. Your options are to:

  1. Do nothing and let us handle your SCA compliance. Our Authentication Engine will automatically trigger 3D Secure (1 or 2) if a transaction is in scope of PSD2 and SCA is mandated. We expect issuers to soft-decline unauthenticated transactions more as the transition period continues in 2020 and 2021. For more information on how different countries and issuers plan to handle PSD2 SCA compliance, refer to our Support guide.
  2. Use Dynamic 3D Secure to configure additional conditions when to trigger 3D Secure. For example, configure rules for transactions you deem as high risk. If you are already using Dynamic 3D Secure, check your current rules to ensure that 3D Secure will be triggered for all transactions with an SCA mandate.
  3. Submit your 3D Secure preference per transaction in your API request. If you choose this option, this will override our default PSD2 compliance handling logic. We recommend to use the API fields only if you have an extensive knowledge of PSD2 SCA regulations and the 3D Secure protocol.

The PSD2 mandate is for banks, not for merchants. This means that issuing banks that approve non-compliant transactions are violating the law in their home country.

Issuing banks implement protocols to comply with PSD2 SCA regulations. You as a merchant should ensure that your transactions are compliant to avoid the risk of issuing banks refusing your transactions, leading to lower authorisation rates.

In order to raise the conversion rates, we recommend merchants to collect information for all fields marked as Required, and pass it into the gateway. Usage of Optional fields will improve conversion rate even more, and will allow merchants to get more Issuer  approvals.

  1. TRANSACTIONAL AND CHECKOUT PAGE INFORMATION

Data Element

emvco – required

emvco – optional

3DS Challenge Indicator

 X

3DS Method Completion Indicator

X 

3DS Requestor Authentication Indicator

X 

3DS Requestor ID

  

3DS Requestor Name

 X

3DS Requestor URL

X 

3DS Server Operator ID

X 

3DS Server Reference Number

X 

3DS Server Transaction ID

X 

3DS Server URL

X 

3RI Indicator

 X

Account Type

 X

Acquirer BIN

X 

Acquirer Merchant ID

X 

Address Match Indicator

 X

Broadcast Information

 X

Browser Accept Headers

X 

Browser IP Address

 X

Browser Java Enabled

X 

Rrowser Language

X 

Browser Screen Color Depth

X 

Browser Screen Height

X 

Browser Screen Width

X 

Browser Time Zone

X 

Browser User-Agent

X 

Card/Token Expiry Date

X 

Cardholder Account Identifier

 X

Cardholder Account Number

X 

Cardholder Address Country

 X

Cardholder Billing Address City

X 

Cardholder Billing Address Country

X 

Cardholder Billing Address Line 1

X 

Cardholder Billing Address Line 2

X 

Cardholder Billing Address Line 3

X 

Cardholder Billing Address Postcal Code

X 

Cardholder Billing Address State

X 

Cardholder Email Address

X 

Cardholder Home Phone Number

 X

Cardholder Mobile Phone Number

 X

Cardholder Name

X 

Cardholder Shipping Address City

 X

Cardholder Shipping Address Line 1

 X

Cardholder Shipping Address Line 2

 X

Cardholder Shipping Address Line 3

 X

Cardholder Shipping Address Postal Code

 X

Cardholder Shipping Address State

 X

Cardholder Work Phone Number

 X

Device Channel

X 

EMV Payment Token Indicator

 X

Installment Payment Data

  

Merchant Category Code

X 

Merchant Country Code

X 

Merchant Name

X 

Message Category

X 

Message Extension

 X

Message Type

X 

Message Version Number

X 

Notification URL

X 

Purchase Amount

X 

Purchase Currency

X 

Purchase Currency Exponent

X 

Purchase Date & Time

X 

Transaction Type

X 
  1. 3DS REQUESTOR AUTHENTICATION INFORMATION

Data Element

emvco – required

emvco – optional

3DS Requestor Authentication Method

X 

3DS Requestor Authentication Timestamp

 X
  1. 3DS REQUESTOR AUTHENTICATION INFORMATION

Data Element

emvco – required

emvco – optional

3DS Requestor Prior Transaction Reference

 X

3DS Requestor Prior Transaction Authentication Method

 X

3DS Requestor Prior Transaction Authentication Timestamp

 X

3DS Requestor Prior Transaction Authentication Data

 X
  1. MERCHANT RISK INDICATOR

Data Element

emvco – required

emvco – optional

Shipping Indicator

 X

Delivery Timeframe

 X

Delivery Email Address

 X

Reorder Items Indicator

 X

Pre-Order Purchase Indicator

 X

Pre-Order Date

 X

Gift Card Amount

 X

Gift Card Currency

 X

Gift Card Count

 X
  1. CARDHOLDER ACCOUNT INFORMATION

Data Element

emvco – required

emvco – optional

Cardholder Account Age Indicator

 X

Cardholder Account Date

 X

Cardholder Account Change Indicator

 X

Cardholder Account Change

 X

Cardholder Account Password Change Indicator

 X

Cardholder Account Password Change

 X

Shipping Address Usage Indicator

 X

Number of Transactions Day

 X

Number of Transactions Year

 X

Number of Provisioning Attempts Day

 X

Cardholder Account Purchase Count

 X

Suspicious Account Activity

 X

Shipping Name Indicator

 X

Payment Account Age Indicator

 X

Payment Account Age

 X

Cardholder Account Identifier

 X

Authentication Method

 X

Authentication Timestamp

 X

Cardholder Account Date

 X

Shipping Address Usage

 X

Transactions outside the scope of SCA:

business, lady, woman

WE ARE HERE TO HELP
LET’S TALK!

Our Account managers will support you in the process of integrating Digital Payments Solutions to allow the best experience to your future Customers.


    I confirm I have read the Privacy Policy*.

    According to the EU GDPR 2016/67, we inform you that your data will be processed by PayXpert LTD (“PayXpert”), with registration number 09647756. You can freely and voluntarily provide the information requested in the form except for the fields that appear as mandatory. The non-introduction of the information requested as mandatory may have the consequence that your request can not be addressed. This information has the purpose of managing your request and/or complaints raised before it for which you are giving your explicit consent. We inform you that you may exercise your rights of access, rectification, erasure, object, portability, restriction in processing and to be forgotten by contacting PayXpert at gdpr (at) payxpert. com.

    Let's talk about payments!

    Scroll to Top