Strong Customer Authentication (SCA)

For more information and updates about the enforcement of PSD2, refer to:

• When will PSD2/SCA be enforced?
• 3DS v2 information

Your integration is SCA-ready when all of your payments volume is processed using SCA-ready products.

• • Your business must use an SCA-ready product, such as the new version of PayXpert Checkout, Hosted Payment Page, Billing, Payment API, or an SCA-ready partner solution.
  • Test 3D Secure authentication thoroughly. Use our regulatory test cards to ensure that your integration can handle 3D Secure.
  • For off-session payments, make sure you set up and authenticate the card when saving the payment method, and off-session payments are flagged as off-session via the API.
  • If your business uses PayXpert Billing’s Subscriptions or Invoice APIs, ensure your integration can handle incomplete statuses.

If you notice in the Dashboard that your payments are not advancing past the incomplete status (requires_action in the API), consider:

• • If this is an on-session payment, this may be expected. Your customer might be in the process of authenticating or they may have abandoned the checkout flow.
  • Make sure you are handling required actions on the client side.
  • If this is an off-session payment, this is not expected. You should be setting off_session to true when creating the payment.

For off-session payments, visit your Dashboard and filter by failed payments. Hovering over the status badge will highlight the decline reason (e.g., authentication required). On-session payments can be viewed by applying the incomplete payments filter and seeing if the payment is incomplete since authentication is required.

For off-session payments, make sure that you are authenticating the card when saving card details, either without a payment or during a payment. When saving cards without a payment, use the Setup Intents API and set usage to off_session. When saving cards during a payment, set setup_future_usage to off_session. Finally, note that exemptions are not guaranteed and off-session payments may still require authentication by the bank.

You can view a list of common SCA-ready PayXpert plugins here. If you don’t see the plugin your business uses here, visit the SCA Updates section of the Dashboard for more detailed guidance.

Payments that have been successfully authenticated using 3D Secure are covered by a liability shift. Should a 3D Secure payment be disputed as fraudulent by the cardholder, the liability shifts from you to the card issuer. If exemptions are applied, the payment is not authenticated through 3D Secure, and is therefore not covered by a liability shift.

When you set up your payment flow to properly save a card with the Payment Intents or Setup Intents API, PayXpert marks any subsequent off-session payment as a merchant-initiated transaction (MIT) to reduce the need to authenticate. Merchant-initiated transactions require an agreement (also known as a mandate) between you and your customer. Add terms to your website or application on how you plan to process payments that your customer can opt into.

At a minimum, ensure that your terms cover the following:

• • The customer’s permission to you initiating a payment or a series of payments on their behalf
  • The anticipated frequency of payments (i.e., one-time or recurring)
  • How the payment amount will be determined

Add text in your checkout flow that references the terms of the payment, for example:

"I authorize [your business name] to send instructions to the financial institution that issued my card to take payments from my card account in accordance with the terms of my agreement with you."

There are a limited number of exemptions for SCA, with the most common expected to be:

• Low-risk transactions, where the fraud rate of the card provider and bank are both below expected levels proportionate to the transaction
• Low-value transactions (payments under €30)
• Fixed-rate subscriptions (online streaming services where price doesn’t change)
• Merchant-initiated transactions (delayed payments, add-on billing)

In these cases, additional authentication won’t be required. Yet the issue for retailers is that not all banks will have systems in place to approve all of these exemptions by 14 September. Even after that date, exemptions may be granted inconsistently between banks. This means that retailers must build payment flows that assume exemptions won’t be granted, requiring full authorisation by the customer.

Card information saved before 14 September is to be grandfathered in and considered authenticated. For retailers such as Amazon, the customer will be logged into the site when trying to use the card so, depending on how 3DS2 is implemented by their payment processor, re-authentication of a saved card can be done without requiring re-entry of card information.

It’s a little different for subscriptions where the card is being charged without the user present (online newspapers, streaming video services etc). There should be no need for re-authorisation at each billing period. If the price of the subscription changes, the bank will evaluate the risk of the transaction (cardholder history, retailer history, bank’s own fraud rate) and may choose to ask for additional authentication, or may allow the transaction to be exempted from SCA.

The major challenge for retailers is that responses from different banks to the same types of transactions are likely to be inconsistent. The critical task is building payment flows in a resilient way, to expect authentication challenges at all stages of transaction processing.

According to the PSD2 SCA rollout update, the Financial Conduct Authority (FCA) has extended the deadline for implementing Strong Customer Authentication (SCA) for e-commerce transactions to 14 March 2022. This further 6-month extension is to ensure minimal disruption to merchants and consumers and recognises ongoing challenges facing the industry to be ready by the previous 14 September 2021 deadline. The new 14 March 2022 deadline is the latest the FCA expects full SCA compliance for e-commerce transactions.

The SCA is seen as a solution that protects consumers while minimising the potential for disruption to customers and merchants, and the FCA still expects firms to continue to take robust action to reduce the risk of fraud. What firms with e-commerce customers should do:
To ensure readiness by 14 March 2022,  PayXpert encourages and supports all merchants to engage with wider industry efforts to implement the SCA, while taking appropriate steps to manage the fraud risk.

Merchants that aren’t able to fully comply with anti-fraud requirements risk their customers’ online transactions being declined. 

The FCA expects firms to take all necessary steps to support merchants, monitor merchants’ readiness and progress, and continue to explain the consequences of not being ready.

To learn more about the FCA communication: https://www.fca.org.uk/firms/strong-customer-authentication

Before you proceed, we recommend that you use this checklist to track your PSD2 compliance progress.

The PSD2 mandate is for banks, not for merchants. This means that issuing banks that approve non-compliant transactions are violating the law in their home country.

Issuing banks implement protocols to comply with PSD2 SCA regulations. As a merchant you should ensure that your transactions are compliant to avoid the risk of issuing banks refusing your transactions, leading to lower authorisation rates.

In order to raise the conversion rates, we recommend merchants to collect information for all fields marked as Required, and pass it into the gateway. Usage of Optional fields will improve conversion rate even more, and will allow merchants to get more Issuer  approvals.

1. TRANSACTIONAL AND CHECKOUT PAGE INFORMATION

2. 3DS REQUESTOR AUTHENTICATION INFORMATION

3. 3DS REQUESTOR AUTHENTICATION INFORMATION

4. MERCHANT RISK INDICATOR

5. CARDHOLDER ACCOUNT INFORMATION