Strong Customer Authentication (SCA)
Read on to learn all you can about how adapt to the new SCA
and make your business results improve in the process!
How to improve your conversion rate in the new SCA environment?
Do you want to increase your conversion rate after applying the new SCA guidelines? These are a few recommendations that will help you go in the right direction:
- Ask cardholders for whitelisting (PayXpert payment page, merchant’s website pages or merchant’s payment page -provided the merchant is not already using PayXpert’s Payment Page)
- Request to be included in Visa and MasterCard whitelists
- Send more information in transaction fields to receive issuers exemption from-SCA (Issuer TRA):
For an optimized frictionless payment process, here is a non-exhaustive list of the fields that really might help the scoring (apart for compulsory fields):
- Billing address (town, country, number…)
- Delivery address (town, country, number)
- Merchant fraud score (if you have one)
- E-mail address
- Phone number
- Name of the payer
- useragent (IP, OS, version, resolution, language etc)
- IP address
FAQs About the SCA implementation
For more information and updates about the enforcement of PSD2, refer to:
Although we anticipate a phased and fragmented enforcement of SCA across Europe, SCA-impacted PayXpert users should prepare their payment flows to be SCA-ready as soon as possible. This will help prevent an increase in declines from European cards, or in case of an early enforcement by select banks. Read more about how enforcement varies by country.
Your integration is SCA-ready when all of your payments volume is processed using SCA-ready products.
- Your business must use an SCA-ready product, such as the new version of PayXpert Checkout, Hosted Payment Page, Billing, Payment API, or an SCA-ready partner solution.
- Test 3D Secure authentication thoroughly. Use our regulatory test cards to ensure that your integration can handle 3D Secure.
- For off-session payments, make sure you set up and authenticate the card when saving the payment method, and off-session payments are flagged as off-session via the API.
- If your business uses PayXpert Billing’s Subscriptions or Invoice APIs, ensure your integration can handle incomplete statuses.
If you notice in the Dashboard that your payments are not advancing past the incomplete status (requires_action in the API), consider:
- If this is an on-session payment, this may be expected. Your customer might be in the process of authenticating or they may have abandoned the checkout flow.
- Make sure you are handling required actions on the client side.
- If this is an off-session payment, this is not expected. You should be setting off_session to true when creating the payment.
For off-session payments, visit your Dashboard and filter by failed payments. Hovering over the status badge will highlight the decline reason (e.g., authentication required). On-session payments can be viewed by applying the incomplete payments filter and seeing if the payment is incomplete since authentication is required.
For off-session payments, make sure that you are authenticating the card when saving card details, either without a payment or during a payment. When saving cards without a payment, use the Setup Intents API and set usage to off_session. When saving cards during a payment, set setup_future_usage to off_session. Finally, note that exemptions are not guaranteed and off-session payments may still require authentication by the bank.
You can view a list of common SCA-ready PayXpert plugins here. If you don’t see the plugin your business uses here, visit the SCA Updates section of the Dashboard for more detailed guidance.
Payments that have been successfully authenticated using 3D Secure are covered by a liability shift. Should a 3D Secure payment be disputed as fraudulent by the cardholder, the liability shifts from you to the card issuer. If exemptions are applied, the payment is not authenticated through 3D Secure, and is therefore not covered by a liability shift.
When you set up your payment flow to properly save a card with the Payment Intents or Setup Intents API, PayXpert marks any subsequent off-session payment as a merchant-initiated transaction (MIT) to reduce the need to authenticate. Merchant-initiated transactions require an agreement (also known as a mandate) between you and your customer. Add terms to your website or application on how you plan to process payments that your customer can opt into.
At a minimum, ensure that your terms cover the following:
- The customer’s permission to you initiating a payment or a series of payments on their behalf
- The anticipated frequency of payments (i.e., one-time or recurring)
- How the payment amount will be determined
Add text in your checkout flow that references the terms of the payment, for example:
"I authorize [your business name] to send instructions to the financial institution that issued my card to take payments from my card account in accordance with the terms of my agreement with you."
There are a limited number of exemptions for SCA, with the most common expected to be:
- Low-risk transactions, where the fraud rate of the card provider and bank are both below expected levels proportionate to the transaction
- Low-value transactions (payments under €30)
- Fixed-rate subscriptions (online streaming services where price doesn’t change)
- Merchant-initiated transactions (delayed payments, add-on billing)
In these cases, additional authentication won’t be required. Yet the issue for retailers is that not all banks will have systems in place to approve all of these exemptions by 14 September. Even after that date, exemptions may be granted inconsistently between banks. This means that retailers must build payment flows that assume exemptions won’t be granted, requiring full authorisation by the customer.
Card information saved before 14 September is to be grandfathered in and considered authenticated. For retailers such as Amazon, the customer will be logged into the site when trying to use the card so, depending on how 3DS2 is implemented by their payment processor, re-authentication of a saved card can be done without requiring re-entry of card information.
It’s a little different for subscriptions where the card is being charged without the user present (online newspapers, streaming video services etc). There should be no need for re-authorisation at each billing period. If the price of the subscription changes, the bank will evaluate the risk of the transaction (cardholder history, retailer history, bank’s own fraud rate) and may choose to ask for additional authentication, or may allow the transaction to be exempted from SCA.
The major challenge for retailers is that responses from different banks to the same types of transactions are likely to be inconsistent. The critical task is building payment flows in a resilient way, to expect authentication challenges at all stages of transaction processing.
According to the PSD2 SCA rollout update, the Financial Conduct Authority (FCA) has extended the deadline for implementing Strong Customer Authentication (SCA) for e-commerce transactions to 14 March 2022. This further 6-month extension is to ensure minimal disruption to merchants and consumers and recognises ongoing challenges facing the industry to be ready by the previous 14 September 2021 deadline. The new 14 March 2022 deadline is the latest the FCA expects full SCA compliance for e-commerce transactions.
The SCA is seen as a solution that protects consumers while minimising the potential for disruption to customers and merchants, and the FCA still expects firms to continue to take robust action to reduce the risk of fraud. What firms with e-commerce customers should do:
To ensure readiness by 14 March 2022, PayXpert encourages and supports all merchants to engage with wider industry efforts to implement the SCA, while taking appropriate steps to manage the fraud risk.
Merchants that aren’t able to fully comply with anti-fraud requirements risk their customers’ online transactions being declined.
The FCA expects firms to take all necessary steps to support merchants, monitor merchants’ readiness and progress, and continue to explain the consequences of not being ready.
To learn more about the FCA communication: https://www.fca.org.uk/firms/strong-customer-authentication
Before you proceed, we recommend that you use this checklist to track your PSD2 compliance progress.
Aspects to consider | Action that you need to take |
---|---|
Your technical implementation | Make sure that you are ready to support both 3D Secure 1 and 3D Secure 2. See 3D Secure implementation options. |
Your business model | If you are using an API integration, check if your transactions require SCA and submit the correct parameters in your API request. |
Your strategy for managing SCA compliance | Decide on how you want to manage SCA compliance for your transactions. Your options are to:
|
The PSD2 mandate is for banks, not for merchants. This means that issuing banks that approve non-compliant transactions are violating the law in their home country.
Issuing banks implement protocols to comply with PSD2 SCA regulations. As a merchant you should ensure that your transactions are compliant to avoid the risk of issuing banks refusing your transactions, leading to lower authorisation rates.
In order to raise the conversion rates, we recommend merchants to collect information for all fields marked as Required, and pass it into the gateway. Usage of Optional fields will improve conversion rate even more, and will allow merchants to get more Issuer approvals.
- TRANSACTIONAL AND CHECKOUT PAGE INFORMATION
Data Element | emvco – required | emvco – optional |
3DS Challenge Indicator | X | |
3DS Method Completion Indicator | X | |
3DS Requestor Authentication Indicator | X | |
3DS Requestor ID | ||
3DS Requestor Name | X | |
3DS Requestor URL | X | |
3DS Server Operator ID | X | |
3DS Server Reference Number | X | |
3DS Server Transaction ID | X | |
3DS Server URL | X | |
3RI Indicator | X | |
Account Type | X | |
Acquirer BIN | X | |
Acquirer Merchant ID | X | |
Address Match Indicator | X | |
Broadcast Information | X | |
Browser Accept Headers | X | |
Browser IP Address | X | |
Browser Java Enabled | X | |
Rrowser Language | X | |
Browser Screen Color Depth | X | |
Browser Screen Height | X | |
Browser Screen Width | X | |
Browser Time Zone | X | |
Browser User-Agent | X | |
Card/Token Expiry Date | X | |
Cardholder Account Identifier | X | |
Cardholder Account Number | X | |
Cardholder Address Country | X | |
Cardholder Billing Address City | X | |
Cardholder Billing Address Country | X | |
Cardholder Billing Address Line 1 | X | |
Cardholder Billing Address Line 2 | X | |
Cardholder Billing Address Line 3 | X | |
Cardholder Billing Address Postcal Code | X | |
Cardholder Billing Address State | X | |
Cardholder Email Address | X | |
Cardholder Home Phone Number | X | |
Cardholder Mobile Phone Number | X | |
Cardholder Name | X | |
Cardholder Shipping Address City | X | |
Cardholder Shipping Address Line 1 | X | |
Cardholder Shipping Address Line 2 | X | |
Cardholder Shipping Address Line 3 | X | |
Cardholder Shipping Address Postal Code | X | |
Cardholder Shipping Address State | X | |
Cardholder Work Phone Number | X | |
Device Channel | X | |
EMV Payment Token Indicator | X | |
Installment Payment Data | ||
Merchant Category Code | X | |
Merchant Country Code | X | |
Merchant Name | X | |
Message Category | X | |
Message Extension | X | |
Message Type | X | |
Message Version Number | X | |
Notification URL | X | |
Purchase Amount | X | |
Purchase Currency | X | |
Purchase Currency Exponent | X | |
Purchase Date & Time | X | |
Transaction Type | X |
- 3DS REQUESTOR AUTHENTICATION INFORMATION
Data Element | emvco – required | emvco – optional |
3DS Requestor Authentication Method | X | |
3DS Requestor Authentication Timestamp | X |
- 3DS REQUESTOR AUTHENTICATION INFORMATION
Data Element | emvco – required | emvco – optional |
3DS Requestor Prior Transaction Reference | X | |
3DS Requestor Prior Transaction Authentication Method | X | |
3DS Requestor Prior Transaction Authentication Timestamp | X | |
3DS Requestor Prior Transaction Authentication Data | X |
- MERCHANT RISK INDICATOR
Data Element | emvco – required | emvco – optional |
Shipping Indicator | X | |
Delivery Timeframe | X | |
Delivery Email Address | X | |
Reorder Items Indicator | X | |
Pre-Order Purchase Indicator | X | |
Pre-Order Date | X | |
Gift Card Amount | X | |
Gift Card Currency | X | |
Gift Card Count | X |
- CARDHOLDER ACCOUNT INFORMATION
Data Element | emvco – required | emvco – optional |
Cardholder Account Age Indicator | X | |
Cardholder Account Date | X | |
Cardholder Account Change Indicator | X | |
Cardholder Account Change | X | |
Cardholder Account Password Change Indicator | X | |
Cardholder Account Password Change | X | |
Shipping Address Usage Indicator | X | |
Number of Transactions Day | X | |
Number of Transactions Year | X | |
Number of Provisioning Attempts Day | X | |
Cardholder Account Purchase Count | X | |
Suspicious Account Activity | X | |
Shipping Name Indicator | X | |
Payment Account Age Indicator | X | |
Payment Account Age | X | |
Cardholder Account Identifier | X | |
Authentication Method | X | |
Authentication Timestamp | X | |
Cardholder Account Date | X | |
Shipping Address Usage | X |
Transactions outside the scope of SCA:
- Merchant-Initiated Transactions (MIT) and Direct Debits
- Telephone orders or in writing via fax or order form (MOTO)
- Cross-border transactions where either the issuer or the acquirer is not located within the European Economic Area (EEA)
- Purchases using anonymous payment methods, such as anonymous prepaid cards
WE ARE HERE TO HELP
LET’S TALK!
Our Account managers will support you in the process of integrating Digital Payments Solutions to allow the best experience to your future Customers.