With PSD2 now live in most European countries, being 5 months past the December 31, 2020 deadline, the UK is next, as the deadline for March 2022 is approaching. In order for the cardholder and merchant to properly adopt additional authentication without abandoning the transaction, the main focus is eliminating as much friction as possible. Testing data¹ from merchants such as Amazon, Google and Microsoft has shown that although Strong Customer Authentication has been enabled for most of the UK ecosystem, it is still grappling with several issues. Examples of this are relying on Risk Based Authentication for lower challenge rates, issuer readiness on latest protocols, issuer latency and lastly confusion on what exemptions to properly utilize.
Issuer readiness and stability
In order for a transaction to be compliant and successful the Issuer and Acquirer domain both need to enable SCA and apply the 3DS2 protocol. Due to the mandated adoption of 3DS 2, UK issuers have seen an increase in 3DS 2 transactions into their platform. This is adding challenges when it comes to response times, scalability and stability. The data on Netcetera’s platform is in line with the schemes reporting an increasing number of 3DS2 transactions and this will only increase once the UK goes fully live. This is likely to put additional strain on Access Control Server (ACS) providers and lead to potential outages.
A reason for these outages can be attributed to some ACSs lacking major overhaul and scalability since 3DS was introduced in 2000. Changes made in the last 21 years to the protocol have been added onto what are now archaic systems lacking flexibility. As a result of these outages large merchants have reported looking to the schemes stand-in service as alternatives to ensure transactions are not affected. This however comes at additional cost and is not widely implemented, therefor this can merely be a temporary workaround that lacks sustainability.
Navigating the exemption jungle
Up until now merchants have benefitted from the UK ecosystem using sophisticated Risk Based Authentication which allowed them to keep challenge rates to cardholders low. With the pending deadline this is not an option anymore as bypassing SCA will lead to higher declines on transactions from issuers.
Now that the increasing volumes have brought the first issues to light, it would benefit merchants and acquirers to look at SCA exemptions based on their portfolio of cardholders and customers to eliminate friction to the cardholder where it is not needed.
SCA exemptions are defined based on the level of risk, amount, recurrence and the payment channel used for the execution of the payment. These exemptions allow PSPs to achieve the right balance between convenience of the payment experience and fraud reduction.
Data from Netcetera on SCA exemptions so far show that Transaction Risk Analysis and Low Value Payments are the most adopted² (87% for TRA and 11% on Low Value according to Netcetera figures) and it will be interesting to see the impact of further exemptions introduced in version 3DS 2.2 such as recurring transactions, merchant whitelisting and delegated authentication.
The road ahead
With Brexit in the rear-view mirror and the world looking to get back to normal there is an added incentive to ensure issuers, acquirers and merchants are ready come September. Sectors that rely heavily on ecommerce such as travel and hospitality will also look to benefit from 3DS 2.x. The key differentiator in readiness is defined as having the motor running or to have it finely tuned for maximum performance. A prime example of this would be exemptions being enabled on the issuer and acquirer side to see proper results in successful transactions.
Now more than ever, the results in testing have exposed a need for 3DS solutions to be flexible and modular in order to fit into a hierarchy of existing fraud strategy and authentication providers. Initially this would be an investment but is more sustainable than dealing with fraud, scheme fines or an abnormal rate of declines.
1 D. Jordaan, SCA Performance - April 2021, Available at: https://www.linkedin.com/pulse/sca-performance-april-2021-dean-jordaan?trk=public_profile_article_view
2 Netcetera (2021), Webinar: PSD2 SCA being effective - First results,observations and recommendations, Available at: https://pnt.netcetera.com/20210324_PSD2_results