Under PSD2, strong customer authentication (SCA) is required on all payer-initiated transactions when both the card issuer and acquirer are within the EEA.
If only one of the two parties is within the EEA, SCA is not required, but there may be consequences. A transaction where either the payee or the payer is in a country outside the EEA, such as the US, is called a ‘one-leg’ or ‘one-leg-out’ transaction.
Under the PSD2 directive, these transactions still fall within scope.
Although US consumers are outside the EU/EEA, they can still be affected by SCA when buying from an EEA-based merchant. The directive does not force banks and payment service providers outside the EEA to use strong customer authentication, but it does enforce it on the EEA merchant.
This means that when a consumer in the US initiates a checkout on the website of an EEA merchant, that merchant’s payment service provider will request SCA from the consumer’s bank. If that bank is not compliant, the transaction may fail simply because the issuing bank does not support SCA.
The smart way to handle these situations is for the merchant to apply an SCA exemption. With the exemption in place, the issuer knows that the transaction is exempt from SCA for valid reasons, so the bank is not in breach of compliance, and there is no liability shift towards the issuer for not supporting SCA.
The Strong Customer Authentication mandate is relevant to all merchants doing business with the EEA. Any US business with customers in the EU needs to ensure that its touchpoints are PSD2-compliant and SCA-ready. If you choose not to comply, you run the risk of very high rates of declined payments and failed transaction authentication.
If your online business gets a substantial amount of traffic from the EEA, it is advisable to abide by the mandate and make your touchpoints SCA-compliant.
After working out whether your business is likely to be affected by the PSD2 directive, ensuring SCA compliance should be your first priority. The upside is that approval rates from EEA issuers will go up significantly, by as much as 14%!
Friction should not be a concern. SCA under 3DS 2 is based on a risk-based model which greatly reduces the number of times a challenge is actually issued – the aim is to provide FRICTIONLESS AUTHENTICATION unless the transaction is suspicious or comes from a device or location that does not fit the cardholder. Also bear in mind that EEA consumers are not deterred by SCA; in fact, they expect to see it.
A message flag introduced in 3DS 2 is the ‘soft decline’. Soft declines happen when the issuer declines a transaction because it does not support 3-D Secure (in accordance with the issuer’s SCA compliance). Merchants doing business with the EEA should ensure that they receive this flag in the authorization response so they can understand their decline rates.
If SCA is impossible for a merchant, the merchant should request an SCA exemption, designating the transaction as a one-leg transaction. Without an exemption the issuer has no choice but to decline. 3-D Secure carries the SCA exemption as well as performing actual SCA. Doing nothing will result in declines; one-leg exemptions are established via 3-D Secure.
3-D Secure version 2 is a milestone development in payments and brings in a rich and complex array of options for stopping fraud and uplifting approvals. There are many situations where SCA cannot be performed, such as Merchant Initiated Transactions (MIT), and these are also covered by 3-D Secure.
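The scope rule at the top of this article (both legs in the EEA means SCA, one leg out means an exemption) and the soft-decline handling described just above are easier to reason about as a small routing function. The following is an added example written for this page, not code from the article’s author or from any payment gateway: the route and exemption labels (`"3ds"`, `"authorise"`, `"one_leg_out"`, `"merchant_initiated"`), the `Transaction` shape and the `approved`/`soft_decline` response fields are assumptions to be mapped onto your own processor’s message fields, and the authorization records at the bottom are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

# EEA = the 27 EU member states plus Iceland, Liechtenstein and Norway (ISO 3166-1 alpha-2).
EEA_COUNTRIES = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
})


class ScaScope(Enum):
    BOTH_LEGS_EEA = "sca_required"   # issuer and acquirer both in the EEA
    ONE_LEG_OUT = "one_leg_out"      # exactly one party in the EEA
    OUT_OF_SCOPE = "out_of_scope"    # neither party in the EEA


def sca_scope(issuer_country: str, acquirer_country: str) -> ScaScope:
    """Classify a transaction by where the card issuer and the acquirer are located."""
    issuer_in = issuer_country.upper() in EEA_COUNTRIES
    acquirer_in = acquirer_country.upper() in EEA_COUNTRIES
    if issuer_in and acquirer_in:
        return ScaScope.BOTH_LEGS_EEA
    if issuer_in or acquirer_in:
        return ScaScope.ONE_LEG_OUT
    return ScaScope.OUT_OF_SCOPE


@dataclass
class Transaction:
    tx_id: str
    issuer_country: str
    acquirer_country: str
    payer_initiated: bool = True
    authenticated: bool = False   # True once 3-D Secure (challenge or frictionless) has run


def plan_authentication(tx: Transaction) -> Dict[str, Optional[str]]:
    """Decide the submission route before authorisation.

    Route and exemption labels are hypothetical; map them onto your gateway's own fields.
    """
    if not tx.payer_initiated:
        # Merchant-initiated transactions are outside SCA: flagged, not authenticated.
        return {"route": "authorise", "exemption": "merchant_initiated"}
    scope = sca_scope(tx.issuer_country, tx.acquirer_country)
    if scope is ScaScope.BOTH_LEGS_EEA:
        return {"route": "3ds", "exemption": None}           # full SCA; 3DS 2 decides challenge vs frictionless
    if scope is ScaScope.ONE_LEG_OUT:
        return {"route": "3ds", "exemption": "one_leg_out"}  # exemption is carried in the 3-D Secure message
    return {"route": "authorise", "exemption": None}


def next_action(tx: Transaction, response: Dict[str, bool]) -> str:
    """Interpret an authorisation response (constructed shape: 'approved' and 'soft_decline' booleans)."""
    if response["approved"]:
        return "capture"
    if response.get("soft_decline"):
        if tx.authenticated:
            return "hard_decline"   # already authenticated; do not loop on the issuer
        plan = plan_authentication(tx)
        if plan["route"] == "3ds":
            # Resubmit through 3-D Secure, with the one-leg exemption where it applies.
            return "retry_via_3ds:" + (plan["exemption"] or "full_sca")
    return "hard_decline"


def decline_report(records: List[Dict]) -> Dict[str, Dict[str, int]]:
    """Count approved / soft-declined / hard-declined authorisations per SCA scope."""
    report: Dict[str, Dict[str, int]] = {}
    for rec in records:
        scope = sca_scope(rec["issuer_country"], rec["acquirer_country"]).value
        bucket = report.setdefault(scope, {"approved": 0, "soft_decline": 0, "hard_decline": 0})
        if rec["approved"]:
            bucket["approved"] += 1
        elif rec.get("soft_decline"):
            bucket["soft_decline"] += 1
        else:
            bucket["hard_decline"] += 1
    return report


# Constructed sample authorisation records (not real data).
SAMPLE_RECORDS = [
    {"tx_id": "t1", "issuer_country": "US", "acquirer_country": "DE", "approved": False, "soft_decline": True},
    {"tx_id": "t2", "issuer_country": "US", "acquirer_country": "DE", "approved": True, "soft_decline": False},
    {"tx_id": "t3", "issuer_country": "FR", "acquirer_country": "DE", "approved": False, "soft_decline": True},
    {"tx_id": "t4", "issuer_country": "GB", "acquirer_country": "US", "approved": False, "soft_decline": False},
]

if __name__ == "__main__":
    tx = Transaction("t1", "US", "DE")
    print(plan_authentication(tx))                                   # one-leg-out exemption via 3DS
    print(next_action(tx, {"approved": False, "soft_decline": True}))  # retry through 3DS with the exemption
    print(decline_report(SAMPLE_RECORDS))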
There are many different roads you could take to ensure that you are compliant with SCA. At Endeavour, we have been working with authentication for close to two decades and specialize in ensuring SCA is used to create a win-win situation, where implementing the rules also results in an improved customer experience. This makes the process less like a compliance obstacle and more like an investment in the right direction for your business.