You don't have javascript enabled.

SCA: Five months to go

We’re five months away from the final regulatory deadline set by the Financial Conduct Authority for card issuers, payments firms and online retailers to implement Strong Customer Authentication (SCA). SCA is a regulatory requirement brought in to protect consumers and businesses from fraud, and to make online payments more secure. In practice, it means customers

  • Editorial Team
  • April 27, 2021
  • 5 minutes

We’re five months away from the final regulatory deadline set by the Financial Conduct Authority for card issuers, payments firms and online retailers to implement Strong Customer Authentication (SCA).

SCA is a regulatory requirement brought in to protect consumers and businesses from fraud, and to make online payments more secure. In practice, it means customers will no longer be able to check out using solely their credit or debit card details. They will also need to provide an additional form of identification such as a PIN code, a fingerprint or a passcode sent to their mobile phones to verify their identities. This is known as two-factor authentication and is enabled through what is also known as 3D Secure (3DS).

Upcoming deadline

The past year has been incredibly challenging for merchants and as a result, the implementation of SCA may have taken a backseat – but time is running out.

Whilst the regulatory deadline is September 14 SCA will be introduced by UK banks gradually from June 1 for UK online transactions. From this date, all transactions that are not SCA compliant could be declined, meaning revenue loss for those that haven’t prepared.

Businesses with customers in Europe have already had to ramp up their preparation from January 1 under the European Banking Authority deadlines. This European roll-out has revealed some common industry teething issues, resulting in many avoidable payment declines, which the UK market needs to learn from as it approaches its own deadline.

As early as June 1, UK issuers will start carrying out checks to ensure e-commerce transactions are SCA compliant, and any non-compliant transactions will be “soft-declined”. This means authorisation could be rejected and to be re-routed to 3D Secure (3DS) to complete the cardholder verification.

It’s therefore vital that UK merchants use this time to set up and live test their systems with the reassurance that before September 14 payments will only be soft-declined, giving them the opportunity to implement correct SCA requirements.

So, what should merchants be focusing on between now and the September deadline?

  1. Prepare for the practical deadline (June 1)

Whilst the regulatory deadline is September 14, UK Issuers are expected to introduce the active authentication more between now and Sept. In addition, non-compliant transactions are expected to be stopped from June 1. Therefore, e-merchants without 3D Secure capabilities must first switch it on – don’t leave it until September.

  1. Start using an upgraded version of 3DS (version two)

Firstly, merchants need to upgrade to version 2.1 of 3DS or above. This new version offers improvements in both the user experience and data. It’s designed for a better checkout experience through mobile devices, such as a phone app. It also allows the card issuer to collect more accurate data and prevent fraud more effectively over time.  

Many have had concerns that the approval rate for version two is to be lower than version one. However, the latest data showed consistently that both versions’ approvals have reached parity. In some regions, version two even yields better results. Put simply, the upgrade is worth the investment.

  1. Use wisely

By design, two-factor authentication adds friction into the customer journey.  Automatically routing all transactions through 3DS could therefore have a sub-optimal impact on conversion and may result in fewer purchases.

Our advice is to use 3DS selectively for those transactions which carry a higher risk. Some payment providers can help merchants distinguish between low and high-risk transactions to ensure that only the higher-risk transactions are put through SCA.

  1. Take advantage of SCA approved exemptions

Businesses need a clear strategy, taking advantage of SCA-approved “exemptions” to balance fraud protection against their customer experience, to minimise friction and disruption to customer journeys. As part of that, they need to be clear on which exemptions they ought to use, and work with their acquirer and gateway partners to deliver them. Often exemptions can be used for multiple merchant channels and use cases – optimisation is the key.

To help businesses prepare for the changes required by SCA, Barclaycard Payments launched Transact, a suite of tools designed to improve payment acceptance rates and reduce friction for shoppers. We’ve also partnered with leading AI-driven fraud prevention solution Kount to develop Transact’s state-of-the-art fraud protection module which will allow users to risk-assess transactions to determine whether they qualify for low-risk exemptions.

  1. Flag transactions correctly

SCA does not need to be applied to “out of scope” transactions. These include recurring payments, such as subscriptions. Unless the merchant flags that a transaction is out-of-scope (and why), the issuer may automatically assume that it’s in-scope, and request the SCA authentication, which could result in the transaction being unnecessarily declined.

Analysis showed between 10 percent – 20 percent of CNP (card-not-present) payments are eligible for Merchant Initiated Transactions (MIT) but less than half are indicated correctly and, therefore, are at risk of declines. For this reason, it’s imperative that merchants ensure they have properly flagged “out-of-scope” transactions.

  1. Test and resolve “teething” issues now

The European ramp up revealed that many declines were the result of simple logistical issues. One of the most urgent issues is that some merchants believed their SCA solutions are set up. However, their soft decline handling capability is not switched on, or 3DS is not activated.

Moreover, as 3DS version two introduces more data, a more thorough validation is performed by the Issuers. Some of the most common errors include wrong data format or missing key data points, which have led to both higher errors and challenge rates. All of these are preventable.

As the deadline fast approaches, compliance is key to ensure businesses do not experience significant loss of revenue opportunities as a result of SCA. Businesses can still prevent this from happening, but preparation must accelerate now. SCA should be a business-critical priority for eCommerce.


For more information, please click here: