At a recent Cybersource webinar on PSD2 SCA, we answered merchants' pressing questions around three core themes: avoiding SCA declines; optimizing SCA exemptions; and understanding SCA-related fraud trends.
This blog summarizes the answers; you can also view the full webinar, including the Q&A session.
1. How can my business avoid SCA declines?
Now that the strong customer authentication (SCA) requirement of the EU's revised Payment Services Directive (PSD2) has been enforced across the EEA and U.K., merchants are keen to understand how to minimize soft declines by issuers.
Soft declines typically occur when the issuer determines the transaction did not meet the necessary requirements for SCA and the order should have been stepped up for authentication. In these cases, once authentication has taken place, the merchant can resubmit the transaction for authorization—as long as they're using the latest version of 3-D Secure, EMV® 3DS. If the merchant can't resubmit the transaction (perhaps because they're still using 3DS version 1), the order may be lost.
To prevent soft declines, merchants should ensure they use the correct challenge indicator, 04 (which signals that a local or regional mandate requires a challenge to be performed), when appropriate.
Soft declines can be a particular problem when Merchant Initiated Transactions (MITs), such as subscription payments, aren't correctly flagged, as they can't easily be re-presented to the customer for authentication. To prevent soft declines of MITs, the initial order must be flagged with the 04 challenge indicator, and subsequent orders must carry:
- The stored transaction ID from the initial set-up transaction (or a previous MIT)
- The indicator identifying the MIT type
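The flagging rules above can be checked before a payment is submitted. The following is an added example, not Cybersource code: the `Payment` fields, the `kind` values and the sample orders are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

MANDATE_CHALLENGE = "04"  # challenge indicator named in the text above


@dataclass
class Payment:  # hypothetical record, not a gateway API object
    order_id: str
    kind: str                                  # "setup", "mit" or "one_off"
    threeds_version: Optional[str] = None      # e.g. "1.0.2" or "2.2.0"
    challenge_indicator: Optional[str] = None
    stored_transaction_id: Optional[str] = None
    mit_type: Optional[str] = None             # e.g. "recurring"


def soft_decline_risks(p: Payment) -> list:
    """Return the flagging gaps that the text says lead to soft declines."""
    risks = []
    if p.kind == "setup" and p.challenge_indicator != MANDATE_CHALLENGE:
        risks.append("initial order lacks challenge indicator 04")
    if p.kind == "mit":
        if not p.stored_transaction_id:
            risks.append("missing stored transaction ID")
        if not p.mit_type:
            risks.append("missing MIT type indicator")
    # A customer-present order can be authenticated and resubmitted after a
    # soft decline only when EMV 3DS (version 2.x) is in use.
    if p.kind != "mit" and not (p.threeds_version or "").startswith("2."):
        risks.append("cannot resubmit after soft decline without EMV 3DS")
    return risks


def audit(payments):
    """Map order_id -> risks, for payments that have at least one risk."""
    found = {p.order_id: soft_decline_risks(p) for p in payments}
    return {oid: r for oid, r in found.items() if r}


# Constructed sample data.
SAMPLE = [
    Payment("S-1", "setup", "2.2.0", "04"),
    Payment("S-2", "setup", "1.0.2"),
    Payment("M-1", "mit", stored_transaction_id="TXN-PLACEHOLDER", mit_type="recurring"),
    Payment("M-2", "mit"),
]

if __name__ == "__main__":
    for order_id, risks in audit(SAMPLE).items():
        print(order_id, "->", "; ".join(risks))
```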
2. How do I optimize SCA exemptions?
During the webinar we highlighted a number of SCA exemptions that can have the most impact on reducing friction for customers.
Transaction risk analysis (TRA) — which relates to low-risk transactions — is a great starting point. Merchants must gain agreement from their acquirers to use the TRA exemption, which can be:
- Requested during authentication or authorization
- Applied to transactions up to €500/£440 (but some acquirers' and issuers' upper limits may be lower than this)
The acquirer or issuer decides if a transaction is low risk and doesn't need to be challenged. Obviously, a merchant wishing to use TRA must keep their fraud rates low, so it's worth working with a fraud management solution provider like Cybersource that has proven results.
The low-value exemption (transaction under €30/£25) is another one that merchants may wish to explore—and you don't need acquirer agreement to use it. Once a card accumulates five transactions or reaches a cumulative value of €100/£85, the issuer may overrule the low-value exemption and request an SCA challenge.
As a merchant you should analyze your own transactions to understand which exemptions would be most worthwhile for your business. For example, the low-value exemption could be useful if your orders are mostly for modest sums, such as delivery pizzas; while the TRA exemption could be more suitable if you're a luxury goods retailer with a community of loyal customers.
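One way to run that analysis over your own order history, as an added example that is not from the webinar or from Cybersource: it applies the euro thresholds quoted above to a constructed order list. It assumes the merchant only sees its own transactions on each card (the issuer's counters may be higher) and that the low-value counters reset once SCA is performed.

```python
from collections import Counter, defaultdict
from decimal import Decimal

LOW_VALUE_MAX = Decimal("30")          # EUR per-transaction limit from the text
LOW_VALUE_COUNT = 5                    # transactions before the issuer may step up
LOW_VALUE_CUMULATIVE = Decimal("100")  # EUR cumulative limit from the text
TRA_MAX = Decimal("500")               # EUR upper bound; acquirer cap may be lower


def plan_exemptions(orders, tra_agreed=False, tra_cap=TRA_MAX):
    """Label each (card, amount_eur) order as low_value, tra or sca."""
    count = defaultdict(int)      # low-value exemptions per card since last SCA
    total = defaultdict(Decimal)  # low-value EUR per card since last SCA
    plan = []
    for card, amount in orders:
        amount = Decimal(str(amount))
        low_ok = (amount < LOW_VALUE_MAX
                  and count[card] < LOW_VALUE_COUNT
                  and total[card] + amount <= LOW_VALUE_CUMULATIVE)
        if low_ok:
            count[card] += 1
            total[card] += amount
            plan.append("low_value")
        elif tra_agreed and amount <= min(tra_cap, TRA_MAX):
            plan.append("tra")
        else:
            # SCA performed: counters restart (assumption of this sketch).
            count[card], total[card] = 0, Decimal("0")
            plan.append("sca")
    return plan


def summarize(orders, **kwargs):
    """Count how many orders fall under each outcome."""
    return Counter(plan_exemptions(orders, **kwargs))


# Constructed sample: card A hits the five-transaction limit, card B hits the
# cumulative limit, card C is a single high-value order.
ORDERS = [("A", 12), ("A", 18), ("B", 29), ("A", 25), ("B", 29), ("C", 450),
          ("A", 22), ("B", 29), ("A", 20), ("B", 29), ("A", 15)]

if __name__ == "__main__":
    print("no TRA agreement:", dict(summarize(ORDERS)))
    print("TRA up to 500:   ", dict(summarize(ORDERS, tra_agreed=True)))
    print("TRA capped at 250:", dict(summarize(ORDERS, tra_agreed=True,
                                               tra_cap=Decimal("250"))))
```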
Trusted beneficiary lists may be part of the overall future of SCA exemptions. A customer whose bank or card issuer supports this feature may be able to add merchants to a personal trusted list (or white list) of beneficiaries.
3. How has fraud shifted since SCA came into force?
Naturally, merchants had questions about changes in fraud patterns since SCA came into force. The key trends we think merchants should be aware of include increased fraud on transaction types that are out of scope for SCA, namely:
- Transactions in the mail order/telephone order (MOTO) channel
- One-leg-out (OLO) transactions (where the issuer or acquirer is outside the EEA or U.K.)
- Transactions using anonymous pre-paid payment cards
In addition, there's been a rise in SIM swapping (also known as SIM-jacking) attacks, which allow fraudsters to intercept text messages containing the one-time passwords (OTPs) that are widely used in SCA.
For more about SCA-related fraud trends, see our blog "Outsmarting fraudsters as they adapt to PSD2 SCA."
You should also maintain a robust strategy for dealing with first-party (or friendly) fraud, as SCA only covers you for fraud-coded chargebacks when it comes to the liability shift. With other reason codes, such as non-receipt or mis-selling of goods, the liability shift doesn't apply. For helpful information on combating first-party fraud, see the Cybersource Global Fraud and Payments Report 2022.
By all accounts, the rollout of PSD2 SCA appears to have gone relatively smoothly, and a reduction in fraud rates has been observed.[1] It's conceivable that similar legislation could be introduced in other regions in the future, with a view to delivering comparable outcomes for merchants and consumers.
To learn more about PSD2 SCA, and to download our guide to SCA exemptions, visit our PSD2 SCA resources page.
[1] "The Long and Winding Road to SCA," The Payments Association, December 2021