Table of Contents
- Introduction and background
- Why is SCA needed?
- Timetable for introduction
- Where SCA applies
- What does it mean for card-present transactions?
- What does SCA mean for ecommerce?
- What do I need to do to be ready for SCA?
Introduction and background
The EU Payments Services Directive (PSD2) brought in new laws in January 2018 to improve consumer rights and reduce many kinds of payment fraud. An important element of PSD2 is the introduction of additional authentication of transactions, known as Strong Customer Authentication (SCA). This is commonly known as 2-factor authentication.
It applies to all types of electronic payment transactions, although we’re mainly concerned with cards. For certain transactions using a card or smartphone, the cardholder will need to provide additional identification. This could be in the form of a PIN, an answer to a personal question, a one-time passcode sent to a device such as a mobile (which proves possession of that trusted device), or a biometric such as face recognition or fingerprint.
For online (ecommerce) card transactions, the means of achieving SCA will generally be through the use of EMV® 3-D Secure Version 2 (3DS2) or other methods that provide a second factor of authentication, such as Google Pay or Apple Pay. This supersedes 3-D Secure Version 1 (3DS1), which was introduced in 2001. Although 3DS2 is the preferred method for 3-D Secure in ecommerce, PSD2 does not mandate how SCA is performed, and since 3DS1 provides a second factor of authentication it is also compliant with PSD2 guidelines.
Why is SCA needed?
Payment fraud losses overall have continued to rise over the past decade, after the drop brought about by Chip and PIN in the early 2000s. This increase has mainly been in the area of ecommerce and card-not-present (CNP), although the convenience of EMV contactless transactions has also been seized upon by criminals as a fraud vector. The European Banking Authority intervened by placing SCA requirements on participants to reduce fraud, as one of the core components of PSD2.
Timetable for introduction
The original enforcement deadline for SCA in ecommerce was 14th September 2019.
The Financial Conduct Authority (FCA) in the UK agreed to delay the enforcement of SCA until 14th September 2021. However, to avoid a cliff-edge implementation by enforcement date, SCA will be introduced gradually (SCA Ramp Up) in the UK from 1st June 2021.
If you use a UK acquiring bank and only accept payments from UK cardholders, you need to implement SCA by 31st May 2021. You should be aware that card issuers will begin to randomly challenge transactions under the SCA requirements from 1st June 2021, and non-compliant transactions will be soft-declined.
If you use a UK acquirer and accept payments from cardholders within the European Economic Area (EEA), you must implement SCA by 31st December 2020.
However, some issuing banks have already started soft declining payments (in other words, not authorising the transactions without SCA) in preparation for this deadline, so we recommend you support SCA as soon as possible to avoid any potential issues.
Where SCA applies
Merchants in the UK and Europe
SCA is applicable to transactions in the EEA and the UK only, where both payer and payee are in the region. When either the acquirer or the issuer is based outside the EEA, this is referred to as a ‘One Leg Out’ (OLO) transaction and it is out of scope of SCA.
Merchants in the US or elsewhere outside the UK and Europe
Where a US merchant uses a UK or EEA acquirer for a particular reason, SCA will be applied to transactions made by cardholders using UK or EEA issued cards and the merchant will need to support 3DS or a similar alternative solution. SCA will not apply to transactions made by cardholders with US issued cards in this circumstance though, as that would be classed as ‘One Leg Out’ (OLO) so out of scope of SCA.
What does it mean for card-present transactions?
For card-present transactions, SCA is going to bring in “soft declines”. This is where the issuer of the cardholder’s card sends back, in the authorisation result, an instruction to prompt for PIN entry. So you could tap your card, see it go online, and then have the device ask you to insert your card and enter your PIN. Also, we’re going to see fewer instances where devices without PIN pads are allowed to be deployed. Only unattended terminals for passenger transport fares, road tolls, and parking fees will remain exempt. In the UK, contactless charitable donations also benefit from an exemption from SCA. Devices without PIN pads that are already deployed in non-exempt usage will start to see higher levels of declines because they aren’t able to handle the request to prompt for strong cardholder authentication. From a cardholder’s perspective, the only option in this situation is to try another card.
What does SCA mean for ecommerce?
Online shoppers will see more challenges for authentication to prove they actually are the card owner. With 3DS1, issuers typically require a password to be entered to verify the transaction.
3DS2 is far more sophisticated and improves the checkout experience compared to 3DS1. It can use over 100 data elements (such as the customer’s shipping address, device fingerprint, and payment history) sent to the issuer to assess the risk level of the transaction. This all takes place behind the scenes within the checkout process, meaning a smoother, more secure payment flow. Based on this data, the issuer will either authorise the payment (frictionless flow) or “step up” to a two-factor authenticated transaction by challenging the cardholder to provide additional information to authenticate the transaction by, for example, entering a one-time passcode sent to their mobile device.
Not all transactions will require additional authentication. PSD2 provides a number of exemptions to SCA, to minimise friction in customer payment journeys. Those relevant to NMI customers are:
- Low value exemption
- Specific MCC exemption
- Recurring payment exemption
- Whitelisting (or trusted beneficiary) exemption
- Mail order / Telephone order (MOTO)
Low value exemption
Card transactions below €50 are considered low value and are generally exempt from SCA. However, if the customer initiates more than five consecutive low value payments, or if the total value of those payments exceeds €100, SCA will be required.
Specific Merchant Category Code (MCC) exemption
Unattended transactions from MCCs 7523 (Parking), 4784 (Road and Bridge Tolls) and 4111 (Passenger Transportation Ticketing) are exempt from SCA. In the UK, contactless charity donations from MCC 8398 (Charities) are also exempt from SCA.
Recurring payment exemption – e.g. subscription (Merchant Initiated Transactions)
A series of payments of the same value to the same merchant (such as subscriptions and membership fees) is exempt after the initial set up. The initial setup of the recurring payment will still require authentication (and the transaction must be flagged to the issuer as a “Card-on-File” authorisation), but all subsequent transactions will be exempt.
Payments that are made periodically to the same payee, but where the value changes each time (e.g. a utility bill), will not benefit from the exemption.
Whitelisting (or trusted beneficiary)
Cardholders will have the option to ‘whitelist’ a merchant they trust. After the first authentication is completed, they can request that the trusted merchant be added to their record with their issuer. Subsequent transactions with whitelisted merchants are likely to be exempt from future authentication. Issuers can still reject this request if the cardholder is thought to be a high fraud risk.
In a card-present scenario, the convenience of contactless at point-of-sale would remain for low value transactions (less than €50). Chip and PIN is still common practice in the EEA for values above €50.
Mail order / telephone order (MOTO) transactions
These are outside the scope of SCA.
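The scope rule (“Where SCA applies”) and the exemptions listed above are, in practice, a decision a merchant system makes before it decides whether to request 3DS2 or a PIN prompt. The following is an added example, not NMI code or part of this page: a merchant-side pre-check in Python that applies the One Leg Out rule, the MOTO exclusion, the MCC, recurring, whitelisting and low value exemptions, and tracks the “five consecutive payments / €100 cumulative” limits of the low value exemption per card. The thresholds and MCCs come from the page; the field names, the order of the checks and the per-card counter object are assumptions made for this example. In reality the issuer keeps the authoritative counters and has the final say on every exemption, so this check only decides what the merchant should claim.

```python
"""Added example (not NMI code): merchant-side PSD2 SCA scope and exemption pre-check.
Field names, check order and the per-card counters are assumptions for this example."""
from dataclasses import dataclass

# ISO 3166-1 alpha-2 codes for the EEA plus the UK. SCA applies only when both
# issuer and acquirer are in this set; anything else is a "One Leg Out" transaction.
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
       "HU", "IS", "IE", "IT", "LV", "LI", "LT", "LU", "MT", "NL", "NO", "PL",
       "PT", "RO", "SK", "SI", "ES", "SE"}
SCA_REGION = EEA | {"GB"}

LOW_VALUE_LIMIT = 50.0          # EUR: a transaction "below EUR 50" is low value
LOW_VALUE_CUMULATIVE = 100.0    # EUR: cumulative low value total allowed since last SCA
LOW_VALUE_MAX_COUNT = 5         # consecutive low value payments allowed since last SCA
UNATTENDED_EXEMPT_MCCS = {"7523", "4784", "4111"}   # parking, tolls, passenger transport
UK_CHARITY_MCC = "8398"                             # contactless donations, UK only


@dataclass
class CardholderSession:
    """Counters a merchant keeps per card for the low value exemption (assumed design)."""
    low_value_count: int = 0
    low_value_total: float = 0.0

    def record_sca(self):
        """A completed SCA challenge resets both counters."""
        self.low_value_count = 0
        self.low_value_total = 0.0


@dataclass
class Transaction:
    amount_eur: float
    issuer_country: str
    acquirer_country: str
    mcc: str
    channel: str                       # "ecommerce", "card_present" or "moto"
    unattended: bool = False
    contactless: bool = False
    fixed_value_series: bool = False   # same value, same merchant (e.g. subscription)
    initial_in_series: bool = False    # the first payment that sets the series up
    whitelisted: bool = False          # cardholder has whitelisted this merchant


def in_scope(tx):
    """SCA applies only when issuer and acquirer are both in the UK/EEA."""
    return tx.issuer_country in SCA_REGION and tx.acquirer_country in SCA_REGION


def decide(tx, session):
    """Return (needs_sca, reason). Updates the session counters when the low value
    exemption is claimed; the caller calls session.record_sca() after a successful
    challenge so the counters restart."""
    if not in_scope(tx):
        return False, "one_leg_out"
    if tx.channel == "moto":
        return False, "moto_out_of_scope"
    if tx.unattended and tx.mcc in UNATTENDED_EXEMPT_MCCS:
        return False, "unattended_mcc_exemption"
    if tx.contactless and tx.mcc == UK_CHARITY_MCC and tx.acquirer_country == "GB":
        return False, "uk_charity_exemption"
    if tx.initial_in_series:
        # Setting up a recurring series always needs SCA (and a Card-on-File flag).
        return True, "initial_recurring_setup"
    if tx.fixed_value_series:
        return False, "recurring_exemption"
    if tx.whitelisted:
        return False, "trusted_beneficiary_exemption"
    if tx.amount_eur < LOW_VALUE_LIMIT:
        count = session.low_value_count + 1
        total = session.low_value_total + tx.amount_eur
        # More than five consecutive payments, or a total exceeding EUR 100, ends the run.
        if count > LOW_VALUE_MAX_COUNT or total > LOW_VALUE_CUMULATIVE:
            return True, "low_value_limits_exceeded"
        session.low_value_count, session.low_value_total = count, total
        return False, "low_value_exemption"
    return True, "sca_required"


def run_series(amounts, session=None, **tx_fields):
    """Drive a sequence of in-scope UK ecommerce payments (constructed input) through
    decide(), assuming every challenge succeeds, and return the reason for each."""
    session = session or CardholderSession()
    base = dict(issuer_country="GB", acquirer_country="GB", mcc="5999", channel="ecommerce")
    base.update(tx_fields)
    results = []
    for amount in amounts:
        needs_sca, reason = decide(Transaction(amount_eur=amount, **base), session)
        results.append(reason)
        if needs_sca:
            session.record_sca()
    return results


if __name__ == "__main__":
    print(run_series([20] * 6))        # five exempt payments, then the sixth is challenged
    print(run_series([45, 45, 45]))    # the third pushes the cumulative total past EUR 100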
What do I need to do to be ready for SCA?
From the announcement of PSD2 SCA in 2017, NMI have been actively involved with industry discussions and have been updating our systems and the Software Development Kits (SDKs) that we make available to merchants and distributors, as the programme has advanced.
For card-present terminals:
For systems using ChipDNA POS SDKs, version 2.19 or above needs to be installed (version 2.20 if terminals need to support online PIN in certain EU countries), as this will handle SCA for supported devices.
For merchants that have integrated ChipDNA Direct, we recommend using the latest versions for up to date SCA handling. For further information, see: EMV Card Present - Soft Decline SCA Flow
If your equipment uses payment devices that do not have a PIN pad to allow SCA, and you start to see increased numbers of soft declines, there are a number of options available:
- Provide signage or instructions to cardholders to try another card in the event that their first is declined.
- Encourage the use of Apple Pay and Google Pay, since these payment methods do authenticate the payer through a secondary, usually biometric, means.
- If your equipment is on an exempt MCC, such as parking or tolls, contact your acquirer and raise a support case, as transactions should be getting flagged to issuers as SCA exempt.
- Speak with your terminal provider or NMI account manager to discuss payment devices supporting PIN.
The NMI hosted payment page (formerly eKashu) is prepared for 3DS2 and no changes to the merchant’s implementation are required. Certifications of 3DS2 are currently in progress with all of our major processors; please contact your account manager for an update on the status of your processor of choice.
For merchants that have integrated ChipDNA Direct or the XML protocol and use the 3-D Secure Merchant Plug In (MPI), an update to this will be available soon.
We currently support version 2.1.0 of the 3-D Secure 2 protocol.
For questions or support concerning preparation for SCA please contact NMI Customer Support on firstname.lastname@example.org