Commonly asked questions about Secure Customer Authentication
Charles Damen, SVP Product Strategy, Cross Border Payments
October 20, 2020
Should we be ready for Secure Customer Authentication by Dec 31 or by the end of October?
Ultimately, it’s important to make sure you are ready by December 31st, but it’s better to be ready by the end of October to avoid network freezes and the peak trading period.
Is the deadline for 3DS2.0 really 31st of Dec - is there any wriggle room?
SCA will be enforced in the EEA from 1 Jan 2021. 3DS1 is SCA compliant and can still be used, but bear in mind that from 1 Jan 2021, Mastercard will be doubling the authentication fees and Visa will be removing the liability shift from October 2021 onwards. It really is important to put 3DS2 on your roadmap this year or beginning of next.
Do you expect issuers to begin using soft declines in Sept 2020 in the UK, or only in the rest of EEA?
No - only in the rest of EEA. Issuers in the UK will start using soft declines from June 2021 onwards.
For OTAs (Online Travel Agents) can the OTA 3DS2 authenticate the total basket value on behalf of all merchants (e.g. Car Hire company, hotel, airline), then provide this authentication to all merchants of record in the chain?
We recommend that the OTA authenticates the full value of the basket while the customer is still in session. In the future there will be a process called 3RI, where the OTA can then generate multiple authentication tokens - one for each sub-merchant - to attach to their subsequent authorisations. However, the exact 3RI specifications are still being worked on by EMVCo and the schemes. In the meantime, the schemes are due to announce workarounds soon, whereby the subsequent merchants of record flag their transactions as MOTO or MIT, to avoid them being declined as they didn't (and couldn't) perform their own authentication.
For Exemption Engine we were advised that issuers are not ready to support exemptions and therefore merchants are not able to utilise the Exemption Engine at this time. Is this still the case as of today?
All European issuers have been mandated to support exemptions by the schemes. Current self-reporting on exemption readiness by issuers is looking good - and is expected to be ~80% by December 31st, 2020. However, there may still be a small number of issuers who are not exemption-ready and will request full authentication. The Exemption Engine is being fed by real-time issuer insights for just this reason - it will pass through an exemption request where it can and route a payment to 3DS where it knows exemptions are not available. One thing to note - authentication, which require 3DS2.2, is much more advanced and many issuers will not be on until early 2021.
We’re a UK merchant that also sells online in Europe, we use Worldpay and another UK based acquirer. If both acquirers are outside of the EEA, does that mean we’re exempt as long as we pass the ‘one leg out’ exemption code, or are there other factors that need to be considered; such as the acquirer determining that SCA authentication needs to take place anyway?
Would a non-UK EEA transaction that is acquired in the UK need to be ready by 31st December 2020?
In this scenario, between 31 December 2020 (EEA enforcement) and 14 September 2021 (UK enforcement), it may be that the UK is considered 'one leg out' and therefore SCA will not be required if you are only using UK-based acquiring BINs. However, this specific point is still subject to ongoing Brexit negotiations, and therefore does not have a clear legal answer. Our advice is to take a risk averse approach and be ready to apply SCA after 31 December whenever you see an EEA issued card. If this is not ultimately required, we will let you know, and you can stand down the process if you wish for a few more months.
Can you provide more background on your recommendation to have merchants implement their SCA solution as early as October 31? Do you believe issuers will enforce SCA prior to December 31?
This is twofold. The October recommendation is simply based on the knowledge that many companies struggle to roll out technical changes in November and December due to code freezes, so the best practice is to be ready early. The second factor will be the increased use of soft declines in certain EEA markets (France, Belgium, Netherlands) from September 2020. This is expected to lead to a steady increase in SCA in those markets earlier than the December deadline, particularly on high risk / high ATV transactions.
How long can a merchant continue to use the static network transaction ID to grandfather MIT transactions for both Visa and MC?
The initial guidance from the schemes was 12 months, but we are seeking a potential extension.
Are you saying that issuers will turn on the SCA mandate on transaction early/Oct 31 because they will not deploy changes during the holiday window, so they need to deploy it early?
The SCA mandate starts from 31 December 2020 onwards - some countries like Netherlands, France, and Belgium will activate soft-declines before that.
Can I send exemption requests via an external 3DS vendor or must I use Worldpay's Flex to do so?
Currently we only offer exemptions on Worldpay traffic, but will be adding an 'exemption advice' feature in 2021, which you could use to instruct a 3rd party.
Is 3DS Flex available on Worldpay hosted pages or just direct integration?
3DS Flex is available both on Worldpay hosted pages and direct integration.
Can open banking be used for B2B payments to replace BACs?
Yes, Open Banking is a bank transfer operating in a similar way to BACs, with faster clearance.
Can you provide more information on soft decline loops, what these are and what a customer would see during the transaction?
A consumer would not see a soft decline themselves. The merchant would receive a specific soft decline response from the issuer (via their PSP) - it is response code 65. If the merchant knows how to interpret these responses in real time and can trigger 3DS/3DS2, all the consumer would see would be the 3DS window appearing, potentially followed by a challenge prompt.
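The flow in this answer, sketched as an added example (not Worldpay's code or API): authorise, trigger 3DS on response code 65, then retry once. The `authorise` and `authenticate` callables, the `"00"` approval code, the retry-once limit and the sample issuers are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

SOFT_DECLINE = "65"  # soft decline response code named in the answer above
APPROVED = "00"      # assumed approval code for this sketch


@dataclass
class AuthResult:
    authenticated: bool
    token: Optional[str] = None  # proof of authentication to attach on retry


@dataclass
class Outcome:
    status: str      # "approved", "declined" or "authentication_failed"
    attempts: int    # number of authorisation requests sent
    used_3ds: bool   # True if the cardholder was sent through 3DS


def pay(authorise: Callable[[Optional[str]], str],
        authenticate: Callable[[], AuthResult]) -> Outcome:
    """Authorise once; on a soft decline run 3DS and retry exactly once.

    authorise(token) returns a response code and authenticate() returns an
    AuthResult. Both are hypothetical stand-ins for the PSP and 3DS calls.
    """
    code = authorise(None)  # first attempt carries no authentication
    if code != SOFT_DECLINE:
        return Outcome("approved" if code == APPROVED else "declined", 1, False)

    auth = authenticate()  # the cardholder sees the 3DS window at this point
    if not auth.authenticated:
        return Outcome("authentication_failed", 1, True)

    code = authorise(auth.token)  # retry carrying the authentication result
    # Assumption: a second 65 is treated as a decline so the flow cannot loop.
    return Outcome("approved" if code == APPROVED else "declined", 2, True)


# Constructed sample issuers, used only to exercise the flow offline.
def issuer_requires_sca(token: Optional[str]) -> str:
    return APPROVED if token else SOFT_DECLINE


def issuer_always_soft_declines(token: Optional[str]) -> str:
    return SOFT_DECLINE
```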
What is the difference between PSD1 and PSD2?
PSD2 introduces many new features over and above PSD1 - with SCA, Open Banking, marketplace regulations, and a ban on surcharging being the most critical.
I'm somewhat confused by PSD1 vs PSD2 as it relates to one-leg-out transactions. I'm understanding that PSD2 adjusts the one-leg-out regulations but I'm not clear about how that now applies to North American companies.
For 'one leg out', the critical components are where the acquirer is located and where the issuer is located. Where the merchant is located (e.g. in North America) is not taken into consideration. If both the acquiring BIN and the issuer BIN are in Europe, then SCA is definitely required. If one of those is outside Europe, then SCA is not required. E.g. If you have an American cardholder buying something on a French website that is acquired in France, then it is one leg out.
As a follow up question to the one-leg-out question, much of the language relates to the processing provider and where they are based. With Worldpay operating in the UK, does this have implications for North American merchants charging in USD?
Not necessarily, as Worldpay has acquiring licenses and acquiring BINs in many countries around the world. We acquire most of our US businesses locally in the US, so this should not pull your payments into scope of SCA. The only caveat to this is if you acquire your European customers locally in Europe, using one of our European acquiring BINs (some customers do this to improve performance and cut cost). In this case the payment would be in scope of SCA - so it all depends on your setup.
Where/how as merchants can we know which version of 3DS issuers are supporting?
Unfortunately, there isn't an easy way of merchants finding this out up-front, but with Worldpay you don't need to. We advise all our 3DS Flex merchants to send all 3DS requests through to us as 3DS2. We will then know in real time if the issuer supports 3DS2 or not. If they do not, we can downgrade the transaction for you in real time and send it as a 3DS1.
It seems that Italy is far from being ready for enforcing SCA, do you believe they might decide locally to postpone the deadline?
Unfortunately not - the European Commission have been very clear that they do not support any further SCA delays in the EEA.
Where should the merchant flag a transaction if it is out-of-scope?
This depends on why it is out of scope. If it's a recurring transaction, an MIT flag needs to be applied. If it's MOTO, it needs a MOTO flag, and if it's out of scope geographically then no flag is needed. Your implementation manager should be able to help analyse which flags are needed.
V2 frictionless flow - how long does it take to complete the payment (from the click to a success message)?
Frictionless flow is just a couple of seconds, as we have on 3DS1 in the past. We are waiting for more volume to go through the protocol before we can properly benchmark.
Could you please discuss the differences between 3DSv2.0 / 2.2 /2.3 against Worldpay's 3DS Flex solution?
We are already live with many 3DS2.2 features. The main upgrades on this version are exemptions in authentication (which will also unlock whitelisting when issuers are ready with it in 2021). It also enabled issuers to offer embedded biometric challenges in the 3DS2 window, and other innovations such as delegated authentication. The main focus of 3DS2.3 is authentication on unusual devices, such as Amazon Alexa, Smart TVs, and video game consoles.
This is an EEA-oriented presentation. Will you deliver a similar one for North America?
The regulation applies to the EEA. If you transact in the EEA with EEA cardholders acquired in the EEA, then SCA will apply to you.
For North American merchants, some of us may be interested in the liability shift virtues connected to 3DSv2 rather than the PSD2/SCA compliance details. Can you talk about liability shift benefits in North America?
The core benefit is protection for you as a merchant. If you complete 3DS/3DS2, and a chargeback is raised, the issuer is liable for that rather than you. If no 3DS is completed, then you would be liable.
We are transitioning to the WP platform in Europe soon; however, we are being told by our current providers that we're already PSD2 compliant while sending very limited data on the transaction. Will this change after 12/31?
It may be the case that you are currently PSD2 compliant by using 3DS1, and you can continue to do this after December 31. However, 3DS1 is very old technology and we are encouraging merchants to upgrade to 3DS2 as quickly as possible. The main drivers are: 1) An improved UX, leading to lower cart abandonment, 2) Lower scheme fees, as Mastercard are doubling their 3DS1 scheme fee in January 2021 (this doubling will not apply to 3DS2), and 3) Visa are removing the liability protection from 3DS1 from October 2021.
Are there any updates you can share on latency improvements for EMV 3DS?
We are currently working with the schemes to get this data, as the volumes are not yet high enough and issuer rollouts are still too early to fully benchmark. As soon as we have data that we can share, we will.
For other questions about 3DS2 and Secure Customer Authentication, please reach out to our payments team who will be happy to assist you.