Strong Customer Authentication (SCA)€¦ · ‘step up’ & sends notification to registered...
Transcript of Strong Customer Authentication (SCA)€¦ · ‘step up’ & sends notification to registered...
February 19-21, 2019, BerlinFebruary 19-21, 2019, Berlin
Strong Customer Authentication (SCA)Be SCA aware and prepare!
Feb 2019
Martin KoderischEdgar, Dunn & Company – Strategic Payments ConsultingFirst Floor, 3 St Helen’s Place London, EC3A 6ABMobile: +44 7557 536 389Email: [email protected]: www.edgardunn.com/sca
February 19-21, 2019, BerlinFebruary 19-21, 2019, Berlin
75% of 800K European ecommerce merchants may be unaware of PSD2, SCA & EMV 3DS mandate
20% of large Issuers say will decline no-3DS transactions - after SCA effective date
25% of issuers planning a late migration to EMV 3DS
20% abandonment rate if transaction risk analysis exemption not applied
1
2
3
4
…get SCA aware and prepare!
…. timely opportunity to review your payment acceptance strategy!
Recent Mastercard and VISA surveys …..
February 19-21, 2019, BerlinFebruary 19-21, 2019, Berlin
75% of 800K European ecommerce merchants may be unaware of PSD2, SCA & EMV 3DS mandate1
February 19-21, 2019,
Berlin
February 19-21, 2019, Berlin
¡Must be carried out by the account holder’s bank / card issuer
¡Before a payment can be authorised
When and who carries out SCA?
¡ Two factor authentication – anti fraud security to positively identify card holder
¡At least 2 of 3 factors: 1) know i.e. OTP, 2) have i.e. registered device, 3) are i.e. biometric fingerprint
What is SCA procedure?
¡ Four important exemptions applicable to eCommerce transactions
¡ Trusted beneficiaries, Recurring transactions, Low-value and low risk transactions
What are the SCA exemptions?
¡Non EU (one-leg-out), MOTO, Direct Debit & Merchant Initiated Transactions (MIT) & anonymous prepaidWhat is out of scope of SCA?
¡ SCA rules take effect on 14th Sept 2019
¡National law and date will not change (i.e. not a soft mandate)
When do SCA rules apply?
What is Strong Customer Authentication (SCA)….?
¡ 3D Secure is compliant solution for card payments
¡Migration to EMV 3DS is updated 2nd version of the original protocol
Is there a compliant solution?
February 19-21, 2019, BerlinFebruary 19-21, 2019, Berlin
20% of large Issuers say will decline no-3DS transactions - after SCA effective date2
February 19-21, 2019, BerlinFebruary 19-21, 2019, Berlin
What is the SCA flow….?
Merchant Acquirer via gateway
IssuerAuthorisation
request
Issuer3DS request
Merchant must support & be able to make 3DS request
Send auth request to acquirer as usual
Acquirer passes onto issuer flagging
exemptionIssuer may ‘soft
decline’ & step up to SCA via 3DS
Merchant makes 3DS request
Issuer delivers SCA procedure via 3DS
February 19-21, 2019, BerlinFebruary 19-21, 2019, Berlin
EMV 3DS flow starts once customer
confirms payment
Bank decides to ‘step up’ & sends
notification to registered device (1st factor – ‘have’
i.e. phone)
Customer logs into to bank app with fingerprint (2nd
factor – ‘are’ i.e. biometric fingerprint)
Bank app verifies identify, completes SCA
requirements & returns customer to merchant site
User experience
on EMV 3DS
February 19-21, 2019, BerlinFebruary 19-21, 2019, Berlin
25% of Issuers plan late migration to EMV 3DS3
February 19-21, 2019, BerlinFebruary 19-21, 2019, Berlin
EMV 3DS timeline
Merchants must support both 3DS v1 and EMV 3DS (i.e. 3DSv2) in case issuer does not support EMV 3DS in time
April 2019¡ VISA/MasterCard EMV
3DS member mandate via liability shift
20202019
Aug 2018¡ EMV 3DS
launched
14th Sept 2019SCA Effective date
Today 206 Days to go !
2018
Ecosystem unlikely to be fully ready with EMV 3DS by Sept 14th
February 19-21, 2019, BerlinFebruary 19-21, 2019, Berlin
20% abandonment rate if transaction risk analysis exemption not applied4
February 19-21, 2019, BerlinFebruary 19-21, 2019, Berlin
More data for more informed decisioning
Merchants must collect and share data along with risk score with issuer
¡Transaction: Amount, currency, date
¡Account type: Debit / credit
¡Merchant: Merchant ID, Merchant Name, Merchant URL
¡Cardholder: Name, age, addresses, phone number, account number
¡Context: IP address, browser session data, device ID & fingerprint data
¡Agent: 3DS Requestor & Server details
¡Scheme: Directory Server ref. number,
EMV 3DS standard data
attributes
February 19-21, 2019, BerlinFebruary 19-21, 2019, Berlin
Understand impact of SCA, build internal awareness and strategic response
Enrolling & supporting 3DS is a must
Request via 3DS v2 but be ready to use 3DS v1 as a fall back i.e. develop flow to support both
Collect and share data to maximise chance of Low Risk Exemption under TRA
1
2
3
4
…. timely opportunity to review your payment acceptance strategy!
Get SCA aware and prepare!
February 19-21, 2019, BerlinFebruary 19-21, 2019, Berlin
¡ Switch to out of scope Payment methods such as Direct Debit; MOTO¡APMs with more predictable user experience¡Consider more ’click and collect’ if appropriate i.e. physical product merchants
Payment methods
¡ Play for Trusted Beneficiary Exemption i.e. whitelist of trusted merchants ¡Actively encourage/ prompt WL & design into check out flow i.e. during, immediately after, email ¡ Partner with issuers and whitelisting providers
Whitelisting
¡ Find an acquirer that can and will apply TRA exemption ¡ Form bilateral agreements with key issuers – directly or via merchant coalition
Acquirer and Issuer
agreements
¡Consider greater involvement by becoming an authorised PISP with SCA delegated by issuer PISP & delegated SCA
Payment acceptance strategy options
February 19-21, 2019, BerlinFebruary 19-21, 2019, Berlin
Commercial & Technology Strategy in Payments Advice and Support From Edgar, Dunn & Company
§ Awareness raising: C-level workshops and briefings, SCA health checks / actions checklists
§ Business strategy: SCA impact assessment, user experience and conversion rate; SCA exemption policy & strategy; scenario modelling
§ Payment partner management: PSP/acquirers; issuer landscape; 3DS solution provider; fraud monitoring solutions
§ Technology: 3DS payment flows / data capture forms / sizing & scoping / agile dev
§ Resourcing: SCA programme / project management
February 19-21, 2019, BerlinFebruary 19-21, 2019, Berlin
Martin KoderischEdgar, Dunn & Company – Strategic Payments ConsultingFirst Floor, 3 St Helen’s Place London, EC3A 6AB
Mobile: +44 7557 536 389
Email: [email protected]
Web: www.edgardunn.com/sca
Get in touch!