Strong Customer Authentication (SCA)

February 19-21, 2019, Berlin Strong Customer Authentication (SCA) Be SCA aware and prepare! Feb 2019 Martin Koderisch Edgar, Dunn & Company – Strategic Payments Consulting First Floor, 3 St Helen’s Place London, EC3A 6AB Mobile: +44 7557 536 389 Email: [email protected] Web: www.edgardunn.com/sca


Recent Mastercard and VISA surveys…

1. 75% of 800K European ecommerce merchants may be unaware of PSD2, SCA & EMV 3DS mandate
2. 20% of large issuers say they will decline no-3DS transactions - after SCA effective date
3. 25% of issuers planning a late migration to EMV 3DS
4. 20% abandonment rate if transaction risk analysis exemption not applied

…get SCA aware and prepare!

…timely opportunity to review your payment acceptance strategy!


1. 75% of 800K European ecommerce merchants may be unaware of PSD2, SCA & EMV 3DS mandate


What is Strong Customer Authentication (SCA)?

When and who carries out SCA?

• Must be carried out by the account holder’s bank / card issuer
• Before a payment can be authorised

What is SCA procedure?

• Two factor authentication – anti fraud security to positively identify card holder
• At least 2 of 3 factors: 1) know i.e. OTP, 2) have i.e. registered device, 3) are i.e. biometric fingerprint

What are the SCA exemptions?

• Four important exemptions applicable to eCommerce transactions
• Trusted beneficiaries, Recurring transactions, Low-value and low risk transactions

What is out of scope of SCA?

• Non EU (one-leg-out), MOTO, Direct Debit & Merchant Initiated Transactions (MIT) & anonymous prepaid

When do SCA rules apply?

• SCA rules take effect on 14th Sept 2019
• National law and date will not change (i.e. not a soft mandate)

Is there a compliant solution?

• 3D Secure is a compliant solution for card payments
• Migration to EMV 3DS, the updated 2nd version of the original protocol


2. 20% of large issuers say they will decline no-3DS transactions - after SCA effective date


What is the SCA flow?

[Diagram: authorisation request from merchant to acquirer (via gateway) to issuer; 3DS request to issuer]

• Merchant must support & be able to make 3DS request
• Send auth request to acquirer as usual
• Acquirer passes onto issuer flagging exemption
• Issuer may ‘soft decline’ & step up to SCA via 3DS
• Merchant makes 3DS request
• Issuer delivers SCA procedure via 3DS
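
The flow on this slide, as an added example that is not part of the original deck: a small Python simulation of the merchant's side, covering the exemption-flagged authorisation, the issuer's soft decline and the step-up via 3DS, with the v2-then-v1 fallback the deck recommends elsewhere. The Issuer class, its fields and the result names are constructed for illustration and do not correspond to any scheme or gateway API.

```python
from dataclasses import dataclass
from enum import Enum

class AuthResult(Enum):
    APPROVED = "approved"
    SOFT_DECLINE = "soft_decline"   # issuer wants SCA before it will authorise
    DECLINED = "declined"

@dataclass
class Issuer:
    """Constructed stand-in for an issuer; not a real scheme API."""
    accepts_exemption: bool          # does the issuer honour the flagged exemption?
    supports_emv_3ds: bool           # has the issuer migrated to EMV 3DS (v2)?
    cardholder_passes_sca: bool = True

    def authorise(self, exemption, authenticated):
        if authenticated or (exemption and self.accepts_exemption):
            return AuthResult.APPROVED
        return AuthResult.SOFT_DECLINE

    def run_3ds(self, version):
        if version == 2 and not self.supports_emv_3ds:
            raise NotImplementedError("issuer not ready for EMV 3DS")
        return self.cardholder_passes_sca

def merchant_checkout(issuer, exemption="TRA"):
    """Return (result, trace) for one payment, following the slide's steps."""
    trace = [f"auth request flagged exemption={exemption}"]
    result = issuer.authorise(exemption, authenticated=False)
    if result is not AuthResult.SOFT_DECLINE:
        return result, trace
    trace.append("soft decline: step up to SCA via 3DS")
    for version in (2, 1):           # request via v2, keep v1 as fallback
        try:
            passed = issuer.run_3ds(version)
        except NotImplementedError:
            trace.append(f"3DS v{version} unavailable")
            continue
        trace.append(f"3DS v{version} SCA {'passed' if passed else 'failed'}")
        if not passed:
            # Design choice in this example: fall back only when v2 is
            # unavailable, never to retry a failed authentication on v1.
            return AuthResult.DECLINED, trace
        return issuer.authorise(None, authenticated=True), trace
    return AuthResult.DECLINED, trace
```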


User experience on EMV 3DS

• EMV 3DS flow starts once customer confirms payment
• Bank decides to ‘step up’ & sends notification to registered device (1st factor – ‘have’ i.e. phone)
• Customer logs into bank app with fingerprint (2nd factor – ‘are’ i.e. biometric fingerprint)
• Bank app verifies identity, completes SCA requirements & returns customer to merchant site


3. 25% of issuers plan late migration to EMV 3DS


EMV 3DS timeline

• Aug 2018: EMV 3DS launched
• April 2019: VISA/MasterCard EMV 3DS member mandate via liability shift
• 14th Sept 2019: SCA effective date
• Today: 206 days to go!

Merchants must support both 3DS v1 and EMV 3DS (i.e. 3DSv2) in case issuer does not support EMV 3DS in time

Ecosystem unlikely to be fully ready with EMV 3DS by Sept 14th


4. 20% abandonment rate if transaction risk analysis exemption not applied


More data for more informed decisioning

Merchants must collect and share data along with risk score with issuer

EMV 3DS standard data attributes:

• Transaction: Amount, currency, date
• Account type: Debit / credit
• Merchant: Merchant ID, Merchant Name, Merchant URL
• Cardholder: Name, age, addresses, phone number, account number
• Context: IP address, browser session data, device ID & fingerprint data
• Agent: 3DS Requestor & Server details
• Scheme: Directory Server ref. number,


Get SCA aware and prepare!

1. Understand impact of SCA, build internal awareness and strategic response
2. Enrolling & supporting 3DS is a must
3. Request via 3DS v2 but be ready to use 3DS v1 as a fall back i.e. develop flow to support both
4. Collect and share data to maximise chance of Low Risk Exemption under TRA

…timely opportunity to review your payment acceptance strategy!


Payment acceptance strategy options

Payment methods

• Switch to out of scope Payment methods such as Direct Debit; MOTO
• APMs with more predictable user experience
• Consider more ’click and collect’ if appropriate i.e. physical product merchants

Whitelisting

• Play for Trusted Beneficiary Exemption i.e. whitelist of trusted merchants
• Actively encourage / prompt WL & design into check out flow i.e. during, immediately after, email
• Partner with issuers and whitelisting providers

Acquirer and Issuer agreements

• Find an acquirer that can and will apply TRA exemption
• Form bilateral agreements with key issuers – directly or via merchant coalition

PISP & delegated SCA

• Consider greater involvement by becoming an authorised PISP with SCA delegated by issuer


Commercial & Technology Strategy in Payments

Advice and Support From Edgar, Dunn & Company

• Awareness raising: C-level workshops and briefings, SCA health checks / actions checklists
• Business strategy: SCA impact assessment, user experience and conversion rate; SCA exemption policy & strategy; scenario modelling
• Payment partner management: PSP/acquirers; issuer landscape; 3DS solution provider; fraud monitoring solutions
• Technology: 3DS payment flows / data capture forms / sizing & scoping / agile dev
• Resourcing: SCA programme / project management


Get in touch!

Martin Koderisch
Edgar, Dunn & Company – Strategic Payments Consulting
First Floor, 3 St Helen’s Place London, EC3A 6AB
Mobile: +44 7557 536 389
Email: [email protected]
Web: www.edgardunn.com/sca