3DSecure 2.0: EEA RoadMap for Strong Consumer Authentication
PSD2, SCA, Regulatory Update and Soft Enforcement Transition Period
The long-awaited 14 September deadline for SCA has come and gone. Given the effort and sacrifice invested by many individuals and organisations over the last three years to be ready, calling the outcome a disappointment is an understatement.
SCA is still coming, however: the very high fraud rate and the higher decline rates for card-not-present (CNP) transactions remain unresolved. Regulators are also concerned with protecting consumers, who are hit by fraud, frustrated by declines and chargeback disputes, and ultimately bear the costs.
At the same time, user convenience remains paramount: the challenge for the industry is to deliver security that is seamless and effortless.
3DS 2.0 addresses all of these objectives; its complexities and difficulties will be surmounted, and the industry will deliver a payment framework for the next decade.
At the heart of this framework lies the ability to establish identity, which immediately raises the issues of data protection and ownership of one's identity: identity must be established in a way that cannot be hijacked or manipulated. This is why GDPR is mentioned in the same breath as SCA: a strong regulatory and legal framework protecting data must be in place for SCA to work.
At a technical level the challenge is to make data, and the establishment of identity, secure by design. The protocols in place go beyond encryption: SCA works by bringing issuers, merchants and cardholders together in a single authentication exchange. Risk-based authentication uses what is known about the merchant and the cardholder to quantify risk and reduce friction, while biometrics and smartphones provide person and device identification.
3DS 2.0 seeks to deliver these measurable milestones:
Eliminate static password and reduce friction.
Lift the approval rate for CNP from 86% to over 95%, comparable to the 97% approval rate for physical (card-present) transactions.
Reduce fraud for CNP, which is currently 10x that of physical transactions. Target is < 10 bps.
Increase consumer confidence, uplift spending by 20%
SCA is not just a European prerogative, many countries around the world are well ahead with SCA. The benefits and goals are global, but PSD2 and the Roadmap in this article are specific to the EEA.
PSD2 Exemptions (In Scope)
A big part of the discussion around SCA is how exemptions apply and the thresholds for these exemptions. The Issuer can still require authentication and the merchant can still request authentication.
Exemptions apply in the context of minimum requirements for issuers to achieve compliance and avoid fines.
Transaction Risk Analysis (art 18)
SCA exemption is allowed when the PSP's (issuer's or acquirer's) own fraud rate is at or below the reference rate for the amount band the transaction falls in:
fraud rate <= 0.13% for transactions up to EUR 100
fraud rate <= 0.06% for transactions up to EUR 250
fraud rate <= 0.01% for transactions up to EUR 500
Above EUR 500 the TRA exemption is never available. It is important to remember that merchants cannot apply this exemption by themselves; only issuers and acquirers can, because only they can demonstrate the fraud rate to the regulator.
Secure Corporate payments (art 17)
This exemption may cover payments made with "lodged" cards (e.g., where a corporate card used for managing employee travel expenses is held directly with an online travel agent), as well as corporate payments made using virtual card numbers (which are also used in the travel sector).
It is important to note that only the issuer knows the card is a corporate card, so only the issuer can apply this exemption.
White List of trusted beneficiaries (art 13)
This allows a cardholder to add a merchant to a list of trusted beneficiaries. The issuer offers the cardholder the option either during an authentication or via internet banking; the suggestion may be based on the cardholder's regular spending habits.
It is important to remember that whitelisting can only be done by issuers.
Recurring transactions (art 14)
The first transaction in the series is authenticated; subsequent transactions with the same amount and the same payee are not.
Low-value transactions (art 16)
SCA exemption if
Amount <= EUR 30 (subject to counters kept by the issuer)
No SCA is required for a remote transaction up to the EUR 30 threshold, but SCA is required once the cumulative amount of remote transactions since the last SCA exceeds EUR 100, or after 5 such transactions. (The EUR 150 cumulative limit sometimes quoted belongs to the contactless exemption in art 11, not to remote payments.)
It is important to note that only the issuer knows when the counters are met, so this exemption can only be applied by the issuer.
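The exemptions above only make sense once you see how an issuer would actually sequence them and keep the art 16 counters. The following is an added example written for this page, not code from the article, from Endeavour or from any 3DS vendor. It assumes a simplified issuer-side decision engine with an evaluation order chosen for illustration (issuer-only exemptions first, then low value, then TRA), reads the art 16 cumulative limit conservatively as "previous transactions plus the current one", and uses constructed cardholder states and fraud rates; the `CardholderState`, `issuer_decision`, `tra_allowed` and `low_value_allowed` names are hypothetical.

```python
from dataclasses import dataclass, field

# Reference values from the RTS on SCA (Regulation (EU) 2018/389)
TRA_BANDS = [(100.0, 0.0013), (250.0, 0.0006), (500.0, 0.0001)]  # art 18: (max amount EUR, max fraud rate)
LOW_VALUE_MAX = 30.0              # art 16: per-transaction ceiling
LOW_VALUE_CUMULATIVE_MAX = 100.0  # art 16: cumulative amount since the last SCA
LOW_VALUE_MAX_COUNT = 5           # art 16: transactions since the last SCA


@dataclass
class CardholderState:
    """Issuer-side state for one card (constructed for this example). Counters reset whenever SCA is applied."""
    cumulative_since_sca: float = 0.0
    count_since_sca: int = 0
    trusted_merchants: set = field(default_factory=set)  # art 13 list, maintained only by the issuer
    is_corporate_card: bool = False                        # art 17, known only to the issuer


def tra_allowed(amount: float, psp_fraud_rate: float) -> bool:
    """art 18: the PSP's fraud rate must be at or below the reference rate of the band the amount falls in."""
    for max_amount, max_rate in TRA_BANDS:
        if amount <= max_amount:
            return psp_fraud_rate <= max_rate
    return False  # above EUR 500 TRA never applies


def low_value_allowed(state: CardholderState, amount: float) -> bool:
    """art 16: EUR 30 ceiling plus the issuer's cumulative and count limits since the last SCA.
    Assumption of this example: the current amount is included when checking the cumulative limit."""
    return (amount <= LOW_VALUE_MAX
            and state.cumulative_since_sca + amount <= LOW_VALUE_CUMULATIVE_MAX
            and state.count_since_sca < LOW_VALUE_MAX_COUNT)


def issuer_decision(state: CardholderState, amount: float, merchant_id: str,
                    psp_fraud_rate: float, recurring_followup: bool = False) -> tuple:
    """Decide whether one in-scope remote card payment needs SCA, and update the art 16 counters.

    Returns ("exempt", <reason>) or ("sca", "challenge"). The evaluation order is an assumption of
    this example. Any outcome without SCA advances the counters; applying SCA resets them, because
    the RTS counts "since the last application of strong customer authentication".
    """
    reason = None
    if state.is_corporate_card:
        reason = "art17_corporate"
    elif merchant_id in state.trusted_merchants:
        reason = "art13_trusted_beneficiary"
    elif recurring_followup:
        reason = "art14_recurring"
    elif low_value_allowed(state, amount):
        reason = "art16_low_value"
    elif tra_allowed(amount, psp_fraud_rate):
        reason = "art18_tra"

    if reason is None:
        state.cumulative_since_sca = 0.0
        state.count_since_sca = 0
        return ("sca", "challenge")
    state.cumulative_since_sca += amount
    state.count_since_sca += 1
    return ("exempt", reason)


def run_demo() -> list:
    """Constructed sequence: six EUR 25 purchases at one merchant whose acquirer runs a 0.15% fraud rate,
    so TRA is never available under EUR 100 and the art 16 counters alone decide the outcome."""
    state = CardholderState()
    return [issuer_decision(state, 25.0, "shop-1", 0.0015) for _ in range(6)]


if __name__ == "__main__":
    for i, outcome in enumerate(run_demo(), start=1):
        print(f"transaction {i}: {outcome}")
```

Running the demo shows four transactions waved through under art 16, a challenge on the fifth (the cumulative limit would be crossed and TRA is unavailable at a 0.15% fraud rate), and the counters starting again from zero on the sixth. Swap the fraud rate for 0.05% and the fifth transaction is exempted under art 18 instead, which is exactly why merchants cannot predict the outcome themselves: the counters and the fraud rate both live with the issuer or acquirer.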
PSD2 Out of Scope
Mail order and telephone order (MOTO)
Anonymous prepaid cards
Merchant initiated payments
Soft Enforcement Transition Period
The SCA mandate has been delayed in favour of a transition period. During October the EBA is consulting the 27 EEA national competent authorities (NCAs); 23 of them are in favour of a 12-month period, although the growing consensus is towards an 18-month duration.
The industry is encouraged to use this period effectively, with a number of goals:
Work with merchants and cardholders to build knowledge and preparedness
Start authenticating with 3DS 2.1
Support authentication exemptions
Introduce Soft declines
Digital Insights (DTI)
Endeavour is now offering Digital Insight Transactions. This offers an easy path for the introduction of 3DS 2.0 and the benefits of frictionless authentication. Enquire for further information.