PSD2 And Strong Customer Authentication (SCA) - ACI Worldwide


PSD2 and Strong Customer Authentication (SCA): An acquirer guide

With the second Payment Services Directive (PSD2) firmly established in Europe since January 2018, payment markets around the world are readying themselves for the imposition of Regulatory Technical Standards (RTS) for strong customer authentication (SCA). Although at the time of writing deadlines are under review and are set to be extended, perhaps as far out as September 2021 (as has already happened in the U.K.), this does not mean that the pressure has been lifted. Acquirers should use the new timelines to ensure they have implemented best-practice, value-added solutions to comply ahead of the deadline. Following publication of the EBA’s Opinion, acquirers now have a timeframe in which to implement SCA exemptions in a way that differentiates their business from the competition.

What does this mean for acquirers, and what do acquirers need to do to better serve their merchant base and grow the business?

1 Background

PSD2 was established to drive payments innovation and data security by reducing competitive barriers, mandating new security processes and encouraging standardized technology to protect the confidentiality and integrity of payment service users’ personalized security credentials.

Although consumers will see tremendous benefit around security and data protection, issuers, acquirers and merchants will face new challenges. One of the requirements within PSD2 is SCA, intended to ensure that fraud is reduced and that merchants and issuers in the European Economic Area (EEA) validate the consumer for all electronic payments.

The purpose of this paper is to outline the issues and requirements for acquirers and the merchants they serve.

2 What is SCA?

The security measures outlined in the RTS stem from the key objective of PSD2 to ensure consumer protection.
The RTS introduces requirements that issuers and acquirers (referred to in the regulations as “payment service providers”) must observe when they process payments or provide payment-related services. In general terms, card issuers will be obliged to perform an SCA check for every electronic payment transaction above €30 that does not meet any one of a set of specified exemption criteria. The SCA check requires authentication using two of the following independent factors: knowledge, possession and inherence.

While card issuers can try to reduce the number of cases in which SCA is required, there is no way to prevent it fully. And, importantly, merchants cannot opt out of or choose to override the SCA mechanism for card payments, because their acquirer no longer has a free choice on whether or not to perform SCA. In cases where the issuer is required to perform SCA, the merchant must also support it, or the issuer may choose to soft decline the authorization request or defer the liability to the merchant or acquirer.

It’s crucial for organizations to realize the benefits of SCA by rapidly implementing differentiated services that bring added value to acquirers and merchants.

3 When is an SCA Check Required and What Are the Exemptions?

SCA exemptions are an important part of the balancing act between protecting transactions and providing a seamless customer experience. For many financial services firms that provide merchant acquiring services, this could be a key differentiator. For organizations that do not successfully implement SCA exemptions, it could negatively impact the business of their merchants and risk market share loss in the process.

SCA aims to standardize practices across the EEA and reduce fraud, especially in the case of online transactions. It requires two independent sources of validation, known as two-factor authentication (2FA). This increased security obviously benefits banks and merchants, but if not implemented effectively it risks negatively impacting customer experience, with repercussions including cart abandonment. To mitigate this risk and at the same time improve customer experience, the RTS does provide a number of exemptions to SCA, aimed at minimizing friction.
Some of these include:

- Low-value payments exemption (below €30)
- Recurring payments exemption, such as subscriptions
- Trusted beneficiaries, including identified trusted merchants
- Secured corporate payments
- Transactions that real-time transaction risk analysis (TRA) solutions have identified to be low-risk

Low-value payments

SCA checks are mandated for every electronic payment over €30, and for those under €30 where either there have been five previous transactions on the same card without challenge or the card has accumulated transactions totaling more than €100 without an SCA check being applied.

Recurring payments

Transactions out of scope for SCA include recurring transactions (after the first transaction has been authenticated), MOTO, one-leg-out transactions and direct debits.

Secured corporate payments

Where a corporate card is “lodged” with a contracted third party: for example, the details of corporate cards used for managing employee travel expenses are often held by the approved travel agent and can be charged with fees after an employee has reserved flights or hotels. This particular exemption is expected to have a relatively narrow scope of applicability for the majority of acquirers.

Trusted beneficiaries

Transactions that are in scope may be rendered exempt from SCA if the cardholder has applied to have the merchant with which they are transacting whitelisted with their bank (card issuer) and the bank has agreed. Under PSD2, individual cardholders may ask their issuers to “whitelist” merchants they use regularly, but the decision will ultimately be at the bank’s discretion and will depend on the level of fraud exposure the bank has experienced with the chosen merchant and individual TRA.

Transaction risk analysis

Issuers and acquirers may also exempt a transaction under €500 if they have demonstrably low levels of fraud. This requires that TRA is in place and fraud is kept below set exemption threshold values (ETV). These values are:

- 0.13% for transactions up to €100
- 0.06% for transactions up to €250
- 0.01% for transactions up to €500

If an acquirer cannot demonstrate a fraud rate below these thresholds, then all transactions processed via that acquirer will be subject to SCA. This would be detrimental to the acquirer’s market share, as undoubtedly merchants would look to acquirers that can provide exemptions for a more seamless customer experience.
Therefore, a strong SCA strategy is one that encompasses robust TRA and exemptions.

The issuer and acquirer relationship

Issuers and acquirers should seek to apply the TRA exemption to all qualifying transactions to reduce friction and lessen the frequency of SCA that their cardholders will encounter during remote purchases. It’s about creating a positive customer experience with their merchant, payments instrument and provider of choice, to remain “front of wallet” and encourage consumer spending.

In some cases, issuers may instigate a soft decline and request SCA even if the acquirer has implemented an exemption, if they are suspicious about the transaction.

Only issuers and acquirers can exempt a transaction from SCA. There are exemption flags in 3DS for a merchant to request an exemption. This means the liability sits with the banks.

For a full list of exemptions, see the final report of the draft RTS.

4 Who Is Liable for Fraud?

Liability for any fraud depends on how the transaction was authenticated.

In a standard transaction flow, as today, where the merchant is 3DS-enabled, the issuer retains liability for any fraud. If the merchant is not 3DS-enabled, the acquirer is liable for the fraud but will likely pass this to the merchant, just as many merchant acquiring relationships function currently.

As we move into an SCA exemptions scenario, it becomes more complex. Where the issuer and merchant have “both legs in” the EU and the merchant initiates 3DS, the acquirer may choose to apply an exemption. But if the issuer chooses to overrule the acquirer and conduct SCA, then the issuer assumes liability. However, if the issuer accepts the acquirer’s exemption and does not step up the authentication, then the acquirer is liable for any fraud; it’s likely the acquirer would pass that loss on to the merchant, as is the current model.

Merchants will need to manage fraud (either directly or through their merchant services partner), irrespective of authentication, in order to manage pushback by the issuer.

It’s critical that acquirers understand the liability implications and conduct robust TRA under Article 18, in order to be confident of their application of SCA exemptions. If an acquirer or PSP is not compliant by the deadline, the potential consequences include loss of license, fines, or designation as a non-compliant party and a halt being placed on their business.
Acquirers should use the new deadline extensions as an opportunity to implement SCA exemptions alongside TRA capabilities in order to continue to differentiate their merchant services once SCA mandates come into effect.

Use case                  | Merchant                                          | Liability
Standard 3DS              | Initiates 3DS                                     | Issuer
Merchant not 3DS-enabled  | Cannot apply 3DS                                  | Acquirer/merchant
SCA                       | Merchant/PSP/acquirer initiates 3DS flow with SCA | Issuer if it authenticates the consumer; issuer if step-up
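The exemption rules and liability outcomes above, collected into a simplified acquirer-side decision model. This is an added example written for this page, not ACI’s or the RTS’s own code; amounts are in euros, and the per-card unchallenged counters, the acquirer’s reference fraud rate and the issuer’s step-up decision are assumed inputs supplied by the caller.

```python
# Added example (not from the ACI paper): a simplified acquirer-side model of the
# PSD2 RTS exemption rules and liability outcomes the guide describes.
# Amounts are in euros; counters and the TRA fraud rate are assumed inputs.
from dataclasses import dataclass

LOW_VALUE_LIMIT = 30.00            # single-payment ceiling for the low-value exemption
LOW_VALUE_MAX_COUNT = 5            # five unchallenged low-value payments force SCA
LOW_VALUE_MAX_CUMULATIVE = 100.00  # ...as does 100 euros accumulated without an SCA check
# Exemption threshold values (ETV) from the RTS: (amount ceiling, reference fraud rate)
TRA_BANDS = [(100.00, 0.0013), (250.00, 0.0006), (500.00, 0.0001)]


@dataclass
class CardCounters:
    """Running state for one card since its last SCA challenge (assumed to be tracked)."""
    unchallenged_count: int = 0
    unchallenged_total: float = 0.0


def tra_exemption_available(amount: float, fraud_rate: float) -> bool:
    """True if the acquirer's fraud rate is below the ETV for this amount band."""
    for ceiling, etv in TRA_BANDS:
        if amount <= ceiling:
            return fraud_rate < etv
    return False  # no TRA exemption above 500 euros


def decide_exemption(amount: float, counters: CardCounters, fraud_rate: float,
                     recurring_after_first: bool = False,
                     trusted_beneficiary: bool = False):
    """Return the exemption the acquirer may flag in 3DS, or None when SCA is required."""
    if recurring_after_first:        # recurring payments after the authenticated first one
        return "recurring"
    if trusted_beneficiary:          # cardholder has whitelisted the merchant with the issuer
        return "trusted_beneficiary"
    if (amount <= LOW_VALUE_LIMIT
            and counters.unchallenged_count < LOW_VALUE_MAX_COUNT
            and counters.unchallenged_total + amount <= LOW_VALUE_MAX_CUMULATIVE):
        return "low_value"
    if tra_exemption_available(amount, fraud_rate):
        return "tra"
    return None


def settle(exemption, counters: CardCounters, amount: float, issuer_steps_up: bool) -> str:
    """Apply the issuer's response and return who carries fraud liability (per the table above)."""
    if exemption is None or issuer_steps_up:
        # SCA was performed, or the issuer overruled the exemption: issuer is liable,
        # and the card's unchallenged counters start again.
        counters.unchallenged_count, counters.unchallenged_total = 0, 0.0
        return "issuer"
    # Issuer accepted the acquirer's exemption: acquirer (and typically the merchant) is liable.
    if exemption == "low_value":
        counters.unchallenged_count += 1
        counters.unchallenged_total += amount
    return "acquirer"
```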

The new “legs in, legs out” scenarios have caused ambiguity in the market. The card schemes are actively looking to clear any confusion and will provide educational materials regarding liability. Once acquirers fully understand their roles, they can better guide their merchants and PSPs/payment gateway providers. There is not a good enough understanding of the impact and benefits of SCA at the merchant and consumer levels. Acquirers and issuers should look to work with the schemes in educating their customers to better mitigate liability.

5 EMV 3D Secure 2.1/2.2

EMVCo (the joint venture overseen by the six major card associations: American Express, Discover, JCB, Mastercard, UnionPay and Visa) first published the specs for EMV 3D Secure 2.0 in 2016. Version 2.1 was designed to improve the shopping experience for customers, including frictionless authentication and shorter transaction times. It uses 10 times more data than 3DS 1.0 and improves the overall user experience. The latest version, 2.2, includes support for exemptions for additional types of frictionless authentication, including acquirer/issuer TRA, whitelisting, low-value, one-leg-out and merchant-initiated transactions.

It is in acquirers’ best interests to ensure that the latest version of 3D Secure is available for their merchants as the primary authentication method, whether directly or via PSPs. The richer data and extended fields are necessary to provide SCA exemptions for card payments.

There is also a benefit to merchant customers leveraging the latest version of EMV 3D Secure, according to projections from the card networks. Merchants will be able to achieve the same performance levels as physical store merchants using Chip and PIN.
It will be interesting to see this theory put to the test in real-world conditions.

For online purchases, merchants seem to be favoring EMV 3DS as the “go-to” method of authentication through their PSPs or acquirers (via the payments gateway) to create flexibility in their choice to leverage SCA exemptions where appropriate.

There appears to be a grey area regarding merchant mobile apps and a wide variety of customer experiences in this scenario. The typical route of a one-time password does not seem to apply here. We are beginning to see a move towards leveraging inherence in the form of biometrics, alongside digital wallets and PINs, to combine with SCA.

There are some alternative use cases in discussion in the market, although they are yet to be confirmed.

6 Best Practices for Acquirers

PSD2 requires that fraud rates are assessed at the issuer or acquirer level, not by the individual merchant. This means that acquirers must begin to prepare for SCA ahead of the completion deadline. If acquirers do not offer SCA exemptions to their merchant customers, they run the risk of impacting the consumer experience and negatively impacting revenue for both parties. Educating both merchants and consumers on the benefits of SCA is critical to the success of the acquirer’s exemptions strategy.

Providing value-added merchant services to manage exemptions is critical as a competitive differentiator and can be rapidly and easily adopted at the acquirer level with the right technologies and partners. Acquirers must also be cognizant of rising merchant fraud and consider this in their exemptions strategy.

Acquirers should actively engage with their PSPs and merchants to discuss their authentication strategies. There may be situations in which a merchant does not wish an available exemption to be applied, and the exemption strategy should therefore be jointly agreed between the merchant and acquirer.

Even if acquirers have already begun to implement their SCA strategy, they must re-evaluate it against the EBA’s June 2019 Opinion document. For online purchases, EMV 3DS in combination with a one-time password via SMS or email will no longer be acceptable. This will require some acquirers to pivot their SCA strategy. A combination of a PIN/static password with a one-time password, to satisfy the need for both knowledge and possession, may be one of the simplest routes to compliance. It’s likely that in the mobile channel, acquirers will look to leverage biometrics from the device for a combined possession and inherence approach. Bringing the authentication strategies and authentication messages into a single solution allows for more sophisticated rules, adaptive machine learning models, behavioral biometrics data, better investigation and reduced false positive rates.
Integration with access control server (ACS) solutions and payment gateways for real-time decisioning on SCA is critical to a successful exemptions strategy.

Deadline extensions are not an excuse for acquirers to put their feet up; this time should be treated as an opportunity to accelerate their readiness. The extension allows acquirers to re-evaluate their strategy and ensure they are implementing in a way that will add value to their business. SCA exemptions should be a part of acquirers’ launch plans for SCA, not seen as a later phase. Compliance must be balanced with customer experience.

[Figure: PSD2 RTS-SCA and Exemptions, EMV 3DS Scenario, both legs in (issuer and merchant both in the EU). Numbered flow between the consumer, the 3DS-enabled merchant, the payments gateway/MI/PSP, the directory, the issuer’s ACS, the real-time risk solution and the acquirer: if issuer SCA is needed the gateway calls out to the directory, the consumer authenticates, the SCA/exemption response is passed back to the payments gateway, and the gateway then invokes the authorization request.]

How Acquirers Can Achieve SCA Success

1. Identify, accept and embrace the need for SCA and an exemptions strategy.
2. Adopt the best approach and strategy on how to engage the right technology partner to assist.
3. Implement before the deadline.

ACI Worldwide is a global software company that provides mission-critical real-time payment solutions to corporations. Customers use our proven, scalable and secure solutions to process and manage digital payments, enable omni-commerce payments, present and process bill payments, and manage fraud and risk. We combine our global footprint with local presence to drive the real-time digital transformation of payments and commerce.

www.aciworldwide.com
contact@aciworldwide.com
Americas 1 402 390 7600
Asia Pacific 65 6334 4843
Europe, Middle East, Africa 44 (0) 1923 816393

Copyright ACI Worldwide, Inc. 2021. ACI, ACI Worldwide, ACI Payments, Inc., ACI Pay, Speedpay and all ACI product/solution names are trademarks or registered trademarks of ACI Worldwide, Inc., or one of its subsidiaries, in the United States, other countries or both. Other parties’ trademarks referenced are the property of their respective owners.
