The roadmap to SCA implementation in 2021
Businesses may still have concerns about integrating 3DS2 into their online checkout, but there are plenty of reasons for the industry to be positive.
1 January 2021 — the day Strong Customer Authentication (SCA) was supposed to start being enforced for Card not present transaction (CNP) — has come and gone without a huge amount of fanfare. Many customers wouldn’t have noticed any changes to the way they pay. Many EU regulators have supported migration plans to help with the implementation of SCA.
The Banque de France and others have adopted a phased approach, and will only start full enforcement from April 2021. The FCA will start enforcing SCA on 14 September 2021.
Given the general market readiness and the complexities of SCA, we think it's positive news that regulators have taken this approach. Without the various migration plans the rate of CNP transactions being declined would have significantly increased..
The flipside is that merchants are having to deal with a patchwork of rules, and numerous decisions as the migration plans were made at short notice. This initially created confusion and uncertainty.
SCA implementation: what went wrong?
There are three main reasons why SCA implementation has been so fraught:
- Regulatory uncertainty
- Infrastructural issues
- Lack of awareness
SCA has proved complex and controversial from the outset. Industry players have expressed concern that mandatory SCA might introduce friction and cause billions in lost sales. Meanwhile, the European Banking Authority was still revising its guidance in late 2019. And Brexit and, now, COVID-19, have created further uncertainty, to the point where the FCA specifically cited the pandemic as the reason for pushing back the enforcement date to 14 September 2021 — six months later than originally planned.
The issue of friction has garnered particular attention. In independent testing, the CMSPI found that, if poorly implemented, SCA could add up to two minutes to a transaction, begging the question of how much friction is going to be too much for customers to tolerate.
But the more important question is what will happen to the 29.1% of the EU population that live in rural areas.
This is a significant amount of people who could struggle with SCA due to poor mobile network coverage. So if SCA is to avoid having the unwanted effect of worsening the digital divide, the industry is going to have to start looking more seriously at solutions like card readers and even landline codes.
Incredibly, though, it's lack of awareness that seems to be the biggest stumbling block to smooth implementation.
In 2019, 75% of merchants were unaware of SCA requirements, according to UK Finance.
The same can also be said for consumers. Few have valid phone numbers registered with their bank. There's also a lack of awareness that could create alarm at the new journeys which merchants have to put in place to comply with SCA. These could contribute to cart abandonment. Which means an educational campaign to explain the reason for these changes is very much in order.
What's going to happen next?
As things stand, regulators seem determined to abide by their latest self-imposed migration plans. While there might still be doubt about when SCA rules will start being fully enforced, the regulation will have been in place for two years by the time the FCA's new deadline comes around. At some point, SCA will be enforced. So the best thing for merchants is to prepare.
At Paysafe, we think that 3DS2 is a good thing. Our past research has found that customers tolerate some friction if it means greater security. And, if anything, 3DS2 provides a more user-friendly experience than 3DS v1, because the customer doesn’t need to navigate to a third-party page to finish authenticating their payment.
Crucially, merchants can take advantage of exemptions that weren't available with 3DS v1. Low risk transactions, recurring payments, and payments from customers who have whitelisted the merchant only require SCA on the first payment.
These exemptions not only simplify things. They create new opportunities for merchants to delight customers and encourage them to come back, because loyalty will be repaid by a smoother, more secure payment experience — a win-win for everyone.
It is time to move forward
We have been saying that improvements to card payment security are overdue. With the proliferation of new technologies since 1999, shifts in customer behaviour, and fraudsters' increasingly sophisticated tactics, itis clear 3DS v.1 is no longer fit for purpose. 3DS2 promises to make the checkout more secure.
The roadmap to full adoption of 3DS2, although now clearly laid out by national regulators, is still a confusing one for merchants, especially those with customers across Europe. But the rewards of doing so are substantial, which is why the industry must come together to deliver on the promise of SCA.