SCA is coming, and European merchants must be prepared

This year we’ve seen an unprecedented shift in shopping habits. The COVID-19 pandemic led to a number of European governments instituting stay-at-home orders, and this meant many merchants needed to shift their business model, close temporarily, or accommodate an upshift in ecommerce sales as consumers increasingly shopped online. 

To further complicate matters, regulation from the European Banking Authority comes into enforcement at the end of the year on 31 December 2020. The regulation, which is called Strong Customer Authentication (SCA), requires merchants to implement a 2-Factor Authentication (2FA) solution in order to authenticate payments. The scope of SCA is limited to cards issued within the European Economic Area and there are exemptions available. The 3DS2 industry standard was created to enhance the security of payments by providing the issuer with the option to authenticate the cardholder prior to authorisation. However, as a minimum all ecommerce merchants based in the EEA should implement 3DS in order to implement SCA. 

If a merchant does not employ SCA, they run the risk of a significant number of sales being declined by the respective card issuers. 

Merchants should not only implement 3DS, they should also implement an SCA optimisation tool. This enables the merchant to maximise all the available exemptions and scope criteria, in order to ensure as many sales as possible are processed with no friction. Identifying those payments which are out-of-scope or exempt can help the merchant to provide a smoother customer experience. 

We have heard in conversations with clients and prospects that many businesses are not ready for the looming SCA deadline, or that they do not understand the responsibilities of the merchant in deploying SCA. If merchants are unprepared, they will absorb the impact of a potentially significant increase in declined sales arising from sales where the customer has not been authenticated or where this is no exemption request. 

All is not lost though: there is still time for merchants to prepare for the enforcement deadline. Ideally merchants should have their solution in place well in advance of their country compliance date, in order to make sure everything is running smoothly. Merchants should be aware of the roll-out plan for their country, which may include managed roll-out periods where an increasing percentage of non-compliant transactions could possibly be declined in the lead up to the enforcement date. Each merchant should analyse their transaction profile to understand which payments are in-scope vs out-of-scope, and which qualify for exemptions. They ought to then reach out to vendors to understand which solution best fits their transaction profile and resourcing. 

Some merchants may find that SCA has little or no impact on them due to their sales being out-of-scope. In addition, they may find that a lot of their sales qualify for an exemption based on the value. Some may determine that given their transaction profile they should request 3DS on every sale. There is no one-size-fits-all solution. Each merchant needs to identify the approach and solution that best suits them and their customers, within the bounds of SCA requirements.