Sysnet’s Natasja Bolton: The crucial compliance steps for merchants

Natasja Bolton, strategic partner support/engagement manager at Sysnet, writes on the important steps merchants need to take to ensure compliance with SCA in time for the enforcement deadline.

With the deadline extension to PSD2’s Strong Customer Authentication (SCA) well underway, there are steps that merchants must take so they can support SCA across their online and mobile commerce channels as SCA starts to be enforced by Account Servicing Payment Service Providers (ASPSPs) and card issuers. While card acquirers do have a big role to play in helping merchants get ready, the merchants are ultimately responsible for the readiness of their own payment acceptance methods and systems.

What do merchants need to do? 

There is relief in knowing that the industry is actively trying to avoid negatively impacting customers as a result of the rollout of the European Banking Authority (EBA)’s Regulatory Technical Standards (RTS) and its mandated requirement of SCA for remote electronic payment transactions.  Merchants need to take action now to make sure they also are not negatively impacted. They need to be able to support SCA to minimise ASPSP/issuer declines of transactions. While the revised SCA enforcement deadline for these regulated firms is 31 December 2020 (pushed back even further to 14 September 2021 in the UK), merchants need to be aware and take advantage of the fact that card issuer SCA is also being driven by card scheme mandates.  

One of the reasons the original September 2019 SCA enforcement deadline was postponed was that in summer 2019 many EEA card issuers were still not ready to support 3D Secure 2 (EMV 3DS). Now, however, the card schemes have aligned their mandates with the revised SCA deadline to ensure EEA issuers are ready well in advance of December 2020. Both Visa and Mastercard’s EMV 3DS issuer mandates have now passed for all regions except Visa U.S. (August 2020).

For merchants this means that, if they implement EMV 3DS solutions for all online channels (including mcommerce and in-app payments), they can immediately commence making EMV 3DS authentication attempts to the card issuer and benefit from the fraud liability shift.  Merchants should note that, until the US EMV 3DS activation mandate passes, they will need to be able to fall back to 3D Secure 1 authentication to get fraud liability shift from a US issuer that still only supports 3D Secure 1.

Merchants need to remain (or get) engaged with their Payment Service Provider (PSP). Merchants need to make sure they have implemented support for EMV 3DS and, if they offer direct from account payment methods, support integration with the ASPSP’s SCA method. Merchants should also discuss with their PSP how they can best take advantage of SCA exemptions – such as the Transactional Risk Analysis (TRA) exemption, where there may be an option for, and a benefit in, the merchant taking on risk analysis from their acquirer (‘delegated authority’).

Merchants may want to consider performing their own risk/fraud monitoring before submitting transactions as this helps minimise the number of fraud attempts being passed to the acquirer and issuers, helping to keep fraud rates low. Working with the acquirer to minimise fraud can help maximise the number of transactions for which the acquirer can apply the TRA SCA exemption.  

Acquirers with the lowest overall fraud rate can apply the TRA exemption for the highest value transactions. For example, an acquirer with a reference fraud rate of 0.01% or below can apply for the TRA exemption for transactions up to €500.

Given the potential impact of SCA on the consumer’s checkout experience and the potential for SCA to increase the rate of cart abandonment, merchants should consider whether their payments model could be amended to allow them and their customers to take advantage of the recurring payments SCA exemption or the fact that merchant-initiated transactions (MIT) are out of scope. For example, once an agreement for future payments is established with the customer (using SCA), all subsequent payments under that agreement are triggered by the merchant and flagged as MIT. There is no need for SCA and no risk of abandonment as the merchant has already established the consumer commitment to purchase.

Merchants can also learn from industry developments and watch out for the availability of trusted beneficiary whitelisting to consumers. Issuer SCA implementations will start to offer the consumer the choice to whitelist the merchant as a Trusted Beneficiary (e.g. as a checkbox option during the authentication step). 

Acquirers may be able to register their merchants on Visa’s Trusted Listing programme, which may help them get on their customers’ Trusted Beneficiary whitelist. Once whitelisted, subsequent consumer payments to the whitelisted merchant are exempt from SCA, although the ASPSP/issuer still has the right to require SCA.