Maximize PSD2’s SCA Exemptions

• Risk of over €100 billion in lost sales (1)
• Surge of CNP fraud in other regions of the world without SCA
• Focus on qualifying transactions within exemption categories

Since 2015 Merchants and payment card Issuers have been grappling with the impact of proposed new regulations from the European Banking Authority (“EBA”). The latest release of regulations, the Second Payment Services Directive (“PSD2”), contains requirements for Merchants and Issuers to employ Strong Customer Authentication ("SCA") protocols for online or eCommerce transactions to reduce fraud. Although these SCA requirements derive from the EBA and only apply in the European Economic Area (“EEA”) for now, they are being supported by the major global payment schemes and are likely to migrate to other regions similar to the EMV® roll-out. Moreover, the history of EMV migration—with fraud surging in regions where  EMV chip cards are not mandated—is likely to repeat in the case of SCA implementation. Fraud follows the path of least resistance. According to TransUnion and Aite Group, card-not-present ("CNP") fraud will increase in places that do not require SCA adoption (2).

The implementation of SCA requirements is a blessing and a curse to payment industry participants. They are intended to promote greater security for digital transactions as well the development of industry standards around SCA protocols. One such protocol, EMV® 3-D Secure (“3DS2"), has been adopted by MasterCard and Visa and they are pushing merchants and issuers to use 3DS2 as part of the solution for PDS2 compliance.

SCA under 3DS2

Generally speaking, SCA means that the entity collecting the payment information in a CNP transaction authenticates the buyer and reduces the risk of fraud. This is done by confirming at least two of the following three elements: (i) something only the customer has, (ii) something only the customer knows, and (iii) something only the customer is. In addition to using 3DS2’s robust, risk-based authentication protocol, this can be achieved by generating a one-time password on the buyer's mobile app or requiring a biometric (such as a fingerprint, facial recognition,...) used to sign onto a banking app.

SCA protocols, whether they include 3DS2 or something else, are controversial because, even if well implemented, they introduce friction into transactions that results [SP2] in abandoned carts and false declines. Indeed, payment industry experts believe that 3DS2 compliance adds between sixty seconds and two minutes to the checkout process and tests have shown that 25% are abandoned by frustrated buyers. That figure increases to 35% when false declines due to 3DS2 technical errors are factored in. There has always been natural tension between authentication efforts and frictionless checkout in eCommerce, but based on 2019 sales figures, the friction caused by PDS2 SCA requirements could potentially cost over €108 billion in lost sales. Perhaps this is why, despite being adopted in 2015, the implementation of PSD2 (including SCA protocols) keeps being postponed (3)(4).

Fit as many sales as possible within PDS2’s SCA available exemptions.

 Based on the secular growth of eCommerce and the resulting growth of CNP fraud, the imposition of the SCA protocols is inevitable. One thing that Merchants and Issuers can do now is to understand the PDS2 exemptions from SCA and take action to ensure that as many sales as possible fit within available exemptions.

There are several categories of transactions that are exempt from the SCA requirement in order to reduce checkout friction. These includes low value transactions, certain recurring transactions, transactions with trusted (whitelisted) beneficiaries, and a category called Transaction Risk Analysis (“TRA”). The TRA exemption is interesting for Issuers because its availability is dependent upon the Issuer’s ability to manage its CNP fraud using measures short of SCA.

Issuers can avail themselves of the TRA exemption for a particular transaction by maintaining an overall quarterly fraud rate within the fraud rates set by the PSD2 regulations. Issuers can only avoid the new SCA rules for euro threshold transactions in tiers where their fraud rates qualify. The exemption fraud rates are tiered based on transaction value as set forth in the chart below.

Complementary, Frictionless Tools to Reduce CNP Fraud

Issuers that want to avoid using SCA in the future, should consider using an existing frictionless, anti-fraud tool that will reduce CNP fraud and keep their fraudulent transaction rates within the TRA exemption thresholds.

CNP fraud rate can be easily improved by digitizing the existing, frictionless Card Security Code that is already on every payment card.

All payment cards certified by the major payment associations (MasterCard, Visa, etc.) already contain a Card Security Code (also called a CVV2, or CVC2). Modernizing this Card Security Code and evolving it to an EVC Dynamic Card Security Code can reduce CNP fraud from card compromise to a much lower rate than with a static code. A card with EVC features a digital display that changes the code each time the card is used in a payment terminal or ATM. EVC technology is the latest innovation in payment card security and was developed especially for eCommerce CNP transactions.

The EVC Dynamic Card Security Code can dramatically reduce CNP fraud by itself and therefore enable Issuers to avoid SCA for transactions up to the highest TRA exemption value.

Furthermore, preventing CNP fraud by upgrading the payment card security code feature to a Dynamic Card Security Code as part of a layered approach, short of SCA, makes sense for the following reasons:

1. Card Security codes are legacy tools that are already accepted by most eMerchants and digitalization models (eWallets enrollments, etc.) are designed to meet this requirement
2. Card Security codes are ubiquitous, entrenched in the payment ecosystem and perceived frictionless by cardholders
3. As a security feature they are complementary and leverage/maximize existing EMV infrastructure

Not every transaction is going to be eligible for an exemption from SCA but, in light of the risk of lost/abandoned transactions due to SCA protocols, it behooves Issuers to utilize available tools that avoid payment friction and maximize the availability of SCA exemptions. EVC Dynamic Card Security Codes are frictionless, transparent, and effective at lowering fraud. Importantly, they are entirely compatible and complementary with PSD2 protocols such as 3DS2.

References :

1.    Finextra – New security measures could block one-third of online EU purchases, September 2020

2.    TransUnion & Aite Group - PSD2: The Advent of The New Payments Market in Europe, March 2019

3.    Finextra – FCA extends SCA deadline by a further six months, April 2020

4.    European Payment Institutions Federation-  Joint industry letter on SCA delay due to COVID-19, April 2020

5.    EUR-Lex - COMMISSION DELEGATED REGULATION (EU) 2018/389, November 2017

EVC™: Ellipse Verification Code™ is a trademark in the U.S. and other countries. The EVC trademark is owned by Ellipse World, Inc.

EMV ® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.