The countdown to Strong Customer Authentication (SCA) – take action today
Jasmine Wu, Senior Strategy Manager at Barclaycard Business, explains why you need to take urgent action to be SCA-compliant as soon as possible, and what the consequences will be for you and your customers if you don’t.
The deadline for banks to introduce Strong Customer Authentication (SCA) in the UK is fast approaching. To prevent online transaction declines and a loss of card sales, it’s essential that you act now to become SCA-compliant so that your customers can complete two-factor authentication.
From 18 January 2022, non-compliant card transactions in the UK will likely see increasing declines and you could be at risk of losing up to 10% of your card sales. This loss could rapidly rise to up to 50% by mid-February, leading up to 100% by the SCA deadline on 14 March 2022. So, we’ve created this handy article to explain exactly what you need to do and how.
What is SCA?
Strong Customer Authentication (SCA) is part of the European Union’s Payment Services Directive (PSD2), adopted by the UK, designed to make online payments more secure as customers increasingly shop and pay online in the digital age.
SCA requires banks to use two independent authentication elements to verify online payments, also known as two-factor authentication. Methods of authentication include something only the customer knows (such as a password, PIN or secret fact), something only they have (such as a mobile, wearable device, smart card or token), and something the customer is (such as a fingerprint, facial features, voice pattern or iris scan). The industry standard for authenticating card payments is known as 3D Secure (3DS).
Businesses must urgently work with their Payment Service Provider to test and deploy a compliant solution.
Be SCA ready
If you haven’t already, you need to activate 3D Secure (3DS) across ecommerce card transactions as soon as possible. We strongly recommend implementing the latest version of 3DS, EMV 3D Secure (also known as 3DS version 2 or 3DSv2), as the legacy version is due to be decommissioned by card schemes. It also supports better fraud prevention and adapts easily for mobile and in-app experiences.
Non-compliant transactions (without 3DS or valid exemptions) will be increasingly declined from 18 January 2022 in the UK, and after the regulatory deadline on 14 March 2022, all non-compliant transactions will be declined.
Here's what you need to do
- Implement 3D Secure – and if you’re already taking payments using 3DSv1, we strongly recommend that you upgrade to 3DSv2 as soon as possible. Find out how to enable 3DS below.
- Ensure your gateway can re-route transactions after soft declines – if you receive a ‘Request for authentication’ alert from the issuer, make sure your gateway can re-route the transaction to 3DS (ideally EMV 3DS, also known as 3DSv2). If you’re not sure, we’d encourage you to get in touch or speak to your payment service provider (PSP) directly as soon as possible.
- Flag Merchant Initiated Transactions (MITs) correctly – if you need to charge a customer based on a pre-existing agreement, make sure the transaction is flagged correctly to avoid declines. As above, if you’re uncertain, please check this with your PSP as soon as possible.
- Check if you’re eligible for exemptions – exemptions are compliant ways to bypass authentication for transactions that have a low risk of fraud. Learn more about how our Barclaycard Transact solution could help (see below), or check out our FAQs page for the full range of exemption options.
How to implement 3DSv2?
- If you take payments through a third-party payment service provider, please contact them directly as soon as possible.
- If your gateway is with Barclaycard (e.g. ePDQ / Smartpay Checkout), we have activated 3DSv2 for all customers. Please check the ePDQ / Smartpay Checkout Back Office Portal for confirmation of this. If you’re not sure if 3DSv2 is being used for all your ecommerce transactions, please review the 3DS Parameters Guide to check if you need to take action. For general 3DSv2 guidance, please read the 3DS Activation Guide.
Why you need to take action
From 18 January 2022, if you are non-compliant, you could be at risk of losing up to 10% of your card sales. This is because UK card issuers are increasingly required to decline non-compliant payments in the run-up to the deadline. That loss of card sales could rapidly increase to up to 50% by the end of February in the run-up to the SCA regulatory deadline.
From 14 March 2022, all online card payments that are non-compliant (those without 3DS or valid exemptions) will be declined. In short, if you don’t take action as a merchant, you may experience:
- declined transactions and loss of card sales
- potential scheme fines (we’ll provide notice if fines are to be applied)
- potential increased fraud risk
- increased customer calls or complaints
The Barclaycard solution – Transact
SCA doesn’t mean online businesses need to sacrifice frictionless customer journeys for the sake of fraud prevention. This is where Barclaycard Transact comes in.
Transact works with your online payment gateway to identify whether a transaction is low-risk. If it’s deemed low-risk, an exemption will apply and the customer won’t have to take the extra verification steps.
We have seen banks and issuers becoming more comfortable with the benefit of exemptions. Approval rates across the EEA and UK are consistently high, particularly for low-risk exemptions. This option is the key to balancing a frictionless customer experience with low fraud risk, with 3DS being used as a backup. That’s what Barclaycard Transact is designed to help merchants achieve.