Operational resilience – what happens if 3DSecure (3DS) is unavailable?

When 3DSecure fails, online card transactions wouldn’t be authenticated and therefore can’t be completed. This leads to lost sales and also potentially losing customers to competitors. There are three key points of vulnerability that every online business needs to know about and consider:

1. Merchant or gateway outage, e.g. you can’t connect to the 3DS server
2. An issuer or Access Control Server (ACS) outage e.g. Issuer can’t respond
3. A major outage at scheme level e.g. Scheme directory server not responding

Unfortunately, based on our data, these scenarios are not rare. If you, as a merchant of any size, in any sector, don’t have access to exemptions, these points of vulnerability can immediately affect your ability to trade in the EEA and UK in the post-SCA world. This could have devastating consequences for you, particularly if the outage coincides with a major retail event, such as Black Friday, Christmas or January sales. An outage of even a couple of seconds could equate to thousands of pounds in lost revenue.

The good news is, that for the UK and France, there is now an industry recognised solution for when that happens to protect business continuity.
 

Leading the way with the Resilience Framework

This vulnerability introduced by PSD2 and the reliance on centralised infrastructure was always a concern when SCA was proposed. In 2019, John Lewis and Barclays initiated the Resilience Taskforce as a key priority for the UK Finance SCA Programme, to introduce a new Resilience Framework under these special circumstances as an UK industry standard. This is recently adopted by France to protect market stability. It allows merchants and gateways who have exhausted all other options to complete transactions in an SCA-compliant manner. Needless to say, strong governance to prevent misuse and abuse is essential.

An authorisation indicator (or a ‘flag’) has been introduced to let issuers know that either the merchant or gateway is experiencing technical issues and they are temporarily unable to use 3DS. Issuers should then decide whether to authorise such transactions based on their fraud and other usual assessments – they will continue to have the final say. Issuers should not authorise payment if fraud is detected. Meanwhile, merchants and gateway providers must continue to re-establish 3DS connection. As soon as the issue is resolved, they must revert to 3DS and stop relying on this resilience indicator.

Any application to the Resilience Framework will have caps and limits to help avoid misuse, and acquirers will decide how to police this and encourage appropriate use. This gives acquirers and merchants a chance to work towards improvement of their resilience in the long run. If abuse is detected, acquirers can revoke access to the Resilience Framework altogether.

Is this option for me?

As you think about your operational resilience, you need to consider what your fall-back option is when something goes wrong. The best method is still to maximise the use of exemptions because this is well-adopted across the UK and Europe. However, you can adopt the resilience ‘flag’ as a last-resort solution.

If you’d like to utilise this new Resilience Framework, speak to your gateway provider or developer to make the necessary technical changes as soon as possible this year (2021). You should also review any policy changes your acquirer may choose to adopt, including any periodic limits. Though the framework is not mandatory, it can be extremely beneficial, especially in the early adoption stage of 3DS2, when you may encounter teething issues.

At the moment the framework is only recognised by the authorities in the UK and France. More engagements across Europe have begun to pioneer a similar solution for their jurisdictions. We hope other countries will follow suit soon as we firmly believe the framework has the potential to protect business continuity and make a significant difference to merchants in the post-SCA world.