How acquirers meet Mastercard’s new SCA standards
Published: 21 Jul 2021 at 13:00
As of January 2021, the EU's revised Payment Services Directive (PSD2) enforces Strong Customer Authentication (SCA) rules for online payments across the European Economic Area.
This has consequences for three groups: customers, who make online purchases daily and now meet an extra authentication step; payment service providers, who must adhere to the stricter policy and pay more per transaction to support it; and businesses, which need to check that their internet-acquiring partner meets the new requirements and can keep processing their payments.
The SCA requirements have been adopted by all the major card schemes, including Visa, American Express and Mastercard. Mastercard Identity Check is Mastercard's branded implementation of the EMV 3-D Secure 2.0 (3DS2) protocol and is fully compatible with the two-factor authentication that SCA demands.
The rules require at least two independent authentication factors, meaning that compromising one must not compromise the other. Two-factor authentication has been standard in online banking for years, but was often skipped for online card payments. Once SCA applies, a customer can no longer complete a non-exempt online purchase simply by entering the card number, expiry date, cardholder name and the security code from the back of the card. They must additionally verify the payment with something they know (a PIN or password), something they possess (a hardware token or a registered mobile phone), or something they are (a fingerprint or facial recognition). The intent is to reduce fraud and chargeback rates in online payments by making stolen card details alone insufficient to complete a non-exempt payment.
This blanket requirement raises the security level of e-payments across Europe, but it also poses a challenge for many e-payment systems and online acquirers, since they now have to implement 3DS2. For payment service providers it means that in most EU countries the per-transaction cost of 3-D Secure rises from 2 cents to 4 cents, and to 6 cents in France. This alone is expected to cost European economies approximately 25 million euro a year.
From January 2021, online payments that neither meet the SCA requirements nor qualify for an exemption are liable to be declined. The PSD2 rules do allow a few exemptions, which Mastercard supports: under certain conditions payments below 30 euro may proceed without SCA, as may payments to merchants the cardholder has whitelisted as trusted beneficiaries, and recurring payments of the same amount to the same merchant once the first payment of the series has been authenticated. Note that the cardholder's issuer, not the merchant, decides whether an exemption applies; the merchant can only request one.
The change also means a significant technical upgrade of the online payment process, for payment service providers and online retailers alike. Mastercard, for its part, has published a workflow intended to make the migration to fully two-factor-authenticated payments smooth.
The new Mastercard Identity Check features include the following:
- Security is increased with dynamic passwords and biometric checks
- Credential-on-File (COF) is supported for mobile and in-app payments
- Tokenization is supported
- The EMV 3DS Testing Platform lets acquirers and merchants test their integration against the new requirements before the compliance deadline
- Soft decline support: if the issuer requires SCA for a transaction that was submitted without 3DS2 authentication, it returns an "authentication required" response (Mastercard response code 65) rather than a hard decline, and the merchant can then put the cardholder through 3DS2 and resubmit the authorisation
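The exemption logic and the soft-decline retry described above, as an added example that is not part of the original article or of Mastercard's code: a small Python simulation in which an issuer applies the low-value, trusted-beneficiary and recurring-payment exemptions, soft-declines everything else, and a merchant reacts to the soft decline by running 3DS2 and resubmitting. The 30 EUR / 100 EUR / five-transaction thresholds come from the PSD2 RTS (Delegated Regulation (EU) 2018/389, Article 16) rather than from the article; response code 65 is the one Mastercard uses for soft declines; the `run_3ds2` callback standing in for the Identity Check challenge, the per-card counters and all merchant names are constructed for the example.

```python
"""Simulated SCA exemption check and soft-decline retry.

Constructed example (not Mastercard's or any PSP's code). The issuer side
applies the three exemptions the article lists: low value, trusted beneficiary
and recurring transactions of the same amount; the merchant side handles a soft
decline by running 3DS2 and resubmitting. Amounts are in euro cents.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# Thresholds from the PSD2 RTS low-value exemption (Delegated Regulation (EU)
# 2018/389, Art. 16): 30 EUR per transaction, and at most 100 EUR cumulative
# or five consecutive transactions since the last SCA. The RTS lets the issuer
# pick one of the two counters; this simulation applies both (stricter).
LOW_VALUE_LIMIT = 30_00
LOW_VALUE_CUMULATIVE = 100_00
LOW_VALUE_MAX_COUNT = 5

APPROVED = "00"
SOFT_DECLINE = "65"  # Mastercard's "authentication required" response code


@dataclass
class Transaction:
    merchant_id: str
    amount: int                  # euro cents
    recurring: bool = False
    authenticated: bool = False  # set once 3DS2 has completed for this payment


@dataclass
class CardState:
    """Per-card counters the issuer keeps since the last SCA-authenticated payment."""
    low_value_count: int = 0
    low_value_total: int = 0
    trusted_merchants: Set[str] = field(default_factory=set)
    recurring_mandates: Dict[str, int] = field(default_factory=dict)  # merchant -> fixed amount


def exemption_for(tx: Transaction, state: CardState) -> Optional[str]:
    """Return the name of the exemption that lets tx skip SCA, or None."""
    if tx.merchant_id in state.trusted_merchants:
        return "trusted_beneficiary"
    if tx.recurring and state.recurring_mandates.get(tx.merchant_id) == tx.amount:
        return "recurring_same_amount"  # first payment of the series was authenticated
    if (tx.amount <= LOW_VALUE_LIMIT
            and state.low_value_count + 1 <= LOW_VALUE_MAX_COUNT
            and state.low_value_total + tx.amount <= LOW_VALUE_CUMULATIVE):
        return "low_value"
    return None


def issuer_authorise(tx: Transaction, state: CardState) -> Tuple[str, Optional[str]]:
    """Issuer decision as (response code, reason). An unauthenticated,
    non-exempt transaction gets a soft decline instead of a hard one."""
    if tx.authenticated:
        state.low_value_count = 0  # SCA resets the low-value counters
        state.low_value_total = 0
        if tx.recurring:           # remember the amount so later renewals are exempt
            state.recurring_mandates[tx.merchant_id] = tx.amount
        return APPROVED, "sca"
    exemption = exemption_for(tx, state)
    if exemption is None:
        return SOFT_DECLINE, None
    if exemption == "low_value":
        state.low_value_count += 1
        state.low_value_total += tx.amount
    return APPROVED, exemption


def merchant_pay(tx: Transaction, state: CardState,
                 run_3ds2: Callable[[Transaction], bool]) -> Tuple[str, Optional[str]]:
    """Merchant flow: submit the authorisation; on a soft decline run 3DS2
    (run_3ds2 stands in for the Identity Check challenge) and resubmit once."""
    code, reason = issuer_authorise(tx, state)
    if code == SOFT_DECLINE:
        if not run_3ds2(tx):
            return "declined", "authentication_failed"
        tx.authenticated = True
        code, reason = issuer_authorise(tx, state)
    return ("approved" if code == APPROVED else "declined"), reason


if __name__ == "__main__":
    card = CardState()

    def challenge_ok(tx: Transaction) -> bool:  # cardholder passes every challenge
        return True

    for _ in range(6):  # the sixth 20 EUR payment exhausts the counter
        print(merchant_pay(Transaction("shop", 20_00), card, challenge_ok))
    print(merchant_pay(Transaction("stream", 49_99, recurring=True), card, challenge_ok))
    print(merchant_pay(Transaction("stream", 49_99, recurring=True), card, challenge_ok))
```

In production the counters live at the issuer and the merchant only ever sees the response code, so the merchant-side lesson is the retry branch: treat code 65 as "run 3DS2 and resubmit", not as a final decline, and do not resubmit without authentication, since the issuer will simply soft-decline again.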
Will PSPs find it hard to embrace the new rules quickly? Several European countries have already postponed the mandatory launch to give businesses a transition period.
Merchants must have their merchant ID and acquirer BIN combination enrolled in Identity Check, and only their acquirer can do this. That leaves each merchant with an open question: has their acquirer migrated to 3DS2? Many leading European online acquiring and e-payment companies, such as Connectum Limited, have already migrated to 3DS2, making it easier for their merchant accounts to adapt to the new policy.
Keep in mind that if your acquiring partner has not yet migrated to 3DS2, the migration can take them up to three months. If you do not have that time, it may be wise to apply to an acquirer that already meets the new rules; most large and medium-sized payment gateways, Connectum Limited among them, already support SCA via 3DS2. If as a merchant you operate your own PCI DSS-certified payment gateway, expect the migration to 3DS2 to take two to three weeks.
As of now, the compliance deadline in Europe and the UK is 14 September 2021, so businesses have only a couple of months left before customer transactions that are neither exempt nor properly authenticated start being declined. For those whose revenue depends heavily on online sales, all the more so during the pandemic, meeting this deadline is essential. If you are a merchant, check with your payment processing partner whether your payments support 3DS2, how to migrate and test if they do not, and which exemptions you can use to improve your customers' experience.