August 17, 2020
Strong Customer Authentication (SCA) and the EMV 3DS Protocol
by Simone Aurighi
What will Happen to Your European Online Traffic by the End of 2020By now you should be pretty familiar with acronyms such as PSD2, SCA, and EMV 3DS (also known as 3DS 2.x). If you are not, then you have a lot to learn if you want to do business with European consumers beyond the end of 2020. Just so we are all on the same page, let's say that PSD2 is the Revised Payment Services Directive, which mandates SCA, Strong Customer Authentication, which can be achieved using EMV 3DS, the newer version of the Three-Domain Secure protocol.
PSD2 was issued back in 2015 by the European Commission to drive safety and innovation in the payments industry in Europe, following the steps already made with the original PSD. It went into effect in September 2019; however, the EBA allowed for an extension of the SCA requirement until December 2020, as most players were not ready with its implementation.
The tragedy is that many players still are not ready today, just less than six months from the end date. Furthermore, the recent pandemic has contributed to making things even worse for everyone, as most payments companies and related providers have had to deal with more pressing issues than focusing on finally achieving full implementation of SCA. Despite several pleas made to the EBA to reconsider the deadline, the ultimate date for enforcement of the SCA requirement remains the 31st of December 2020. Having said this, France is planning to grant an extra three months grace period on a case by case basis, due to the COVID-19 crisis, and possibly move the date of compliance to the 1st of July 2021 altogether; while the UK, today independent from the EBA, has extended the deadline to the 14th of September 2021.
One fundamental dynamic to note is the following: even if you are PSD2 and SCA ready today, it does not guarantee that you will be successfully accepting all payments in Europe by the end of 2020. There are too many players involved in the payment chain, and if just one of them is non-compliant, the payment will not be authenticated. To make things worse, if you are a merchant, the consumer would most likely blame you for the poor experience, even though you are compliant.
This inherent weakness is why it is essential first to be ready and second, to perform as much testing as possible. Testing will enable you to identify the existing gaps and the weakest links in the payment chain. Hopefully, you should be able to address them on time before the development freeze in October. In any case, as a merchant, the best practice is to process the authorization and order still, when a transaction returns unauthenticated (due to errors, declines, or system failures). Nevertheless, please be mindful that eventually, the issuers will start declining transactions that are not correctly authenticated.
For the sake of clarity, let me try to explain everything mentioned above differently. Let's go back one generation to 1995, in a time when eCommerce was still a dream, and assume you want to sell your goods and services across all of Europe. To do so you plan to open one physical shop (remember those?) in each European country, and you want to have the big opening by the end of October, to catch all the extra revenues linked with the upcoming festive season.
Unfortunately for you, all countries have adopted a law that forces you to take some steps before you can sell to their citizens. You must question your European customer about their identity and obtain sufficient information that confirms who they are. This information needs to be authenticated, but you cannot do it yourself, and you cannot even choose who will do it. Your customer makes this choice. You must phone the unknown authenticator, while your customer is waiting at the counter with the goods in the bag.
And here is where the problems outside of your control begin. Because you have gone through the troubles of asking and obtaining all the relevant information, as well as setting up the phone with a working line, you need to instruct all your employees to be as diligent as possible with your customer to ensure you were ready. Still, it would all be in vain, if at the other end the authenticator is not able to recognize the information you are passing through or is not picking up the phone. Yet worse, in some countries, the authenticator might not even have a phone before the end of the year.
In this scenario, your customer will leave your shop empty-handed, and you will remain with empty pockets for no apparent fault on your part. In fairness, it is partially your fault, as you should have checked before opening the shop, if that specific authenticator, randomly chosen by your customer, was ready to receive the information you were trying to send through. Rest assured that the customer will believe you were not able to provide them with what they needed.
It is easy to bring this to 2020: the shop is your website, the goods in the bag are the goods in the basket, the counter is the checkout page, the information collection process is the EMV 3DS protocol, the phone is the API to your PSP/acquirer, the phone line is the data channel, and the authenticator is the issuer. All the different components must work together for you to be able to satisfy your customer. Moreover, the whole process today should take milliseconds instead of minutes and should be seamless, as ideally the consumer does not even notice this happens.
This example highlights the complexity of ensuring that all links of the payment chain are correctly set up and work well together in a continuous sequence. As today most of these links are outside your control, it is crucial to perform as much testing as possible. Testing should be done involving all players because it is the only way to see if SCA works and delivers on the promise of safer and friendlier payment experiences.
The recommendation is, therefore, to not just tick the boxes for your end of the process, thinking "I have done what I was supposed to do," as you will still be the one paying the price for the other players not doing what they were supposed to do. If you want your customers to be happy with your services, reach out to as many players as possible and cooperate with them in an extensive testing plan. You will help them help you help your customers.