PSD2’s Strong Customer Authentication (SCA) enforcement in Europe is just around the corner! Here’s what you can do to make sure that your checkout is ready for the new regulatory requirements.
Strong Customer Authentication
The SCA regulations set a new standard for online payments in Europe. For details on the requirements and standards, take a look at our previous blog on the subject. What this ultimately means is that in order to accept card payments online, 3DS will need to be used to provide authentication. Specifically, if you accept debit/credit cards, Visa Checkout, Secure Remote Commerce, or Non-Network Tokenized Google Pay payment methods in the EEA, you’ll need to ensure that 3DS is ran in order to successfully process those payments.
Other payment methods not mentioned, like Apple Pay and Network-Tokenized Google Pay payment methods, presently include SCA mechanisms as processed through Braintree, and do not require and additional 3DS call.
Enforcement
The European Banking Authority’s (EBA) current end for the “migration period” for PSD2 SCA is December 31st, 2020, where it is expected that it will be broadly enforced by the EEA member states.
Each country’s National Competent Authority (NCA) has flexibility regarding when and how to enforce the SCA requirement on its issuing banks. While it’s expected that enforcement will track with the migration period end date, issuers in each country may begin to decline payments falling in scope of the regulations before the end of the migration period.
The United Kingdom
The United Kingdom’s NCA, the Financial Conduct Authority, has announced that they will be delaying enforcement until at least June of 2021, with expectations to have issuers fully enforcing the regulations by September of that year.
NCA’s are setting these ramp targets ahead of the December date to ensure that merchants and PSP’s can comply with the regulations
How will regulations be enforced?
The regulatory bodies in Europe will largely be carrying out supervision of issuers within their national jurisdiction. As such, issuers will be under instruction to decline transactions that do not adhere to the SCA requirements. Fortunately, issuing banks have new specific decline codes that they can use to signal to merchants that transactions are being declined because of regulatory requirements, which Braintree has distilled to a single response code to use across card networks, decline code 2099:
Our recommendation is to use 3DS up-front for transactions whenever possible, however this decline code can be used to trigger a second transaction attempt with 3DS as a processing strategy as well.
What do I need to do?
To ensure there is not disruption to your checkout experience, we recommend that all European merchants:
- Confirm that you are using the latest version of the Braintree SDK’s where possible.
a) If you’re not sure, check in with your developer to see if your SDK is on the most recent version, which can be found by looking at the SDK’s respective changelog: iOS, Android, Web - Review the 3DS 2 Adoption Guide and ensure you are collecting and passing the data points needed to qualify for a 3DS 2 authentication
- Validate 3DS 2 readiness by sending at least one test transaction for each payment method available in the checkout flow.
a) You can verify this by checking the presence of three d secure info in transaction response payloads, and/or checking for a 3D Secure Information section in a transaction in the Control Panel.
