In a previous post, we talked about some of the official exemptions to the Strong Customer Authentication (SCA) requirement that the Regulatory Technical Specifications (RTS) have defined for transactions. If you haven’t read our other posts on PSD2, we highly recommend that you go back and familiarize yourself with the basics of PSD2 SCA requirements, which includes more information and a list of the official exemptions that apply to transactions supported by Braintree.
3D Secure 2.0 (3DS 2.0), the solution Braintree recommends for our merchants, will have the capability to pass flags and indicators when an exemption is requested -- in other words, we will accommodate exemptions if our merchants choose to use them. But how and when should you seek exemptions? How might obtaining an exemption impact the transaction lifecycle?
These topics haven’t gotten as much attention, likely because the answers are not always simple or straightforward. So as part of our ongoing effort to provide insights to help you determine your approach to these nuanced requirements, we’re taking a closer look at some of the factors and forces behind exemptions.
Issuers, not regulators, have the final say
For better or worse, PSD2 regulators didn’t push for standardized ways to support the exemption process. So while the RTS defines exemptions that are available for consideration, it’s ultimately up to the issuing banks to decide whether to accept an exemption request or require SCA on a transaction. The issuers could make their decision for any number of reasons, including internal risk analysis or even technical capabilities for qualifying and routing transactions.
While we anticipate some semblance of consensus evolving over the next couple of years, there are certain to be variations in how each issuer decides to handle exemptions in the shorter term. Some exemptions could end up more widely accepted than others, and they could even vary from market to market depending on how the issuers decide to handle them. Regardless of how the issuers decide to move forward, Braintree will continue working to support and optimize all available exemption paths for our merchants.
Potential pitfalls of seeking exemptions
Obtaining an exemption essentially allows a transaction to take place without adhering to the SCA requirement of needing two factors of authentication. While that may sound appealing, two potential pitfalls could deeply impact revenue:
You will be responsible for any fraud-related chargebacks on exempt transactions. If you obtain an exemption, you also forfeit the ability to shift liability to the issuer.
You will most likely not be able to fight even non-fraud-related chargebacks. The European Payments Council anticipates that “the payer can claim full reimbursement from their PSP in case of an [unauthorized] payment if there was no SCA measure in place and if the payer did not act fraudulently.”
While exemptions may be a useful tool for certain transactions, merchants should be aware of and consider these risks when deciding whether or not to seek them.
Whitelisting: a great idea... in theory
Under the SCA rules, consumers will have the right to “whitelist” trusted beneficiaries -- i.e., the businesses they trust -- allowing issuers to exempt the transaction from SCA requirements. The perception among many merchants is that whitelisting could be a cure-all for SCA-related friction, and on the surface it does sound appealing.
But without a common way for acquirers and issuers to communicate whitelist statuses outside of 3DS 2.0, there will be variation from card network to card network (scheme to scheme) on how these whitelists are created and maintained, as well as how a merchant would confirm if or when a cardholder has been added or removed from their list of trusted beneficiaries. Issuer implementation to support whitelisting is also likely to be sporadic, making it a potentially unreliable path to avoid SCA for merchants -- especially early on.
Longer-term, whitelisting may very well emerge as a useful way for merchants and their customers to work together outside of SCA. But until there are uniform standards in place, there is too much uncertainty for merchants to rely solely on trusted-beneficiary exemptions.
Some friction may actually be a ‘good’ thing
3DS challenges could be seen as cumbersome to merchants, particularly to those who have supported 3DS 1.0 authentications in the past. But since 3DS 2.0 is expected to dramatically reduce the frequency with which a cardholder is prompted to be an active participant in the authentication process, the amount of friction is also expected to be dramatically reduced.
Given all the additional data elements available to issuers to help inform risk-based decisions in the background, the assumption should be that if a cardholder challenge is required, enough flags have been raised to cause concern. In other words, if the issuer suspects fraud, chances are it is fraud. So why not take advantage of this built-in risk algorithm while also protecting your business against potential fraudulent-transaction losses?
In addition to the risk-mitigation benefits, there’s also likely to be an evolution in customer expectations and behavior over time. Merchants who are prepared to adjust to these shifts will be best positioned to optimize their checkout experience and maximize their authorization rates. As 3DS authentication becomes the norm across the EEA region, consumers will become conditioned to expect authentication verification more regularly and could perceive a seller as less-than-trustworthy if they’re not prompted to authenticate. Conversely, in certain markets like the UK where there have been similar authentication mandates in place for some time, the lack of consumer participation in the checkout experience (since 3DS 2.0 allows issuers to authenticate without cardholder involvement) could be jarring and cause for concern -- merchants in markets like this may actually want to take advantage of a feature that allows them to request that the issuer initiate a challenge.
When exemptions may not apply at all
Certain types of transactions will be deemed “out of scope,” meaning that neither SCA nor an exemption will be required. Although these aren’t exemptions per se, they are relevant here and important for merchants to understand.
“One leg out” transactions
SCA is only required when both the cardholder’s issuing bank and the merchant’s acquirer are located in the EEA region. If either of these parties is outside the EEA, then the SCA regulation does not apply. Some issuers may not have the logic in place to identify these types of situations, particularly in the short term after the regulation goes into effect. Braintree continues to recommend that merchants be prepared to handle these transactions accordingly to minimize declines.
Merchant-initiated transactions (MIT)
For merchants that have particular types of interactions with their repeat customers, MITs provide an opportunity to avoid multiple authentication requests in cases where the cardholder is not present, such as recurring billing payment plans with variable amounts (a utility bill, for example) when the standard recurring exemption would not apply. The European Banking Authority has provided some guidance on MITs, and we’ll be exploring this topic further in a future post.
3DS 2.0: part compliance solution, part automated fraud tool
While the ability to request exemptions will be available via Braintree’s 3DS 2.0 integration to merchants who qualify for them, it’s important to remember that exemptions were intended for certain use cases and business models. Merchants who decide to use exemptions will not only miss out on any potential liability shift to the issuer, but it’s also likely that they will give up any recourse to successfully challenge disputed transactions.
3DS 2.0 is, in essence, an automated layer of protection against fraud. It doesn’t require fine tuning or maintenance beyond updates: It’s always on, helping to protect both your customers and your business. 3DS 2.0’s significant improvements over 3DS 1.0, including a seamless experience and secure methods to replace static passwords, have been shown to result in a 70% decrease in cart abandonment and 85% reduction in transaction time.1
If part or all of your payment processing is affected by SCA, it may be worth weighing the risks versus the rewards before deciding if your organization will leverage exemptions. Regardless of which path you take, Braintree has a flexible 3DS 2.0 solution that allows our merchants to control when to seek exemptions or take advantage of the benefits 3DS 2.0 provides.
New and improved 3-D Secure from “Frictionless Experience with Verified by Visa”, a risk-based authentication case study by Visa. ↩