SCA for PSD2 – How bad is it going to fail?

25 august 2020

an article written by Ronald Praetsch, Payment and Risk Consultant / Co-Founder at Payment-Universe / Co-Founder at

With just four months before the enforcement of PSD2 within many European countries, the author depicts what is currently happening with SCA for PSD2 in the region.

Not even the recent unfortunate events due to COVID-19 have moved the position of the European regulators, with only few national competent authorities moving the enforcement deadline to give more time to businesses to adapt with the needed changes (i.e. the Financial Conduct Authority which has decided to give additional time until September 2021).

Looking at the current market status, with lower 3DS2 adoption in some markets, and the most recent COVID-19 development in major European countries, the risk of ‘market failure’ in January 2021 seems rising day after day and the role of part of the payment chain are fundamental to ensure merchant readiness. We still see in some markets a significant number of issuers not being technically ready to accept 3DS2 transactions and the transactions authenticated with the new authentication protocol are currently very low. Furthermore, the level of complexity is getting higher with local regulators following different approaches with some proposing or considering soft decline programs (i.e. France and Netherlands considering September 2020, Belgium at the end of August, Germany still discussing it) and some others fully relying on the EBA timelines.

In such a scenario, the market readiness seems very fragmented. It is not a secret that issuers are more ready in some countries than in others and 3DS2 performances may also vary significantly. Some of the current best performing markets are Denmark and the United Kingdom while on the opposite we have seen Spanish issuers far from being massively ready. Those are markets where we strongly recommend to have volumes already sent to 3DS2 as acceptance ratios are in line or better than 3DS1.

The recent partnership between Netcetera and Mastercard in establishing a merchant testing production environment is an initiative to be welcomed in the market but this shows, on the other side, the efforts in trying to fill the gap which has been previously created due to not having a consolidated way for merchants to test. Considering that issuers had specific mandates from card schemes in the first part of 2020, this can highlight even more how difficult it has been for issuers to implement the new protocol which required efforts on the Access Control Servers used.  We have noticed as well how some specific technical integrations, such as native SDKs are requiring costly efforts with conversion rates which are very low.

As the majority of issuers live on 3DS2 supporting the 2.1 version for Visa and the 2.1+ for Mastercard ones, PSD2 SCA exemptions are still far from being taken really into consideration. In such a situation, it makes much more sense for merchants to ensure they support the correct transaction flagging depending on the performed use cases in order to avoid issuers stepping in with authentication challenges in scenarios where cardholders are not present. As well, the issuers behaviour should be analysed and carefully monitored as some issuers might already massively authenticate cardholders based on data (Risk-Based Authentication) without requesting any challenge and bearing the fraud liability shift. In such scenarios, having a merchant requesting an SCA exemption might not make much sense as the cardholder does not experience any friction during the payment.

Therefore, sharing the right data is fundamental in those cases, in order to ensure that issuers have visibility about the customer behaviour and can easily recognise the genuine patterns based on the risk analysis models. Some of the data points that can help achieve better risk assessment on the issuers side are ‘billing address’, ‘shipping address’ information, cardholder information such as ‘phone number’ or ‘account password changes’, counter data points such as ‘count of transactions’ within the last 24 hours or last year. Additional data such as ‘email address’, ‘cardholder name’ and ‘device fingerprint’ are already available with 3DS2 transactions as required data points.

Adauga comentariu

Cifra/Declaratia zilei

Gabriela Nistor – director general adjunct BT

Tendinţele pe care le-am remarcat înainte de începerea pandemiei s-au accelerat pe perioada stării de urgenţă. Am văzut acest lucru ca o oportunitate, un tipping point pentru bancă. Post-pandemie nu avem cum sa ne întoarcem la comportamentul financiar pe care îl aveam până în februarie a.c. Relaţia românilor cu online-ul s-a schimbat. In plus, cardul fizic se va dematerializa. Vom asista la o scădere a cererii pentru cardurile fizice, respectiv la o creştere a preferinţei pentru componenta digitală a acestora.”


In 23 septembrie 2019, BNR a anuntat infiintarea unui Fintech Innovation Hub pentru a sustine inovatia in domeniul serviciilor financiare si de plata. In acest sens, care credeti ca ar trebui sa fie urmatorul pas al bancii centrale?