By Michael Sass, Vice President Product Management Security Solutions at Mastercard
With only 10 weeks to the end of the year, strong customer authentication (SCA) is almost upon us. For those of us who have been working tirelessly on turning the legal requirements into a frictionless customer experience, this is probably the most important milestone in this multi-year process.
With Mastercard ID Check, which is based on the new EMV 3DS standard, we have a solution that should benefit everyone: cardholder, issuer and retailer. While providing greater security in online transactions, it also allows for a more frictionless experience, despite the heightened security requirements.
Unfortunately, I know that many players in the ecosystem are still struggling to get everything in place and run all necessary tests before the deadline. And despite the advent of the pandemic, the authorities in most EU countries have decided that a further postponement of that regulatory deadline will not happen.
However, there is also some good news: 85% of EEA ecommerce volumes now support EMV 3DS with an issuer ACS (Access Control Servers, the issuing bank’s processor) and on average, across the European Economic Area, EMV 3DS outperforms 3DS1 (currently used) in terms of authentication success rate and authorization approval rate. It is therefore not surprising that EMV 3DS volumes are growing by an average 20% week-on-week since end of September. This trend will hopefully accelerate as more EMV 3DS usage will lead to better fraud prevention models.
At the same time, however, almost all 3DS servers and their merchants take around 2 months to reduce errors below 1% after turning on EMV 3DS despite EMVCo and scheme certification.
We therefore recommend that merchants do the following as soon as possible:
- If you are an online merchant, perform PSD2 Merchant testing free of charge via https://3dss.netcetera.com/mastercard-psd2-testing/
- Start replacing 3DS1 authentications by EMV 3DS, initially 10%, especially in the following countries where EMV 3DS performance beats 3DS1 and where at least 85% of ecommerce volumes support EMV 3DS with an issuer ACS: UK, Czech Republic, Austria, Romania and Slovakia.
Furthermore, we have also developed an Authentication best practice guide that provides guidance on how to address the most common reasons why transactions could fail after the implementation of EMV 3DS, such as:
- Merchant is not correctly registered with the merchant ID/acquirer BIN used in EMV 3DS authentication requests (will be rejected).
- Merchant and acquirer not sending all the EMV 3DS authentication data in authorizations (dynamic linking not possible).
- Merchant gateway sends special characters (e.g. üâé) in the cardholder name field in EMV 3DS authentication requests (will be rejected).
As the main shopping season of the year approaches, let’s make sure that together we serve our customers the best we can and avoid false and unwanted declines. With that in mind, let’s make sure we’re ready as much as we can be ahead of the deadline set by the regulator.