Strong Customer Authentication soft declines

Strong Customer Authentication: Soft declines have started in Germany.

Strong Customer Authentication (SCA) and PSD2 were among the most discussed topics of 2020 in the payments industry, given their impact on merchants and online consumers. Many national competent authorities have introduced staged soft-decline approaches to allow for a transition phase before the full PSD2 2021 enforcement.

BaFin (the German regulator) has likewise provided guidance to issuers on introducing soft-decline policies.

What is a Soft-Decline?

In a few words, a soft-decline is a declined authorization where the issuer requests Strong Customer Authentication before it will approve the transaction. In this case, the merchant should first authenticate the customer with 3D Secure and then re-submit the authorization.

Germany SCA Enforcement Plan

BaFin initially announced that SCA would not be enforced until 31st December 2020. This was followed by a communication recommending that issuers follow a soft-decline ramp-up plan between mid-January 2021 and mid-March 2021, as per the planning below:

  • From 15th of January transactions above 250 EUR
  • From 15th of February transactions above 150 EUR
  • From 15th of March for all non-authenticated transactions

For the full European enforcement list, take a look at our previous blog post about it.

Are Issuers in Germany declining non-authenticated transactions?

Yes, we have started to see an increase in transactions declined for missing 3D Secure authentication where the amount is above 250 euros.

On the 15th of January, almost 20% of authorizations missing strong customer authentication were declined by German issuers. We are not seeing a considerable number of non-authenticated transactions below 250 euros being declined.

As a merchant, what should you do?

For all transactions where Strong Customer Authentication (SCA) is required according to the PSD2 Regulatory Technical Standards (RTS) you should perform SCA using a 3D Secure solution (both 3DS1 and 3DS2 are considered compliant).

If your transactions do not require Strong Customer Authentication (SCA), make sure that they are flagged according to the technical requirements of your Payment Gateway. For Mail-Order/Telephone-Order (MOTO) transactions and Merchant-initiated Transactions (MIT), it is fundamental to indicate them as such in the authorization requests; otherwise, issuers will most likely consider them non-compliant. If your transactions are correctly flagged and still receive a decline with reason code “Strong Customer Authentication required”, please contact your payment gateway to start an investigation with the card schemes (Mastercard, Visa, etc.) and contact the responsible issuers directly.

As a PSP, what should you do?

It is extremely important to keep the situation constantly under control by establishing an extensive monitoring framework with a quick process to inform the impacted merchants. We have seen some issuers declining MIT transactions. Be sure that those are being flagged correctly during authorization and, if abnormal behaviour is experienced, get in touch with issuers and/or card schemes.

For solutions where the transaction flow is directly under the payment gateway control (i.e. hosted payment pages) we have seen that the most common approach is simply to restart the flow, when possible, with a 3D Secure authentication request flow.
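
The triage described above for merchants and PSPs, as an added example that is not part of the original post: it applies the BaFin ramp-up thresholds listed earlier to authorization records and separates soft declines that should be retried with 3D Secure from declines on correctly flagged MOTO/MIT transactions that should be escalated. The record fields and action labels are hypothetical and do not reflect any gateway's schema.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional

# BaFin ramp-up from the list above, newest step first: (start date, EUR limit).
# A limit of 0 puts every non-authenticated transaction in scope.
RAMP_UP = [
    (date(2021, 3, 15), Decimal("0")),
    (date(2021, 2, 15), Decimal("150")),
    (date(2021, 1, 15), Decimal("250")),
]
OUT_OF_SCOPE_FLAGS = {"MOTO", "MIT"}

@dataclass
class Auth:
    """Hypothetical authorization record; field names are assumptions."""
    day: date
    amount_eur: Decimal
    authenticated: bool = False      # 3DS1 or 3DS2 completed
    flag: Optional[str] = None       # "MOTO", "MIT" or None
    soft_declined: bool = False      # "Strong Customer Authentication required"

def limit_on(day: date) -> Optional[Decimal]:
    """EUR limit in force on `day`, or None before the ramp-up starts."""
    for start, limit in RAMP_UP:
        if day >= start:
            return limit
    return None

def in_scope(a: Auth) -> bool:
    """True when the ramp-up plan makes a soft decline likely."""
    limit = limit_on(a.day)
    if limit is None or a.authenticated or a.flag in OUT_OF_SCOPE_FLAGS:
        return False
    return a.amount_eur > limit

def triage(a: Auth) -> str:
    """Action label (constructed names) for one authorization."""
    if not a.soft_declined:
        return "AUTHENTICATE_FIRST" if in_scope(a) else "OK"
    if a.flag in OUT_OF_SCOPE_FLAGS:
        return "ESCALATE"                      # flagged correctly, declined anyway
    if a.authenticated:
        return "ESCALATE"                      # assumption: treat like a flagged decline
    if in_scope(a):
        return "RETRY_WITH_3DS"
    return "RETRY_WITH_3DS_AHEAD_OF_PLAN"      # issuer stricter than the schedule
```

Counting the `ESCALATE` and `RETRY_WITH_3DS_AHEAD_OF_PLAN` results per issuer gives the monitoring signal that tells a PSP which merchants to inform.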

If you are experiencing trouble with 3DS2 and your PSD2 strategy, let’s schedule a call.