
Strong customer authentication (SCA)

Frequently asked questions

General FAQs on SCA
When do the new SCA rules apply?

SCA is obligatory for all payment service providers located in the European Economic Area (EEA) from 14.09.2019. However, the national supervisory authorities (BaFin for Germany) have postponed the requirement for SCA in day-to-day transaction business until 31.12.2020. In practice, SCA therefore only has to be applied from 01.01.2021 onwards.

Which transactions have to use SCA?

SCA is part of PSD2 and applies to all electronic payments (so all ECOM transactions, in particular).
Transactions not affected by SCA are MOTO transactions and MIT (merchant initiated transactions) in which the cardholder is not physically present when the payment is made. Both these non-SCA transaction types must therefore be designated as such in the transaction, so that the card issuer can recognise these transactions as ‘out of scope’. Details of how to designate these transactions are available from the PSP on request.

What is the status of implementation with regard to Payengine 2.0 and 3.0? Is there a timeline which we can share with our customers?

Payengine start.now, speed.up, flex.pro: No adjustments for 3DS2 are necessary for the integration methods Inline Widget and Modal Widget. Concardis will make all necessary implementations available automatically in due time – namely, as of 14 September. No adjustments for 3DS2 are necessary for the use of Paylink. Concardis will make all necessary implementations available in due time – namely, as of 14 September.

Payengine Comfort, Premium, Professional: No adjustments for 3DS2 are necessary for the e-commerce integration type. Concardis will make all necessary implementations available in due time – namely, as of 14 September.

Are there exceptions to this rule?

Yes; although a transaction may be within the scope of SCA, it may be exempt from the SCA obligation as an ‘SCA exception’ under certain circumstances.
Application of these exceptions must always be approved by the acquirer beforehand. By default, Concardis allows all its acquiring customers to use the ‘low value’ exception, which means that transactions in ECOM of up to €30 can be exempt from the SCA obligation. These transactions must be designated accordingly. Details on how to designate the transactions are available from your PSP.

Does Concardis support the TRA exception?

The SCA exception known as TRA (transaction risk analysis) allows a merchant, after asking Concardis, to submit transactions up to a certain amount (€100, €250 or €500, depending on the fraud performance) without SCA verification, provided they carry the corresponding SCA exception designation.
Concardis does not generally offer this exception at the moment, because it is not certain that a card issuer will also accept this exception. First we have to gain some experience in this area. Concardis plans to introduce this product in mid 2021.

What is meant by ‘liability shift’?

A liability shift is what can happen when transactions are charged back because of suspected fraud and the liability for such transactions, which is originally with the merchant, is shifted to the card issuer.
A chargeback of an SCA-secured transaction because of suspected fraud is covered by this liability shift, so the card issuer has to absorb these defaults itself.

Who is liable for an SCA-secured transaction?

If an SCA transaction is confirmed by the card issuer, any chargebacks are the responsibility of the card issuer, not the merchant.

A hotel room is booked five months in advance and the amount will not be charged.

Does SCA need to occur in this case (also no transaction reservation)? What happens if a charge needs to occur prior to checkout? MIT or SCA?

A first-time transaction using a card which was not previously stored by the merchant must always be subjected to SCA. Charging the card before checkout can only be done without SCA if the merchant has the card on file in the system and SCA was successfully carried out previously.

A room has been paid for, but the bill for the minibar was forgotten. But the guest has already left!

Can this bill be settled via a credentials-on-file transaction (also known as ‘card on file’)?

A credentials-on-file transaction is carried out by a merchant in the absence of the payer. The merchant already carried out a successful SCA procedure when first saving the payment information of the payer and can now submit the transaction with the appropriate identification. If the merchant already has the card on file, in this case no further SCA must be carried out. If this is not the case, the card may not be charged again without undergoing SCA.

Are card-on-file transactions subject to SCA?

Card-on-file transactions are not subject to SCA, but they must be flagged separately in the GICC protocol.

What is an MIT?

MIT (merchant-initiated transactions) should always be used if a merchant has to initiate a transaction and the cardholder is not physically present. It is essential to designate the transaction accordingly (please contact PSP/NSP).
An MIT must always have a reference to a previously successful SCA-authenticated transaction (‘trans id’/‘trace id’) made with the same card number. The use of MIT also requires the merchant to have signed an MIT agreement with the cardholder beforehand, authorising them to debit further payment transactions.
Please ask your PSP/NSP about the exact application of the MIT logic.

Are card-on-file transactions (CoF) subject to SCA?

Basically yes, they are mostly submitted by means of the PSP’s MIT framework. This means that payment transactions for cards on file can be submitted to the acquirer by means of an MIT code from the PSP portal. Details of how to do so are available from the PSP on request.

How does an MIT have to be designated?

For a Mastercard MIT, the BMP 60.54 has to be given the value ‘01’ in the GICC authorisation request.
For a VISA MIT, the BMP 60.49 has to be given with the correct reason code in the GICC message.
The trace id/trans id must be entered in BMP 60.73 for the original successfully authenticated SCA transaction.

Is the merchant liable for an MIT?

If the merchant has not requested an SCA authentication from the card issuer by means of a 3RI request before executing the MIT (only possible from protocol version EMV 3DS 2.2), the merchant is liable for lost payments in the case of fraud.

Does SCA need to be carried out again to charge remaining amounts (above the authorisation amount)?

In this case, a card-on-file transaction is carried out with the appropriate MIT flag, which results in no SCA needing to be carried out again.

What happens if a merchant does not use SCA?

If a card issuer receives a transaction requiring SCA without the corresponding SCA verification or without an SCA exception designation, it will probably reject it or ask for a second factor to be entered (‘soft decline’/‘step-up’). This only relates to transactions for which the card issuer is based in the EEA.

Who rejects a transaction that is not SCA-compliant?

Concardis recognises non-SCA-compliant transactions and logs them with the others. However, Concardis does not reject these transactions, but forwards them to the card issuer for authorisation. The card issuer will very probably decline these transactions.

What does a ‘soft decline’ mean?

If a card issuer receives a transaction requiring SCA without SCA verification or without a corresponding SCA exception designation, it will very likely ask for a second authentication factor. In this case, the card issuer sends what is known as a ‘soft decline’ message. Often the term ‘step-up’ process is used in this context, but it means the same thing.

Is it necessary to amend the contract with Concardis to use SCA?

Generally speaking, the customer does not have to sign any new contracts with Concardis to use SCA. Legal adjustments are covered by the general terms and conditions.
In certain situations, however, it may make sense to modify the submission of payment transactions, which may then require the contract to be amended. In such cases, the customer will be contacted by a Concardis salesperson.

Has Concardis already told merchants about SCA?

Yes, Concardis has notified all ECOM customers several times about SCA by email – most recently in June 2020. Since then, Concardis sales staff have also spoken to customers specifically about SCA, webinars have been held, the SCA landing page has been updated continuously and the connected PSP/NSP have also been informed via a specially created portal.

What happens if the cardholder does not participate in 3DS2?

Before the technical SCA authentication process is started, the system verifies in direct interaction with the card issuer if the requested card participates in the 3DS2 programme or not.
If the card does not take part, the authentication system will automatically send a 3DS1 request to the card issuer.

BaFin phased launch

In a circular to all German payment providers on 03.12.2020, BaFin gave card issuers the option of phasing in the SCA requirement as follows:
1) SCA is mandatory from 15.01.2021 for transactions above €250.
2) SCA is mandatory from 15.02.2021 for transactions above €150.
3) SCA is mandatory from 15.03.2021 for all transactions.
It is not yet clear whether the card issuers will accept this offer. Indeed, it is clear that some card issuers will not make use of this option, so merchants should generally start using SCA as of 01.01.2021.

Are SCA enforcements standardised across the whole of Europe?

No, unfortunately not. Most EEA countries expect to use SCA from 10–15.01.2021 onwards. The UK is only making SCA mandatory in September 2021.

Questions regarding Network Service Providers (NSP) & Payment Service Providers (PSP)
Are terminal payments affected by the SCA changes?

Generally not, since all German terminals already have to process EMV transactions by default (magnetic strip is only allowed as a fallback).
However, there are still a lot of terminals in operation that either:
1) Submit payment transactions by magnetic strip.
2) Also trigger key entry transactions when non-manual entries are made.
In these cases, some changes may have to be made. If the NSP has not already sent information about this to the merchants, merchants should now ask their NSP about SCA.

Does my terminal have to support ‘single tap’?

The term ‘single tap’ refers to how the terminal responds when the card issuer demands a subsequent PIN entry for a contactless payment. In this case, the cardholder should not have to hold their card against the terminal again for SCA verification.
The NSP can tell you whether the terminal already has the software to process the payment correctly in this case.

My authentications are not working

If your PSP is not Concardis, please talk to your PSP directly, because they are the only ones who can view the 3DS2 authentication logs.
If your PSP solution is the Payengine, please provide the Payengine merchant_id, the exact time stamp, the transaction amount and the response code from the authentication process.

I get response code 65 (1A) in reply to my authentication request.

The response code 65 (for MC) or 1A (Visa) means a ‘soft decline’. In this case, an SCA transaction was presented to the card issuer without the corresponding SCA verification/designation.
The card issuer then prompts the transaction system to ask the cardholder for a second factor.
The ‘soft decline’ process has been mandatory for all PSP/acquirers since 01.07.2020. Please get in touch with your PSP straight away to ensure the correct processing of this response code.

My conversion rate has gone down drastically since I activated SCA.

The relevant PSP has to carry out an analysis of the card issuer’s reason for rejection for each transaction. Please get in touch with your PSP straight away.

Does a merchant have to be activated to use SCA?

Yes. Every credit card organisation has its own certification programmes for SCA (and the related protocol versions). SCA authentication providers have to complete these successfully for each credit card organisation. Only then may they offer SCA products to merchants.

Questions regarding Low Value Transactions
Can a merchant use a low value exception without an additional agreement?

Yes, Concardis allows all merchants to use an SCA low value exception correctly without an additional agreement. How the low value exception is to be used in the transaction must be clarified with the PSP.

What are the ‘counters’ in the context of the low value exception?

The low value SCA exception may only be used for transactions of up to €30. In addition, the card issuers have counters for each card number, which continuously monitor two things:
1) The number of consecutive non-SCA-verified transactions may not exceed 5.
2) The total amount of consecutive non-SCA-verified transactions may not exceed €100.
If the card issuer sees that one of the counters has been tripped, it will respond with a ‘soft decline’ and ask the cardholder to carry out another SCA authentication.
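
The counter behaviour described above, as an added illustration (not Concardis or card issuer code): a small Python model of the two per-card counters and of the merchant's step-up after a soft decline. The class and function names, the counter reset after a successful SCA and the sample amounts are assumptions; the €30, 5 and €100 limits and the response codes 65 and 1A are the ones given in this FAQ.

```python
from dataclasses import dataclass

LOW_VALUE_LIMIT = 3000   # EUR 30.00 in cents: per-transaction cap from the FAQ
MAX_CONSECUTIVE = 5      # consecutive non-SCA-verified transactions allowed
MAX_CUMULATIVE = 10000   # EUR 100.00 in cents across those transactions
SOFT_DECLINE = {"mastercard": "65", "visa": "1A"}  # codes quoted in the FAQ


@dataclass
class CardCounters:
    """Per-card issuer state (hypothetical structure)."""
    count: int = 0
    total: int = 0


class IssuerModel:
    """Toy issuer that only evaluates the low value exception."""

    def __init__(self):
        self.cards = {}

    def authorise(self, card, scheme, amount_cents, sca_verified=False):
        """Return 'APPROVED' or the scheme's soft-decline response code."""
        c = self.cards.setdefault(card, CardCounters())
        if sca_verified:
            # Assumption: a successful SCA resets both counters.
            c.count, c.total = 0, 0
            return "APPROVED"
        if (amount_cents > LOW_VALUE_LIMIT
                or c.count + 1 > MAX_CONSECUTIVE
                or c.total + amount_cents > MAX_CUMULATIVE):
            return SOFT_DECLINE[scheme]  # counters unchanged; step-up needed
        c.count += 1
        c.total += amount_cents
        return "APPROVED"


def replay(issuer, card, scheme, amounts):
    """Merchant side: try the exception first, step up on a soft decline."""
    log = []
    for amount in amounts:
        first = issuer.authorise(card, scheme, amount)
        retry = None
        if first in SOFT_DECLINE.values():
            # Constructed stand-in for repeating the payment with SCA (3DS).
            retry = issuer.authorise(card, scheme, amount, sca_verified=True)
        log.append((amount, first, retry))
    return log
```

Replaying five €25 payments on one card trips the cumulative counter on the fifth, while six €10 payments trip the count limit on the sixth; in both cases the merchant integration has to be ready to handle the soft decline rather than treat it as a final refusal.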

Is the merchant liable for a transaction covered by the low-value SCA exception?

If the merchant has not requested an SCA authentication from the card issuer by means of a 3RI request before executing the low value transaction (only possible from protocol version EMV 3DS 2.2), the merchant is liable for lost payments in the case of fraud.

Questions regarding Key Entry
What is a ‘key entry’ transaction?

Strictly speaking, the chip-use criterion ‘key entry’ refers to transactions that are initiated manually at the terminal by using the keypad (i.e. entering the card number).
However, the majority of key entry transactions are not generated by manual entries at the terminal but rather by hotel reservation systems that assign this chip-use criterion to the transaction if the guest is not present when the card is charged.

Do key entry transactions require SCA?

The legislation does not give a clear answer to this question, because it does not say whether key entry transactions count as electronic payment transactions or not. In the EEA, the card issuers mostly consider that key entry transactions require SCA, however, so merchants have to use SCA if they want to avoid a rejection by the card issuer.

What do I have to do as a merchant to ensure that my key entry transactions are still accepted in 2021?

To ensure that key entry transactions from the travel and hospitality sector are still accepted by the card issuers without changing the merchant’s technology, from mid January Concardis will automatically switch transactions that are submitted as ‘key entry’ from this sector to the ‘MOTO’ sales channel before forwarding them to the card issuers. This approach has been officially approved by Visa and Mastercard as an interim solution (so far without a deadline).
Since MOTO transactions are not considered to require SCA, they can still be accepted by the card issuers with SCA verification, even though they are designated as key entry.

Does the Concardis MOTO reflagging apply to all travel and hospitality key entry transactions?

No, AMEX transactions are submitted by the PSP directly to AMEX for processing and not to Concardis, since AMEX is itself the merchant’s acquirer. AMEX has already said that it intends to reject all key entry transactions without SCA verification from 01.01.2021. There is nothing that Concardis can do here other than refer merchants to AMEX.

Card-Schemes
Do AMEX payments also require SCA?

AMEX payments are also considered to be electronic payments and thus are subject to the SCA obligation.

Do JCB payments also require SCA?

JCB payments are also considered to be electronic payments and thus are subject to the SCA obligation. Concardis has not been certified for SCA by JCB, however, because there are very few cards issued under the JCB brand in Europe. JCB transactions can therefore not be processed in an SCA-compliant manner.
It is highly unlikely that a JCB card issuer will ask for an SCA verification by sending a soft decline, however, since most of the cards are issued outside the EEA.
Concardis plans to obtain certification from JCB on the acquiring host in 2021.

Do Diners payments also require SCA?

Diners payments are also considered to be electronic payments and thus are subject to the SCA obligation. Concardis has completed all the SCA certifications for Diners payments and thus can successfully process Diners transactions both on the acquiring host and on the PSP platform.