UK Finance Revised SCA Ramp Up plan - November 2021
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
UK Finance Revised SCA Ramp Up plan November 2021
UK SCA Ramp Up: Sprint Ramp Up targets – Q1 2022 Ensuring SCA compliance by 14th March 2022 in a controlled manner Overview The SCA PMO have previously communicated the industry agreed Ramp Up plan, which was initiated in June 2021 and then reviewed and re- communicated to industry on 17 September 2021. • Phase 2 (Implementation of a maintenance Ramp Up) required card issuers to reach a minimum 3% Ramp Up target by 15 October 2021. • Phase 3 (Sprint Ramp Up) will follow the same principles with revised targets - Targets will be set for the authorisation flow rather than authentication flow - Issuers will continue to apply the revised targets regardless of their Ramp Up method (checking non-compliant transactions or sampling transactions sent to authorisations) - All monitoring processes in place will continue: • Issuer metrics – turnaround timelines will be accelerated • Scheme metrics – data supporting industry wide visibility • Acquirer metrics – focussed on understanding merchant readiness - The SCA PMO will continue working with relevant members in the ecosystem to minimise the customer impact 2
Revised UK Industry SCA Implementation Plan UK Only: 2021 - 2022 activities: Enabling a controlled roll out to minimise customer impact 2021 2022 Sept Oct Nov Dec Jan Feb Mar SCA Enforcement Phase 1: Participation Lock In Phase 2: Maintain Ramp Up and Detailed Industry Preparation 14 March 2022 Phase 3: Sprint Ramp Up 3% By 15th October 2021 15th October to 18th January 2022 18th January 2022 – 14th March 2022 SCA Initiatives Live SCA Ramp up Authentication: 3DS activated (to include usage of Authentication (3DS) Authorisation exemptions if applicable) Exemptions Exemptions and correct flagging (MIT ongoing and other out of scope) Transaction Risk Analysis (TRA). Other exemptions could include Trusted Beneficiary and Transaction Risk Analysis (TRA). Other exemptions include Secure Corporate Payment Authorisation: Correct flagging and usage of Secure Corporate Payment and Low Value Payment, MIT ongoing and other out of scope exemptions SCA step ups SCA soft declines All transactions within the scope of SCA (not using an exemption). This includes Transactions in the SCA scope sent directly to authorisation with no exemptions flag. It Authorisation: Soft decline recognition (if applicable) Merchants Initiated Transactions (MIT) set up includes LV soft decline when the cumulative LV limit has been reached 3
UK SCA Ramp Up Approach: Authorisation Ramp Up targets have been defined to mitigate the cliff edge implementation and drive merchant readiness Transaction flows Issuer Action Target by Mar 22 Risk* Considerations Sprint Ramp Up targets are applicable regardless of the sampling method applied by Issuers: To recognise** all flagged 1. Checking non-compliance transactions 1. Acquirer TRA or transactions: 2. Up to £25 NA – As triggered by Correct Flagging 1. Acquirer TRA Low merchants/acquirers 2. Sampling transactions sent to 2. LV 3. 100% 4. 100% authorisations 3. SCP 4.MIT ongoing Gradual introduction of CLV – Choose 1 or Soft Declines* a combination of: • BIN by BIN £85 (or by 5 NA – As triggered by Medium Cumulative Low • Inflated CLV transactions) merchants/acquirers Value (CLV) • Convert into TRA Soft Declines* Monthly percentage target to be Non-Flagged achieved by 1 or a In scope with no combination of: Detailed plan provided (on following 100% High page) exemption (and issuer • By value unable to • By frequency authenticate) • By BIN 4 *Risk of Transactions being declined if they fall in the target
UK SCA Ramp Up Approach: Authorisation Sprint Ramp Up targets are applicable regardless of the sampling method applied by Issuers Feb – 15th Transaction flows Issuer Action Oct Nov Dec 18th Jan 22 1st Feb 22 15th Feb 22 1st Mar 22 14th Mar 22 To recognise all flagged 1. As per acquirer TRA transactions: Correct 2. Up to £25 1. Acquirer TRA Flagging* 2. LV 3. 100% 3. SCP 4. 100% 4.MIT ongoing Gradual introduction of CLV – Choose 1 or Soft Declines** a combination of: • BIN by BIN As per Defined by Issuer Cumulative Low • Inflated CLV BAU Value (CLV) • Convert into TRA Sprint Ramp Up Soft Declines* Monthly percentage Non-Flagged target to be achieved by 1 or a In scope with no combination of: As per exemption (and 3% 3% 10% 30% 50% 75% 100% • By value BAU issuer unable to • By frequency authenticate) • By BIN SCA PMO will be monitoring data from top 10 issuers on a fortnightly basis and will adjust as required *Only main exemptions used commonly across the industry are listed and in the scope of UKF PMO **Risk of Transactions being declined if they fall in the target Top 10 Issuer Transparency Table to be issued to PMO Task Force to monitor level of impact 5
UK SCA Ramp Up: Understanding the impact The Issuers transparency table (Top 10 only) will be available to the PMO a week after each milestone. Aggregated industry data will continue to be provided to members on a weekly basis Metrics Calendar • Top 10 issuers will provide the metrics data every two weeks as per the table below • Process for all issuers is still under discussion Reporting Period (Single day) Issuer Transparency Table Deadline for Reporting Based on Sprint Ramp Up Target shared with the ETF* Tuesday 18th January Friday 21st January Tuesday 25th January Tuesday 1st February Friday 4th February Tuesday 8th February Tuesday 15th February Friday 18th February Tuesday 22nd February Tuesday 1st March Friday 4th March Tuesday 8th March Monday 14th March Friday 18th March Tuesday 22nd March Further reporting post enforcement TBC * Dates only achievable if Issuers provide returns by deadline (no PMO chasing required) and data doesn’t need PMO query or validation with Issuers 6
UK SCA Ramp Up Approach: Authentication Issuers have the flexibility to define their Ramp Up pace to ensure customers, operational and systems readiness for the SCA Authentication flows Transaction flows Issuer action Target by Mar 22 Risk* Considerations Start using an An inflated TRA is expected to trigger around 2% extra challenges. Issuer TRA inflated issuer TRA Issuer TRA up to Low Flexibility: Issuers might use other principles that allows them to prepare their customers for threshold (pre SCA £85, £220 or £440 SCA exemptions their target TRA enforcement) Issuers to start recognising Acquirer TRA acquirer TRA Acquirer TRA up to threshold Low NA. As triggered by merchants/acquirers acquirers: using £85, £220 or £440 (only 3DS2.2) the TRA as per SCA guidelines Step up (i.e. OTP An inflated TRA is expected to trigger around 2% extra challenges. or other 2FA) Above issuer Flexibility: Issuers might use other principles that allows them to prepare their customers for step transactions Issuer TRA Medium TRA threshold ups (i.e. OTP or other 2FA) above the target TRA above inflated Linked to Issuer TRA threshold SCA step ups TRA Step up all e-merchant transactions as per 100% Low NA. As triggered by merchants/acquirers request merchant request i.e. MIT first flag 7
UK SCA Ramp Up Approach: Authentication Issuers have the flexibility to define their Ramp Up pace to ensure customers, operational and systems readiness for the SCA Authentication flows Transaction flows Feb - Aug Sep 15th Oct Nov Dec 18th Jan 22 1st Feb 22 15th Feb 22 1st Mar 22 14th Mar 22 Issuer flexibility in using alternative strategies to prepare their customers for their target TRA (i.e. Inflated TRA) Issuer TRA Risk based (>98%) threshold authentication SCA exemptions % of potential transactions impacted (for reference only)** Risk based authentication continues Acquirer TRA As per acquirer TRA threshold (only 3DS2.2) Above Issuer flexibility in using alternative strategies to prepare their customers for step ups (i.e. OTP or other 2FA) above the target TRA Risk based step issuer TRA (>98%) ups threshold SCA step ups % of potential transactions impacted (for reference only)** e-merchant 100% request *Risk of Transactions Being Declined ** Based on non-secured volume of transactions by band. Source: Implementation TF issuers 8
Appendix 9
eCommerce Journeys impacted by SCA Overview of all SCA transaction flows impacted by the regulation. The UKF Ramp Up only will set targets for the Authorisation flows merchant/Acquirer Transaction flows Description Issuer action Friction action • TRA thresholds:
Issuer Ramp Up Guidance There are two methods for the ramp up target. Both methods look at authorisation data only and reach to the same volume of soft-declines Ramp Up Method SCA Compliance Ramp up Outcomes Pros / Cons of Methods Approach (Authorisation 1,000 in-scope ecommerce transactions ✓ Targeting specifically non-compliant All in-scope e-Commerce transactions Traffic) transactions to ensure merchants Authentication Compliant Transactions 3DS MIT Exemption No flag readiness by SCA enforcement date with 3DS flags 20%* 10%* 30%* 40%* ✓ Minimising customer impact by not compliance checking all transactions Flagged Compliant ✓ Sending a clear signal to merchants correctly on importance of exemption flagging Ramp up target: 400 MIT not Issuers soft and readiness Method flagged decline non- 1 correctly Some issuers may opt to include MIT not correctly flagged as part of their sampling compliant Authorisation Soft Decline Targets transactions χ May not include MIT transactions not (Direct to as per Soft-declines on 18 Jan @ 10% flagged correctly – resulting in large as per issuer Non- targets: Authorisation) approach. For target: 40 declines at enforcement date compliant Non-flagged example: χ Checks by issuers that will be required (incorrectly 100% June: soft- 75% decline 10% at enforcement date, would not be flagged) 50% tested prior to enforcement • By value 30% of non- SCA Soft declines as % of ramp up • By frequency compliant 10% transactions target: 10% • By BIN 3% Jun -15 15 Oct – 18 Jan 22 1 Feb 22 15 Feb 22 1 Mar 22 14 Mar 22 Oct 17 Jan 22 (Authorisation 1,000 in-scope ecommerce transactions ✓ Targeting all in-scope e-Commerce All in-scope e-Commerce transactions Traffic) Checking traffic could lead to more short term Authentication Compliant SCA Transactions 3DS MIT Exemption No flag pain in declines (as a percentage of with 3DS flags compliance 20%* 10%* 30%* 40%* sample) but will provide greater on all in- readiness assurance to issuers as all Flagged scope e- Compliance Targets Compliant commerce journeys are being checked correctly as per issuer ✓ At enforcement date, issuers will be traffic and Sample size on 18 Jan @10% target: 100 MIT not approach. For soft- 100% compliant Method flagged example: 100% declining if ✓ Sending a clear signal to merchants 2 correctly non- No flag on importance of exemption flagging 40%* Authorisation • By value 75% compliant and readiness (Direct to • By frequency Non- June: 10% Authorisation) • By BIN of all in χ May dilute message to target only 50% compliant Non-flagged scope Soft-declines on 18 Jan: 40 non-flagged (non-compliant) (incorrectly 30% transactions transactions. flagged) are checked 10% for 3% SCA Soft declines as % of sample: 40% compliance Jun -15 15 Oct – 18 Jan 22 1 Feb 22 15 Feb 22 1 Mar 22 14 Mar 22 Oct 17 Jan 22 *Proportions based on 14 – 20 June industry SCA data
You can also read