UK Finance Revised SCA Ramp Up plan - November 2021

Page created by Ken Mccarthy
 
UK SCA Ramp Up: Sprint Ramp Up targets – Q1 2022
Ensuring SCA compliance by 14th March 2022 in a controlled manner

Overview
The SCA PMO have previously communicated the industry agreed Ramp Up plan, which was initiated in June 2021 and then reviewed and re-communicated to industry on 17 September 2021.

• Phase 2 (Implementation of a maintenance Ramp Up) required card issuers to reach a minimum 3% Ramp Up target by 15 October 2021.
• Phase 3 (Sprint Ramp Up) will follow the same principles with revised targets.

- Targets will be set for the authorisation flow rather than authentication flow

- Issuers will continue to apply the revised targets regardless of their Ramp Up method (checking non-compliant transactions or sampling transactions sent to authorisations)

- All monitoring processes in place will continue:
       • Issuer metrics – turnaround timelines will be accelerated
       • Scheme metrics – data supporting industry wide visibility
       • Acquirer metrics – focussed on understanding merchant readiness

- The SCA PMO will continue working with relevant members in the ecosystem to minimise the customer impact

Revised UK Industry SCA Implementation Plan
UK Only: 2021 - 2022 activities: Enabling a controlled roll out to minimise customer impact

Timeline: Sept, Oct, Nov, Dec 2021; Jan, Feb, Mar 2022

• Phase 1: Participation Lock In (by 15th October 2021)
• Phase 2: Maintain Ramp Up and Detailed Industry Preparation (15th October to 18th January 2022): 3%
• Phase 3: Sprint Ramp Up (18th January 2022 – 14th March 2022)
• SCA Enforcement: 14 March 2022

SCA Initiatives Live
- Authentication: 3DS activated (to include usage of exemptions if applicable)
- Authorisation: Correct flagging and usage of exemptions
- Authorisation: Soft decline recognition (if applicable)

SCA Ramp up: Authentication (3DS)
- Exemptions: Transaction Risk Analysis (TRA). Other exemptions could include Trusted Beneficiary and Secure Corporate Payment
- SCA step ups: All transactions within the scope of SCA (not using an exemption). This includes Merchants Initiated Transactions (MIT) set up

SCA Ramp up: Authorisation
- Exemptions and correct flagging (MIT ongoing and other out of scope): Transaction Risk Analysis (TRA). Other exemptions include Secure Corporate Payment and Low Value Payment, MIT ongoing and other out of scope
- SCA soft declines: Transactions in the SCA scope sent directly to authorisation with no exemptions flag. It includes LV soft decline when the cumulative LV limit has been reached

UK SCA Ramp Up Approach: Authorisation
Ramp Up targets have been defined to mitigate the cliff edge implementation and drive merchant readiness

Sprint Ramp Up targets are applicable regardless of the sampling method applied by Issuers:
1. Checking non-compliance transactions, or
2. Sampling transactions sent to authorisations

Columns: Transaction flows; Issuer Action; Target by Mar 22; Risk*; Considerations

• Correct Flagging
  - Issuer Action: To recognise** all flagged transactions: 1. Acquirer TRA, 2. LV, 3. SCP, 4. MIT ongoing
  - Target by Mar 22: 1. Acquirer TRA, 2. Up to £25, 3. 100%, 4. 100%
  - Risk*: Low
  - Considerations: NA – As triggered by merchants/acquirers

• Soft Declines*: Cumulative Low Value (CLV)
  - Issuer Action: Gradual introduction of CLV – Choose 1 or a combination of: BIN by BIN; Inflated CLV; Convert into TRA
  - Target by Mar 22: £85 (or by 5 transactions)
  - Risk*: Medium
  - Considerations: NA – As triggered by merchants/acquirers

• Soft Declines*: Non-Flagged, in scope with no exemption (and issuer unable to authenticate)
  - Issuer Action: Monthly percentage target to be achieved by 1 or a combination of: By value; By frequency; By BIN
  - Target by Mar 22: 100%
  - Risk*: High
  - Considerations: Detailed plan provided (on following page)

*Risk of Transactions being declined if they fall in the target
UK SCA Ramp Up Approach: Authorisation
Sprint Ramp Up targets are applicable regardless of the sampling method applied by Issuers

Columns: Transaction flows; Issuer Action; Feb – 15th Oct; Nov; Dec; 18th Jan 22; 1st Feb 22; 15th Feb 22; 1st Mar 22; 14th Mar 22

• Correct Flagging*
  - Issuer Action: To recognise all flagged transactions: 1. Acquirer TRA, 2. LV, 3. SCP, 4. MIT ongoing
  - Targets: 1. As per acquirer TRA, 2. Up to £25, 3. 100%, 4. 100%

• Soft Declines**: Cumulative Low Value (CLV)
  - Issuer Action: Gradual introduction of CLV – Choose 1 or a combination of: BIN by BIN; Inflated CLV; Convert into TRA
  - Feb – 15th Oct: As per BAU
  - Then: Defined by Issuer

• Soft Declines*: Non-Flagged, in scope with no exemption (and issuer unable to authenticate)
  - Issuer Action: Monthly percentage target to be achieved by 1 or a combination of: By value; By frequency; By BIN
  - Feb – 15th Oct: As per BAU
  - Nov: 3%
  - Dec: 3%
  - Sprint Ramp Up:
       • 18th Jan 22: 10%
       • 1st Feb 22: 30%
       • 15th Feb 22: 50%
       • 1st Mar 22: 75%
       • 14th Mar 22: 100%

SCA PMO will be monitoring data from top 10 issuers on a fortnightly basis and will adjust as required
Top 10 Issuer Transparency Table to be issued to PMO Task Force to monitor level of impact

*Only main exemptions used commonly across the industry are listed and in the scope of UKF PMO
**Risk of Transactions being declined if they fall in the target
UK SCA Ramp Up: Understanding the impact
The Issuers transparency table (Top 10 only) will be available to the PMO a week after each milestone.
Aggregated industry data will continue to be provided to members on a weekly basis

Metrics Calendar

• Top 10 issuers will provide the metrics data every two weeks as per the table below
• Process for all issuers is still under discussion

Reporting Period (Single day),        Deadline for Reporting        Issuer Transparency Table
based on Sprint Ramp Up Target                                      shared with the ETF*

Tuesday 18th January                  Friday 21st January           Tuesday 25th January
Tuesday 1st February                  Friday 4th February           Tuesday 8th February
Tuesday 15th February                 Friday 18th February          Tuesday 22nd February
Tuesday 1st March                     Friday 4th March              Tuesday 8th March
Monday 14th March                     Friday 18th March             Tuesday 22nd March

Further reporting post enforcement TBC

  * Dates only achievable if Issuers provide returns by deadline (no PMO chasing required) and data doesn’t need PMO query or validation with Issuers

UK SCA Ramp Up Approach: Authentication
Issuers have the flexibility to define their Ramp Up pace to ensure customers, operational and systems readiness for the SCA Authentication flows

Columns: Transaction flows; Issuer action; Target by Mar 22; Risk*; Considerations

SCA exemptions

• Issuer TRA threshold
  - Issuer action: Start using an inflated issuer TRA (pre SCA enforcement)
  - Target by Mar 22: Issuer TRA up to £85, £220 or £440
  - Risk*: Low
  - Considerations: An inflated TRA is expected to trigger around 2% extra challenges. Flexibility: Issuers might use other principles that allow them to prepare their customers for their target TRA

• Acquirer TRA threshold (only 3DS2.2)
  - Issuer action: Issuers to start recognising acquirer TRA acquirers: using the TRA as per SCA guidelines
  - Target by Mar 22: Acquirer TRA up to £85, £220 or £440
  - Risk*: Low
  - Considerations: NA. As triggered by merchants/acquirers

SCA step ups

• Above issuer TRA threshold
  - Issuer action: Step up (i.e. OTP or other 2FA) transactions above inflated TRA
  - Target by Mar 22: Issuer TRA
  - Risk*: Medium
  - Considerations: An inflated TRA is expected to trigger around 2% extra challenges. Flexibility: Issuers might use other principles that allow them to prepare their customers for step ups (i.e. OTP or other 2FA) above the target TRA. Linked to Issuer TRA threshold

• e-merchant request
  - Issuer action: Step up all transactions as per merchant request i.e. MIT first flag
  - Target by Mar 22: 100%
  - Risk*: Low
  - Considerations: NA. As triggered by merchants/acquirers
UK SCA Ramp Up Approach: Authentication
Issuers have the flexibility to define their Ramp Up pace to ensure customers, operational and systems readiness for the SCA Authentication flows

Columns: Transaction flows; Feb - Aug; Sep; 15th Oct; Nov; Dec; 18th Jan 22; 1st Feb 22; 15th Feb 22; 1st Mar 22; 14th Mar 22

SCA exemptions

• Issuer TRA threshold
  - Risk based authentication
  - Issuer flexibility in using alternative strategies to prepare their customers for their target TRA (i.e. Inflated TRA)
  - (>98%)
  - % of potential transactions impacted (for reference only)**
  - Risk based authentication continues

• Acquirer TRA threshold (only 3DS2.2)
  - As per acquirer TRA

SCA step ups

• Above issuer TRA threshold
  - Risk based step ups
  - Issuer flexibility in using alternative strategies to prepare their customers for step ups (i.e. OTP or other 2FA) above the target TRA
  - (>98%)
  - % of potential transactions impacted (for reference only)**

• e-merchant request
  - 100%

*Risk of Transactions Being Declined
** Based on non-secured volume of transactions by band. Source: Implementation TF issuers
Appendix

eCommerce Journeys impacted by SCA
Overview of all SCA transaction flows impacted by the regulation. The UKF Ramp Up will only set targets for the Authorisation flows

Columns: Transaction flows; Description; merchant/Acquirer action; Issuer action; Friction

                                                                                                                •   TRA thresholds:
Issuer Ramp Up Guidance
There are two methods for the ramp up target. Both methods look at authorisation data only and reach the same volume of soft-declines

Columns: Ramp Up Method; SCA Compliance Ramp up Approach; Outcomes; Pros / Cons of Methods

Method 1

• All in-scope e-Commerce transactions (Authorisation Traffic)
  - Authentication: Transactions with 3DS flags: Compliant
  - Authorisation (Direct to Authorisation): Flagged correctly: Compliant
  - Authorisation (Direct to Authorisation): MIT not flagged correctly. Some issuers may opt to include MIT not correctly flagged as part of their sampling
  - Authorisation (Direct to Authorisation): Non-flagged (incorrectly flagged): Non-compliant

• Soft Decline Targets as per issuer approach. For example: By value; By frequency; By BIN
  - Jun - 15 Oct
  - 15 Oct – 17 Jan 22: 3%
  - 18 Jan 22: 10%
  - 1 Feb 22: 30%
  - 15 Feb 22: 50%
  - 1 Mar 22: 75%
  - 14 Mar 22: 100%

• SCA Compliance Ramp up Approach: Issuers soft decline non-compliant transactions as per targets: June: soft-decline 10% of non-compliant transactions

• Outcomes: 1,000 in-scope ecommerce transactions
  - 3DS 20%*; MIT 10%*; Exemption 30%*; No flag 40%*
  - Ramp up target: 400
  - Soft-declines on 18 Jan @ 10% target: 40
  - SCA Soft declines as % of ramp up target: 10%

• Pros / Cons of Methods
  ✓ Targeting specifically non-compliant transactions to ensure merchants readiness by SCA enforcement date
  ✓ Minimising customer impact by not compliance checking all transactions
  ✓ Sending a clear signal to merchants on importance of exemption flagging and readiness
  χ May not include MIT transactions not flagged correctly – resulting in large declines at enforcement date
  χ Checks by issuers that will be required at enforcement date, would not be tested prior to enforcement

Method 2

• All in-scope e-Commerce transactions (Authorisation Traffic)
  - Authentication: Transactions with 3DS flags: Compliant
  - Flagged correctly: Compliant
  - MIT not flagged correctly

• Outcomes: 1,000 in-scope ecommerce transactions
  - 3DS 20%*; MIT 10%*; Exemption 30%*; No flag 40%*
  - Sample size on 18 Jan @10% target: 100
  - No flag 40%*

• Pros / Cons of Methods
  ✓ Targeting all in-scope e-Commerce traffic could lead to more short term pain in declines (as a percentage of sample) but will provide greater readiness assurance to issuers as all journeys are being checked
  ✓ At enforcement date, issuers will be 100% compliant
  ✓ Sending a clear signal to merchants on importance of exemption flagging and readiness

• SCA Compliance Ramp up Approach: Checking SCA compliance on all in-scope e-commerce traffic and soft-declining if non-compliant

• Compliance Targets as per issuer approach. For example: By value
  - 100%
  - 75%
                                                       (Direct to                       •     By frequency
                                                                                                                                                                                                       Non-       June: 10%
                                                     Authorisation)                     •     By BIN                                                                                                                of all in
                                                                                                                                                                                                                                                                            χ   May dilute message to target only
                                                                                                                                                                     50%                             compliant
                                                                       Non-flagged                                                                                                                                  scope              Soft-declines on 18 Jan: 40              non-flagged (non-compliant)
                                                                       (incorrectly                                                                      30%
                                                                                                                                                                                                                 transactions                                                   transactions.
                                                                         flagged)                                                                                                                                are checked
                                                                                                                                              10%
                                                                                                                                                                                                                       for
                                                                                                                                   3%                                                                                           SCA Soft declines as % of sample: 40%
                                                                                                                                                                                                                  compliance
                                                                                                                       Jun -15    15 Oct –   18 Jan 22   1 Feb 22   15 Feb 22 1 Mar 22   14 Mar 22
                                                                                                                         Oct     17 Jan 22
 *Proportions based on 14 – 20 June industry SCA data