Online shopping without soft declines

30 / 08 / 2021

Are transactions in your online shop being rejected? One of the biggest challenges for merchants who want to make their online business PSD2-compliant is dealing with so-called soft declines. We show you how to detect and avoid soft declines.

Why do soft declines occur and how can you avoid them?

One of the major challenges merchants face when making their online business PSD2-compliant is the handling of so-called soft declines. A soft decline can occur when the card issuer determines that the authorisation does not meet the PSD2 requirement to authenticate the payment with Strong Customer Authentication (SCA) mechanisms.

Soft declines mainly affect merchants who do not use the standard integration (Saferpay Payment Page) or merchants who simply do not have a 3-D Secure contract yet.

In this blog article you will learn how soft declines occur, why your customers need to authenticate and how to avoid soft declines.

As a refresher: Not every transaction requires SCA. Here is a short summary of the cases in which SCA is not needed:

  • The payment is executed in a mail/phone order (MOTO) environment, e.g. a call center.
  • The payment is executed by the merchant with no involvement of the consumer – a so-called Merchant-Initiated Transaction (MIT), e.g. regular subscription fees or pay-per-use fees.
  • The merchant takes liability for fraud by requesting the card issuer to exempt the payment from SCA, e.g. by individually assessing the risk of the payment through a risk assessment process as outlined by PSD2.

When none of the above applies, especially when merchants are not willing to take the liability for fraud, the payment needs to be authenticated by your customer.


Frictionless authentication cannot completely replace SCA

A powerful tool to increase conversion is so-called frictionless authentication. This allows card issuers to assess the risk of the payment by inspecting the payment and web browser details and comparing them with data recorded in their huge transaction databases. If the risk is acceptable, they may allow the merchant to skip SCA. All data used by the card issuer to assess the risk is transmitted without consumer involvement, so this causes no additional friction during the checkout process. Best of all, the card issuer takes the liability for fraud.

While this is great for improving the payment conversion rate, it is not suited for initiating regular or recurring payments. PSD2 demands that when initiating these, meaning when paying for the first time, the payment has to undergo full SCA. A frictionless authentication is not enough because the cardholder must explicitly grant the merchant the right to charge them whenever the reason for a subsequent regular payment applies.


Tips & Tricks: Avoid soft declines

We advise merchants to review their integration and follow these principles to avoid soft declines:

Detecting whether you are affected by soft declines

The card acquirer indicates a soft decline with the dedicated response code "1A". This response code can be seen in the failed transactions journal in the Saferpay Backoffice.

When using the JSON API to integrate Saferpay into your application you will also receive the dedicated ErrorName value "PAYER_AUTHENTICATION_REQUIRED". A JSON API error response indicating a soft decline looks like this:

Use 3-D Secure when sending the customer to payment

To allow your customers to authenticate their payments you must use 3-D Secure (3DS). Please ensure that the terminal that you use for customer payments is activated for 3DS. To verify this, log in to the Saferpay Backoffice, browse to "Settings > Payment Means / Terminals" and, if you use more than one terminal, select the relevant terminal from the dropdown list. The check mark in the 3DS column tells you that 3DS is activated.

There is no check mark? Please contact our customer service team or your account manager to assist you with activating 3DS.

What if you still experience soft declines?

In this case you should create a new payment, but be sure to enforce SCA this time. Please follow the instructions in our Integration Guide on how to enforce SCA.


Enforce SCA when initiating regular payments

As regular payments need to be initialized with full SCA, be sure to enforce authentication in these situations:

  • Creating a Secure Card Data (SCD) alias that is going to be used for subsequent payments in the future. SCD aliases can be created by only registering a card or in the context of a customer payment. In both cases full SCA is necessary in order to create PSD2-compliant subsequent merchant-initiated transactions. As pointed out before, a frictionless authentication is not enough. Thus, to ensure that full SCA is done, you need to explicitly enforce it. See our Integration Guide for details.
  • Starting a recurring payment based on a fixed schedule (e.g. subscription fees). The initial payment needs to be fully authenticated in order to create PSD2-compliant subsequent recurring transactions. As with registrations of card aliases, this needs to be explicitly enforced. See our Integration Guide for details.

What if you still experience soft declines?

In this case we recommend letting your customer initiate the regular payment again with full SCA. This means your customer needs to either re-register the card or perform the recurring payment again with enforced SCA.


Be sure to request an exemption when skipping authentication

When sending your customer to payment during a checkout process, authentication is required. However, merchants who are willing to take the liability for fraud in favour of an improved user experience and a higher order conversion rate can request an exemption from authentication under certain conditions. It is important to note that merchants need approval from their card acquirer before requesting exemptions, as these might have an impact on the merchant's fraud level as determined by the card acquirer.

It is important not to just skip the authentication but to expressly request an exemption. Otherwise the authorisation will be rejected with a soft decline.

What if you still experience soft declines?

In this case you should create a new payment and let your customer authenticate it, e.g. using the JSON API Payment Page interface.
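The detection signals described earlier (response code "1A" and ErrorName "PAYER_AUTHENTICATION_REQUIRED") can be combined with the three follow-up recommendations above to see which part of an integration is affected. The following is an added example, not Saferpay's own code: the flow labels, the `ProcessorResult` field as carrier of the acquirer code, and the sample records are assumptions made for illustration.

```python
import json
from collections import Counter

SOFT_DECLINE_ERROR = "PAYER_AUTHENTICATION_REQUIRED"  # ErrorName given in the article
SOFT_DECLINE_CODE = "1A"                              # acquirer response code given in the article

# Follow-up per flow, taken from the article's "still experience soft declines" advice.
# The flow labels are hypothetical names chosen for this example.
REMEDIATION = {
    "customer_payment": "create a new payment with SCA enforced",
    "alias_registration": "customer re-registers the card with SCA enforced",
    "recurring_initial": "customer performs the recurring payment again with SCA enforced",
    "exemption_request": "create a new payment and let the customer authenticate it",
}

def is_soft_decline(error_body):
    """True if an error body carries the soft-decline ErrorName or code 1A."""
    try:
        err = json.loads(error_body)
    except (TypeError, ValueError):
        return False  # unparseable bodies are not counted as soft declines
    if not isinstance(err, dict):
        return False
    # Assumption: the acquirer response code is exposed in "ProcessorResult".
    return (err.get("ErrorName") == SOFT_DECLINE_ERROR
            or err.get("ProcessorResult") == SOFT_DECLINE_CODE)

def soft_decline_report(failed):
    """failed: iterable of (flow, error_body). Returns {flow: (count, action)}."""
    counts = Counter(flow for flow, body in failed if is_soft_decline(body))
    return {flow: (n, REMEDIATION.get(flow, "review the integration"))
            for flow, n in counts.items()}

# Constructed sample of failed authorisations (not real Saferpay output).
SAMPLE = [
    ("customer_payment", '{"ErrorName": "PAYER_AUTHENTICATION_REQUIRED"}'),
    ("customer_payment", '{"ErrorName": "SOME_OTHER_ERROR", "ProcessorResult": "05"}'),
    ("recurring_initial", '{"ErrorName": "SOME_OTHER_ERROR", "ProcessorResult": "1A"}'),
    ("exemption_request", '{"ErrorName": "PAYER_AUTHENTICATION_REQUIRED"}'),
    ("exemption_request", "not json"),
]

if __name__ == "__main__":
    for flow, (n, action) in sorted(soft_decline_report(SAMPLE).items()):
        print(f"{flow}: {n} soft decline(s) -> {action}")
```

A soft-declined authorisation is never resent unchanged here; each flow maps to a new attempt in which the customer authenticates.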


Conclusion

Managing soft declines correctly can be challenging. Nonetheless, 3-D Secure 2 offers great new ways of finding the right balance between fraud risk and higher conversion, and comes with an improved user experience compared to its predecessor, which makes it worth going the extra mile.