• Developers
  • Reporting
  • Disputes
  • Contact us
  • Log in

Main Navigation

  • Account

      Account

        • Customer docs & pricing

          Find important documents such as our Terms of Service and Merchant Operating Instructions, as well as more information on things like Stored Credential Transactions and the Account Updater Service

        • Compliance & security

          For more information on Strong Customer Authentication, PCI Compliance, and fraud prevention best practices

        • Stationery ordering

          Order your tally rolls, card scheme logo stickers, and more

        • FAQs

          Our FAQs can help you with queries including pricing changes, cleaning and restarting your terminals, and Multi-Factor Authentication

  • Products

      Products

        • POS help
        • Ecommerce help
        • Bank Payment
  • Insights
  • Trending Articles
Sign up
Search

Main Navigation

  • Account
      Account

      Account

    • Customer docs & pricing
    • Compliance & security
    • Stationery ordering
    • FAQs
  • Products
      Products

      Products

    • POS help
    • Ecommerce help
    • Bank Payment
  • Insights
  • Trending Articles
    • Developers
    • Reporting
    • Disputes
    • Contact us
    • Log in
    Sign up /en-gb/sitecore/content/gpn/corporate/corporate/home/modals/signup-homepage

Sidebar Navigation

  • Account -
    • FAQs +
      • Pricing frequently asked questions +
      • PCI Frequently asked questions +
      • Best practice for cleaning your POS device(s) +
      • Terminal restart guide +
      • CNP FAQs - resubmitting declined transactions +
      • Multi-Factor Authentication for Global Payments Ecommerce Portal +
      • Ecommerce FAQs +
      • Bank Payment FAQs +
      • Your invoice explained +
      • How do I make a complaint +
    • Customer Docs & Pricing +
      • Terms of Service +
      • Merchant Operating Instructions +
      • Interchange fee update +
      • Recovered card form +
      • Mastercard and Visa Interchange rates +
      • Merchant Data Processing Notice +
      • Enhanced Authorisation Data Service merchant implementation guide +
      • Stored Credential Guide +
      • SCT Technical Implementation Guide +
      • SCT Decision Tree +
      • Account Updater Service +
      • Account Updater migration to UK Ensurebill +
    • Compliance & Security -
      • Ecommerce fraud management +
      • Know the risks +
      • Online Card Not Present Best Practices +
      • Fraud Hints and Tips Guide +
      • Reducing Risk of Fraud Guide +
      • Guide to Patching +
      • Know the risks +
      • What To Do If You're Compromised +
      • PCI Frequently asked questions +
      • SCA -
        • One-off payments without saving card details
        • One-click payments without saving card details
        • Card saved for recurring, automatic payments
        • Payment over the phone (MO/TO)
        • What Do I Need to Do to Be SCA Compliant?
        • PSD2 and SCA Technical Information Guide
        • Strong Customer Authentication Decision Tree
        • How to use the Strong Customer Authentication (SCA) Authentication Outage Indicator
    • Stationery ordering +
    • How do I understand my invoice? +
  • Products +
    • Point of Sale Help +
      • Quick Start Guide Miura M10 Device +
      • Quickstart Guide Miura M20 Device +
    • Ecommerce Help +
      • Transaction management +
      • Customer management +
      • Fraud Management +
      • Resetting your password +
      • Virtual Terminal +
      • Ecommerce portal navigation +
      • User Management +
      • Transaction reporting +
      • Ecommerce FAQs +
    • Bank Payment +
      • Bank Payment FAQs +
      • Bank Payment sales sheet +
  1. Home
  2. Account
  3. Compliance & Security
  4. SCA
  5. How to use the Strong Customer Authentication (SCA) Authentication Outage Indicator
Last updated 01/25/2023
2 Min Read Time

How to use the Strong Customer Authentication (SCA) Authentication Outage Indicator

Guidance for PSPs and ecommerce merchants.

What is the SCA Authentication Outage Indicator?
The SCA Authentication Outage Indicator, (sometimes referred to as the Resilience Indicator or Flag) is a value in the authorisation message to the card issuer that indicates that the merchant or their Payment Service Provider (PSP) had technical difficulties and wasn’t able to perform a 3DS authentication to authenticate the cardholder as required by PSD2 regulations. The UK and French national regulators have given card issuers permission to take it into account when they decide whether to approve or decline a non-secure authorisation request.

Who would use it?
Ecommerce merchants and/or their PSP can set the flag if they couldn’t authenticate the card holder due to technical difficulties. The flag isn't used by merchants with terminals in a card-present situation.

Is it a new SCA Exemption?
No, the SCA Authentication Outage Indicator isn’t an exemption to be requested. It should only be used during a persistent outage (not in the case of a temporary random network ‘glitch’) to ensure that electronic commerce is not disrupted and to indicate that a merchant that normally would be doing EMV 3DS has not in this specific instance been able to authenticate the cardholder.

When can it be used?
The SCA Authentication Outage Indicator can only be used in ‘extraordinary circumstances’ and should be seen as a last resort. It’s to be used when no response from the issuer authentication system has been or can be received. It’s recommended that an actual applicable exemption be tried first if possible (e.g. Low Value). The specific parameters around usage are explained below in this document.

Can it be used for all cards?
No, only the UK (and Gibraltar) and French regulators allow their national card issuers to take the flag into account. Nothing would prevent a UK based merchant\PSP submitting the flag to a German card issuer for example, but the issuer is required to decline the transaction.

Will the authorisation be approved?
It’s important to recognise that issuers aren’t required to take account of the flag and approve the transaction. At this stage it’s too early to say what will happen and how issuers will react. It’s more likely that if the transaction is for a relatively small amount and the issuer can see that the card holder is a regular shopper at the merchant using the flag then there’s a greater chance for it to be approved.

Who will be liable for fraud if the transaction is approved?
Liability remains with the merchant, not the issuer because the transaction is non-secure without the authentication having taken place.

Are there any restrictions on what kind of transactions can use the SCA Authentication Outage Indicator?
Yes, even if an authorisation request using the SCA Authentication Outage Indicator is approved by the issuer, it MUST NOT be used to set up a recurring transaction or to store card details for the card on file. Merchant Initiated Transactions cannot be chained back to such an authorisation. Merchant Initiated Transactions can only follow a fully authenticated Customer Initiated Ecommerce Transaction. The SCA Authentication Outage Indicator may not be used on Account Verification messages either.

Is the flag used when the card issuer has a problem?
No, if the issuer is having problems then the card scheme ‘stands in’ and authenticates on their behalf. The SCA Authentication Outage Indicator is to be used specifically when the merchant or their PSP has technical issues that prevents them from connecting to the authentication network.

The most common scenario for technical problems with authentication is when the issuer’s Access Control Server (ACS) is unavailable for some reason.
It’s for this reason that the card schemes have built their ‘stand in’ systems to ensure that merchants can continue to function in line with PSD2 regulation. Both UK Finance and the card schemes are explicit in stating that the Authentication Outage Indicator is not to be used in this circumstance.

What are the specific parameters around use?
UK Finance suggests two likely scenarios that may occur when it is appropriate to use the resilience indicator:

  • A PSP\gateway failure that prevents the merchant being able to perform 3DS
  • A major outage takes place within one of the card schemes’ infrastructure when both the scheme’s directory server services are unavailable and their ‘3DS stand-in’ service is unavailable

When a merchant or their PSP encounters one of the two problems above, then the SCA Authentication Outage Indicator may be used in the following circumstances:

  • A persistent outage of the authentication system that has lasted longer than five minutes
  • In those five minutes at least five authentication requests must have been attempted
  • All authentication requests have failed in those five minutes

As soon as the outage is over merchants/PSPs must resume use of 3DS and stop using the SCA Authentication Outage Indicator.

How often can I use the SCA Authentication Outage Indicator?
The card schemes and Global Payments will be monitoring how often a merchant is using the SCA Authentication Outage Indicator. The card schemes may impose penalties for excessive use. Merchant use of the flag must remain under the following (card scheme defined) thresholds: Volume

  • 1.2% of their total transactions in the previous calendar quarter or
  • 0.9% of their total transactions in the previous 12 months Value
  • Total value of a merchant’s transactions with the SCA Authentication Outage Indicator isn’t greater than 1.0% of total value of their transactions in the previous calendar quarter or
  • 0.8% of total value of their transactions in the previous twelve months

What should a merchant do if they wish to use the SCA Authentication Outage Indicator?
Merchants should discuss the usage of the flag with their PSP to understand how it can be applied and by which party.

What should a PSP do to be prepared to use the SCA Authentication Outage Indicator?
The Global Payments Authorisation and Settlement Technical Specification v2.2 and accompanying release notes provide the information required to use the indicator. They will be published in mid-October 2021.

Does Global Payments put any restriction on which merchants can use the SCA Authentication Outage Indicator?
Global Payments will allow any merchant that’s enabled and registered with us to use EMV 3DS, to use the authentication outage indicator. However, Global Payments will monitor usage and draws the attention of all merchants to the question above around frequency of use. The indicator is for ‘extraordinary circumstances’ only and overuse may result in the card schemes imposing fines.

Where can I get more information?
Speak to your PSP, alternatively UK Finance has provided guidance which can be found here
You can also call us on 0345 702 3344*

*Lines are open from 9am to 6pm, Monday to Friday, except public holidays. If you have a speech or hearing impairment, you can call us using the Relay Service by dialling 18001 followed by the number you wish to dial. Calls may be recorded. To help us continually improve on our service and in the interests of security, we may monitor and/or record your telephone calls with us. Any recordings remain our sole property.

 

  • Account
  • Products
  • Customer Docs & Pricing
  • Compliance & Security
  • Industry news
  • Trending articles
  • Notices and Policies
  • Sitemap

Already a customer?

Log in

Connect

  • LinkedIn
  • Twitter
  • Facebook
  • YouTube
{D6036E8F-C9A1-420D-AEC3-5680EC9FBE35}
 

Global Payments is a trading name of GPUK LLP. GPUK LLP is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017 (504290) for the provision of payment services and under the Consumer Credit Act (714439) for the undertaking of terminal rental agreements. GPUK LLP is a limited liability partnership registered in England with company number OC337146. Registered Office: Granite House, Granite Way, Syston, Leicester, LE7 1PL. The members are Global Payments U.K. Limited and Global Payments U.K. 2 Limited. Service of any documents relating to the business will be effective if served at the Registered Office.

Global Payments is also a trading name of Pay and Shop Limited. Pay and Shop Limited is a limited company registered in Ireland with company number 324929. Registered Office: The Observatory, 7-11 Sir John Rogerson's Quay, Dublin 2, Ireland. Service of any documents relating to the business will be effective if served at the Registered Office.

© 2023 GPUK LLP. All rights reserved. Privacy Statement | Terms of Use  | Ethics Reporting Hotline | Gender Pay Report  | Anti Slavery Statement