How to use the Strong Customer Authentication (SCA) Authentication Outage Indicator
Guidance for PSPs and ecommerce merchants.
What is the SCA Authentication Outage Indicator?
The SCA Authentication Outage Indicator (sometimes referred to as the Resilience Indicator or Flag) is a value in the authorisation message to the card issuer that indicates that the merchant or their Payment Service Provider (PSP) had technical difficulties and wasn’t able to perform a 3DS authentication to authenticate the cardholder as required by PSD2 regulations. The UK and French national regulators have given card issuers permission to take it into account when they decide whether to approve or decline a non-secure authorisation request.
Who would use it?
Ecommerce merchants and/or their PSP can set the flag if they couldn’t authenticate the cardholder due to technical difficulties. The flag isn't used by merchants with terminals in a card-present situation.
Is it a new SCA Exemption?
No, the SCA Authentication Outage Indicator isn’t an exemption to be requested. It should only be used during a persistent outage (not in the case of a temporary random network ‘glitch’) to ensure that electronic commerce is not disrupted and to indicate that a merchant that normally would be doing EMV 3DS has not in this specific instance been able to authenticate the cardholder.
When can it be used?
The SCA Authentication Outage Indicator can only be used in ‘extraordinary circumstances’ and should be seen as a last resort. It’s to be used when no response from the issuer authentication system has been or can be received. It’s recommended that an actual applicable exemption be tried first if possible (e.g. Low Value). The specific parameters around usage are explained below in this document.
Can it be used for all cards?
No, only the UK (and Gibraltar) and French regulators allow their national card issuers to take the flag into account. Nothing would prevent a UK-based merchant/PSP submitting the flag to a German card issuer, for example, but the issuer is required to decline the transaction.
Will the authorisation be approved?
It’s important to recognise that issuers aren’t required to take account of the flag and approve the transaction. At this stage it’s too early to say what will happen and how issuers will react. If the transaction is for a relatively small amount and the issuer can see that the cardholder is a regular shopper at the merchant using the flag, then there’s a greater chance of it being approved.
Who will be liable for fraud if the transaction is approved?
Liability remains with the merchant, not the issuer, because the transaction is non-secure without the authentication having taken place.
Are there any restrictions on what kind of transactions can use the SCA Authentication Outage Indicator?
Yes, even if an authorisation request using the SCA Authentication Outage Indicator is approved by the issuer, it MUST NOT be used to set up a recurring transaction or to store card details for the card on file. Merchant Initiated Transactions cannot be chained back to such an authorisation. Merchant Initiated Transactions can only follow a fully authenticated Customer Initiated Ecommerce Transaction. The SCA Authentication Outage Indicator may not be used on Account Verification messages either.
Is the flag used when the card issuer has a problem?
No, if the issuer is having problems then the card scheme ‘stands in’ and authenticates on their behalf. The SCA Authentication Outage Indicator is to be used specifically when the merchant or their PSP has technical issues that prevent them from connecting to the authentication network.
The most common scenario for technical problems with authentication is when the issuer’s Access Control Server (ACS) is unavailable for some reason.
It’s for this reason that the card schemes have built their ‘stand in’ systems to ensure that merchants can continue to function in line with PSD2 regulation. Both UK Finance and the card schemes are explicit in stating that the Authentication Outage Indicator is not to be used in this circumstance.
What are the specific parameters around use?
UK Finance suggests two likely scenarios in which it is appropriate to use the resilience indicator:
- A PSP/gateway failure that prevents the merchant being able to perform 3DS
- A major outage within one of the card schemes’ infrastructure, in which both the scheme’s directory server services and their ‘3DS stand-in’ service are unavailable
When a merchant or their PSP encounters one of the two problems above, then the SCA Authentication Outage Indicator may be used in the following circumstances:
- A persistent outage of the authentication system that has lasted longer than five minutes
- In those five minutes at least five authentication requests must have been attempted
- All authentication requests have failed in those five minutes
As soon as the outage is over merchants/PSPs must resume use of 3DS and stop using the SCA Authentication Outage Indicator.
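One way to encode the usage conditions above as a gate in a merchant or PSP integration, as an added example (not code from Global Payments or the card schemes). The class, function and transaction field names are hypothetical, timestamps are in seconds, and reading ‘those five minutes’ as the trailing five-minute window is an assumption.

```python
from collections import deque

WINDOW_SECONDS = 5 * 60   # outage must have lasted longer than five minutes
MIN_ATTEMPTS = 5          # at least five authentication requests attempted
# Issuers whose regulators allow the flag to be considered (UK, Gibraltar, France)
ALLOWED_ISSUER_COUNTRIES = {"GB", "GI", "FR"}
# Uses the guidance rules out for flagged authorisations (hypothetical field names)
FORBIDDEN_USES = ("recurring_setup", "store_card_on_file", "account_verification")


class OutageGate:
    """Tracks 3DS attempts; a 'failure' here means no response was received."""

    def __init__(self):
        self.outage_start = None   # time of first failure since the last response
        self.recent = deque()      # failure times inside the trailing window

    def record(self, ts, got_response):
        if got_response:
            # Any response ends the outage: resume 3DS and stop using the flag.
            self.outage_start = None
            self.recent.clear()
            return
        if self.outage_start is None:
            self.outage_start = ts
        self.recent.append(ts)

    def outage_confirmed(self, now):
        if self.outage_start is None:
            return False
        # Drop failures that have aged out of the trailing five-minute window.
        while self.recent and now - self.recent[0] > WINDOW_SECONDS:
            self.recent.popleft()
        lasted_long_enough = now - self.outage_start > WINDOW_SECONDS
        return lasted_long_enough and len(self.recent) >= MIN_ATTEMPTS


def may_set_indicator(gate, now, txn):
    """True only if the outage rule holds and the transaction may carry the flag."""
    if not gate.outage_confirmed(now):
        return False
    if txn.get("issuer_country") not in ALLOWED_ISSUER_COUNTRIES:
        return False   # other issuers are required to decline, so do not send it
    return not any(txn.get(use) for use in FORBIDDEN_USES)
```

Because a single response resets the gate, the flag stops being set as soon as authentication is reachable again.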
How often can I use the SCA Authentication Outage Indicator?
The card schemes and Global Payments will be monitoring how often a merchant is using the SCA Authentication Outage Indicator. The card schemes may impose penalties for excessive use. Merchant use of the flag must remain under the following (card scheme defined) thresholds:
Volume
- 1.2% of their total transactions in the previous calendar quarter or
- 0.9% of their total transactions in the previous 12 months
Value
- Total value of a merchant’s transactions with the SCA Authentication Outage Indicator isn’t greater than 1.0% of total value of their transactions in the previous calendar quarter or
- 0.8% of total value of their transactions in the previous twelve months
What should a merchant do if they wish to use the SCA Authentication Outage Indicator?
Merchants should discuss the usage of the flag with their PSP to understand how it can be applied and by which party.
What should a PSP do to be prepared to use the SCA Authentication Outage Indicator?
The Global Payments Authorisation and Settlement Technical Specification v2.2 and accompanying release notes provide the information required to use the indicator. They will be published in mid-October 2021.
Does Global Payments put any restriction on which merchants can use the SCA Authentication Outage Indicator?
Global Payments will allow any merchant that’s enabled and registered with us to use EMV 3DS to also use the authentication outage indicator. However, Global Payments will monitor usage and draws the attention of all merchants to the question above around frequency of use. The indicator is for ‘extraordinary circumstances’ only and overuse may result in the card schemes imposing fines.