Microsoft SCA Testing Results

Microsoft SCA Testing Results | Fintech Finance

by Dean Jordaan, Director – eCommerce and Payments at Microsoft

Since September 2019 Microsoft has been testing Strong Customer Authentication (SCA) in Europe. In a previous article I shared details on what we measure – our KPIs. Here I share our testing results in the form of a scorecard, with summary observations. My hope is other merchants and industry stakeholders will share similar data based on their own testing, and so strengthen our ability to advocate for sensible policy decisions, starting with a Payment Services Directive (PSD2) enforcement delay.

Testing methodology

Since September 2019 Microsoft has continuously submitted a small, random percentage of our customer-initiated transactions for authentication over EMV 3D-Secure (3DS). Microsoft has multiple ecommerce storefronts: some are web-based (browser) and some are Xbox console-based (app). We support EMV 3DS v2.1 only, and do not attempt authentication using 3DS v1. We do not apply any acquirer exemption flagging (e.g. low-value, transaction risk analysis) to either authentication or authorization. The testing results are for Visa and Mastercard cards only.

Our scorecard measures Microsoft results and therefore reflects Microsoft’s business profile and customer base.



  1. Issuers have yet to enable SCA in some markets, for browser, app or both – ESP, EST.
  2. Challenge success rates are low to very low. This means merchants lose sales and customers cannot get the goods and services they want.
  3. Customers abandon checkout at high rates when challenged. This suggests customers are confused, don’t like the authentication method, and/or encounter poor implementations of SCA.
  4. Even a successful challenge takes a long time to complete, especially for app. This suggests that significant friction is added to the customer purchase experience.
  5. Issuers rely heavily on Visa/Mastercard for authentication stand-in. This suggests that issuers are not ready with their own implementations of EMV 3DS.
  6. Authorization approval rates worsen with authentication stand-in. This means that merchants are penalized for lack of issuer readiness.
  7. Authorization approval rates improve when the challenge succeeds. A bright spot, this suggests the payments ecosystem can deliver on the promise of SCA.

SCA readiness is more than just EMV 3DS enablement; it is about performance as well. Based on current testing results, the ecosystem has some way to go.