What is Strong Customer Authentication?
SCA or “Strong Customer Authentication” is a major piece of e-commerce regulation that is being introduced across Europe on September 14 2019. From this date, every time a consumer buys something online that costs over €30, simply plugging their details once will no longer be enough. Instead, they’ll need to additionally confirm their identity by something they know (a PIN or password), something they have (such as a smartphone), or something they are (biometric facial features or a fingerprint). This is known as two-factor authentication and has been around in various forms for a while – think about those situations where putting your username and password isn’t enough, for example when you’re sent a six-digit code to input via SMS.
In real terms, however, this means that from September more than 300 million ordinary European consumers will regularly have to change the way they buy online, introducing an extra layer of friction at the checkout for everyday transactions.
SCA will mean all European shoppers will have to double authenticate all online payments over €30 – having profound implications for how businesses handle online transactions. It’s set to be big as GDPR, but no one knows about it.
Why is the EU introducing SCA?
The new rules are designed to protect European consumers from billions of euros in attempted online fraud. As European internet commerce is expected to grow to $1 trillion by 2022, online fraud grows with it: the European Central Bank now estimates around €1.3 billion in online fraud on European cards each year.
At Stripe, we see and prevent more than €3.5 billion of fraud attempts globally per year. Along with the six million Europeans and counting who now make their living in internet commerce, we welcome any attempt to thwart bad actors. Ultimately, fraud undermines trust, which is the entire basis for internet commerce.
What is PSD2?
PSD2 follows on from the original Payment Services Directive (PSD), which was adopted by the EU in 2007.
This legislation established an EU single market for payments to encourage the creation of safer, more innovative payment services. PSD’s authors also aimed to make cross-border payments in the EU as easy, efficient and secure as payments within a member state.
PSD2 builds on the previous legislation in three areas:
- Increased consumer rights in areas including complaints handling, new rules on surcharging and currency conversion.
- Enhanced security through SCA (Strong Customer Authentication) criteria.
- Enabling third-parties to access account information, providing a framework for new payment and account services.
How will SCA affect my e-commerce site?
If not prepared for properly, SCA could come at a heavy cost for businesses big and small. After September 14, non-compliant transactions will simply be declined by the cardholder’s bank. This, coupled with the additional friction caused by consumers’ having to doubly authenticate transactions, means there could be a significant negative impact on conversion.
When similar regulation was enforced in India in 2014, some businesses reported an overnight conversion drop of over 25pc. If the same were to occur in Europe’s €600 billion online economy, the continent would be facing a potential economic loss of €150bn.
However, where there is risk, there is always opportunity – particularly for growing and smaller businesses which are looking for ways to stay ahead. In the context of tighter rules, seamless checkout experiences and intelligent SCA exemption management will become a deep competitive advantage for internet businesses able to execute the change well.
What can I do to make my e-commerce SCA compliant?
It’s best to get prepared early as SCA is complex. The overarching EU regulation will be interpreted differently by national regulators, card networks and issuing banks, and there are important payment exemptions for when SCA is not required. For most businesses, this is bewildering, but there are some overarching principles to apply when getting ready for SCA.
- First, calibrate your checkout experience to minimise friction with the most appropriate payment method as there are various ways businesses can let their customers authenticate themselves in an SCA-compliant manner. Different payment methods will be more suitable for certain business models, and customer preferences will vary depending on geography and their relationship to the business.
- Second, optimise for when SCA is needed and when it isn’t. SCA won’t apply to every online transaction. There are exemptions for recurring payments and purchases under €30, for example, so give thought to the situations when you do not need to send a customer a stepped-up authentication request. What is more, customers can whitelist businesses with their issuing bank, so they don’t need to authenticate themselves for any future purchases. This is particularly important for businesses who have repeat customers. Unfortunately, granting exemptions ultimately depends on the customer’s bank. For a business operating in multiple European markets, managing exemptions themselves would mean working directly with local banks to understand exactly how to trigger them — and there are more than 6,000 banks in Europe.
Ultimately, businesses big and small must decide whether they want to become SCA experts themselves or find a strategic partner that will help them abstract away the complexity of the challenges that come along with the new regulation. A few years ago, payment was considered far too strategic to be delegated to a third party. Today, it is quite the opposite. Making the wrong choice in your payment strategy means exposing yourself to a significant loss of turnover and, above all, slowing down of business growth.
Helping you to navigate this complexity and mitigate these risks is, frankly, the reason we exist at Stripe. This is why we have built a suite of products that allows merchants, large and small, to address SCA – and all the complexities of payment – without worrying about future developments in the sector.
Iain McDougall is UK general manager of Stripe
Getting started with card payments