While we try to leave Europe and the pesky law makers in Brussels, we will soon have to adopt the EC’s Second Payment Directive or PSD2.
Come 14 September this year Strong Customer Authentication or (SCA) will be forced on us and all credit card transactions in the EC will have to abide by these new regulations.
What is Strong Customer Authentication?
Strong Customer Authentication (SCA) is a new European regulatory requirement to reduce fraud and make online payments more secure. To accept payments once SCA goes into effect, merchants will need to build additional authentication into your checkout flow. SCA requires authentication to use at least two of the following three elements.
Banks will need to start declining payments that require SCA and don’t meet these criteria. Although we anticipate a gradual enforcement of SCA across Europe as different regulators are adopting different implementation timescales. However, we expect the first banks to start declining payments without two-factor authentication on 14 September.
On 13 August 2019, the UK regulator announced an 18 month phase in period to give UK banks and businesses more time to prepare for these new requirements. As a result, we do not expect banks to fully require SCA for payments from UK cards until March 2021.
(If you would like to read the original SCA requirements in any European language, they are set out in the Regulatory Technical Standards or RTS.)
When is Strong Customer Authentication required?
Strong Customer Authentication will apply to “customer-initiated” online payments within Europe. As a result, most card payments and all bank transfers will require SCA. Recurring direct debits on the other hand are considered “merchant-initiated” and will not require strong authentication. With the exception of contactless payments, in-person card payments are also not impacted by the new regulation.
For online card payments, these requirements will apply to transactions where both the business and the cardholder’s bank are located in the European Economic Area (EEA). (We expect SCA regulation to be enforced in the UK, regardless of the outcome of Brexit.)
How to authenticate a payment
Currently, the most common way of authenticating an online card payment relies on 3D Secure—an authentication standard supported by the vast majority of European cards. Applying 3D Secure typically adds an extra step after the checkout where the cardholder is prompted by their bank to provide additional information to complete a payment (e.g., a one-time code sent to their phone or fingerprint authentication through their mobile banking app).
3D Secure 2—the new version of the authentication protocol rolling out in 2019—will be the main method for authenticating online card payments and meeting the new SCA requirements. This new version introduces a better user experience that will help minimise some of the friction that authentication adds into the checkout flow.
Other card-based payment methods such as Apple Pay already support payment flows with a built-in layer of authentication (biometric or password). These can be a great way for businesses to offer a frictionless checkout experience while meeting the new requirements.
Exemptions to Strong Customer Authentication
Under this new regulation, specific types of low-risk payments may be exempted from Strong Customer Authentication. Payment providers will be able to request these exemptions when processing the payment. The cardholder’s bank will then receive the request, assess the risk level of the transaction, and ultimately decide whether to approve the exemption or whether authentication is still necessary.
The precise details of what clarifies as Low Risk Payments vary by bank, merchant and transaction.
Impact on E-Commerce Sites
The onset of SCA has significant implications for merchants in the UK that sell in digital channels in addition to many of those selling cross-border into Europe.
Among the most pertinent is the impact on the checkout experience, which stands to see added friction through the introduction of additional steps to complete a purchase. While cart abandonment and decreases in conversion rates are legitimate concerns, on the flipside is the prospect of improved authorization rates and a reduction in fraud losses should SCA play out as intended.
Importantly, SCA also creates an opportunity for a competitive advantage. Merchants best able to integrate SCA into their checkout flow and effectively apply exemptions will separate themselves from the pack by minimising customer impact.
To achieve this, it will be critical to align with payment providers that have a deep commitment to the customer experience and can deliver a comprehensive and streamlined response to SCA.
If you want to learn more or need assistance with your e-commerce store please contact us for chat about how we can help plan for SCA.