The impact of Strong Customer Authentication on your e-commerce
This September, a new requirement for Strong Customer Authentication (SCA) on online payments is due to be implemented in the European Economic Area (EEA), which will include the UK. It is introduced under what is known as the second Payment Services Directive (PSD2).
“The Financial Conduct Authority (FCA) in the UK has confirmed that the Secure Customer Authentication (SCA) rules will be delayed by 18 months. It has been reported that many online ecommerce businesses are simply not ready, and this is essentially avoiding a “payments cliff-edge” where 25-30% of ecommerce transactions today would usually have failed.
This new 18-month phase-in for the SCA rules will give retailers and banks the time to put the technical fixes in place, and would minimise any further disruptions.”
At its most basic, SCA adds a step that must take place before a payment is authorised: authentication. It is inconvenient because companies need to comply with the regulation quickly. It is good because it helps protect customers by preventing fraud.
What is Strong Customer Authentication (SCA)?
“SCA is a new European Union regulatory requirement, targeting to reduce fraud and make online payments more secure. In order to complete payments after the SCA introduction date, businesses will need to have additional authentication measures introduced into the checkout flow, whereby you’d need to require at least two forms of authentication”, according to a survey by Stripe.
From 14 September 2019, banks will be forced to decline payments that require SCA and don’t meet those criteria.
What is the Second Payment Services Directive (PSD2)?
PSD2 has been put in place to improve consumer rights. Bear in mind that the first version of this new EU law is already applicable in the EEA, but some of the more disruptive regulations will arrive in September with SCA, according to Barclays.
“PSD2 follows on from the original Payment Services Directive (PSD), which was adopted by the EU in 2007.
This legislation established an EU single market for payments to encourage the creation of safer, more innovative payment services. PSD’s authors also aimed to make cross-border payments in the EU as easy, efficient and secure as payments within a member state.
PSD2 builds on the previous legislation in three areas:
- Increased consumer rights in areas including complaints handling, new rules on surcharging and currency conversion.
- Enhanced security through SCA criteria.
- Enablement of third-party access to account information, providing a framework for new payment and account services.”
- PSD2 aims to improve consumer rights by providing transparency around currency and exchange rates at the point of sale.
- It allows payment providers to resolve complaints quickly and easily.
- It allows card issuers to make funds available to their customers as soon as the final amount is known, and finally, prohibit the number of surcharges on consumer card transactions.
- In addition to these things, it will also reduce the amount of fraud that consumers will experience, thereby enhancing security measures.
How Payments Are Changing
In the new mandatory step, the customer responds to a prompt from their bank and provides additional information. This could be a password, something you’re familiar with, a code on your phone or even a fingerprint.
Three Forms of ID (at least two of which are required):
- Knowledge: Something unique that only the customer knows like a PIN or password.
- Possession: Something only the customer has such as a phone or a card.
- Inherence: Something unique to the customer such as a fingerprint.
In general, 3D Secure is the most common way to authenticate payments. You may have come across it before, though it has not been widely used. Perhaps one of the most important points about SCA is that the customer needs to be on-session to authenticate. That means they need to be using the website or app when making the payment. For a business that charges customers right away, it’s a simple step. But for businesses that charge the customer after they’ve left, it’s a trickier issue.
In e-commerce, customers typically get charged while on-session without saving any card information. Something like 3D Secure can be added to your checkout without disrupting the flow, and it meets the new SCA standards.
Consequently, once SCA comes into full force, an order will follow these steps after it is placed:
- Authentication: The amount paid for the order is authenticated by 3D Secure.
- Authorise: The payment is then authorised by the bank.
- Capture: The money is transferred.
- Order completed: The order is then shipped and completed.
Implications for E-Commerce
All of the security measures being put in place are there for the benefit of everyone in order to prevent fraud. But as is the case with most things, there will be some drawbacks to the e-commerce market.
- The checkout experience for customers will require an additional step.
- There will be an increase in cart abandonment and a drop in conversion rates.
- Improved authorisation rates.
- Reduction in fraud-related losses.
- Opportunities to gain a competitive advantage with smoother checkout flow.
When is it Required?
SCA will come into play on 14 September 2019 and will be applicable to “customer initiated” online payments within Europe. This means that most card payments and bank transfers will require SCA, while direct debits, which are merchant-initiated, will not require such strong authentication. In-person card payments will not be impacted by the new regulation either.
What are the Exemptions?
Certain transactions will be specified as “low-risk” and will, therefore, be exempt from SCA. The new regulation stipulates that payments below a certain amount may not need to have the authentication in place. Low-value transactions will be exempted, as will repeated subscriptions. For example, if you’re constantly making a monthly payment to Netflix, SCA will be required for the first payment, but subsequent charges may be exempted from SCA in the future. Trusted beneficiaries can be whitelisted by the customer to avoid having to authenticate in future, and merchant-initiated transactions and variable subscriptions, such as your water bill, may be exempt too. Ultimately, it’s up to the cardholder’s bank to decide whether or not to accept an exemption. So you may find that in the beginning, there could be a few potentially time-wasting authentications that come your way but ultimately, the end result will be that the consumer is far more protected.
How will SCA affect my e-commerce site?
After September 14, non-compliant transactions will be declined by the cardholder’s bank. Because of the additional friction caused by consumers having to authenticate transactions twice, SCA could have a significant negative impact on your conversion and checkout abandonment. Seamless checkout experiences and intelligent SCA exemption management will become a key competitive advantage for online businesses.
Checklist to create a smooth checkout experience:
- Update your checkout with the most appropriate payment method (according to SCA).
- Implement 3D Secure authentication.
- Display an exit-intent pop-up at the checkout to inform abandoning customers about the authentication.
- Use a sidebar or banner to inform visitors and customers about the new checkout process.
- Ask your loyal customers to whitelist your business with their banks.
Digital commerce sales in Western Europe will grow at a 17% CAGR between 2018 and 2022, according to 451 Research. While this is obviously a positive and exciting prospect, it also presents threats as fraud across digital platforms is on the rise. Risk management procedures and robust customer authentication are now more necessary than ever. E-commerce managers can no longer overlook the subject since SCA will be the spearhead of the EU’s defence.
The information provided in this article is for informational purposes only. It should not be considered financial advice. Professionals should always receive specialized legal advice before taking any measures regarding SCA and PSD2.