Strong Customer Authentication (SCA) Will Seriously Affect Online Payments in Europe

On September 14, 2019, Strong Customer Authentication (SCA) goes into effect. SCA is a part of the PSD2 regulation (Second Payment Services Directive). It begins mandatory two-step authentication for many online card payments. New rules will apply to payments in the European Economic Area (EEA).

Changes in Online Payments

In September 2019, new requirements regarding authentication of online payments go live as part of the Second Payment Services Directive (PSD2). This regulation requires SCA – Strong Customer Authentication. The goal is to make online payments more secure and reduce fraud.

These changes will significantly affect e-commerce in Europe. Businesses that don’t prepare will see the drop in conversion rates due to their clients’ problems with payments.

Card payments traditionally consist of two steps: authorization (when a customer’s bank approves a payment) and capture (when they charge a card). SCA introduces an additional, mandatory step to that process: authentication. To perform a payment, the customer needs to authenticate it. Usually, he does it by responding to a prompt his bank sends him and providing additional information. It may be something he knows (like a password, a PIN), something he uses (like his phone) or something he is (like a fingerprint). SCA requires using at least two of this information to authenticate a payment. 

For example, Google Pay and Apple Pay already support that kind of payment flows. They built an additional layer of authentication into their payment systems.

The way SCA will impact your business depends on how you account for the purchases. If your customers actively participate in the checkout flow, the only change is that they will need to authenticate payment on their devices. When you charge a customer after the checkout, when he doesn’t actively participate in the payment process, SCA’s impact will be significant. It refers to delayed payments or, for example, subscriptions. If your business stores cards to charge them later, your customers may need to be back online to authenticate the purchase. Businesses that are impacted by SCA need to build an extra layer of authentication for card payments.

A few types of low-risk payments can be exempted from SCA, and many businesses will be able to take advantage of that. Authentication is an extra step during checkout flow, and it adds friction to the process. Exemptions are a vast opportunity for businesses to reduce the number of authentications needed.

The essential exemptions for online businesses:

1. Low-risk transactions: a payment provider can perform a real-time risk analysis and decide if the authentication is needed. If the fraud rate won’t exceed the determined level they won’t require it.
2. Payments below €30: Banks consider these transactions the low value, and in most cases, they don’t need authentication. It will be required after 5 low-value payments, and any authenticated payment will reset the counter.
3. Fixed amount subscriptions: when the customer makes a series of payments of the same amount to the same business, authentication is obligatory only for the first one.
4. Merchant-initiated transactions: these are the payments customers make with saved credit cards when they are not active in your checkout flow. Payment marked as the merchant-initiated transaction doesn’t need authentication. Although you need to authenticate the card when it’s being saved by the user or during the first payment. You also need an agreement from your customer to be able to charge his card later. Businesses that use delayed payments can benefit from this exemption. Moreover, it will be useful in case of subscriptions with variable amounts. However, this exemption is risky, and you can’t depend on it entirely. Why? Because the final decision about authentication needed belongs to the bank.

Few More Words About SCA Exemptions

Exemptions don’t apply automatically. You have to build a system that will request them from a bank or use the services of payment providers that support this function. For example, Stripe will be able to request exemptions while processing the payment. Moreover, it will let to authenticate the card when a user adds it and mark subsequent payments in case of merchant-initiated transactions.

Banks, after receiving the request, will assess the transaction’s risk and decide if the authentication is still necessary. Exemptions make it all a lot easier, but if SCA severely impacts your business, you can’t depend on the exemptions only. The final decision about the need for authentication is always up to your customer’s bank. Your checkout flow needs to be prepared in case an exception is rejected – you need to build an extra layer into it. 

You don’t want to lose customers during checkout due to problems with payment or friction connected to it. Prepare your business well for PSD2 and SCA. Use the services of the best payment providers that have already created products and solutions that automatically take advantage of SCA exemptions. You can also built-in additional layers into your checkout flow. 

At Appstronauts, we create web and mobile apps that are already tailored to PSD2 requirements. If you want your app to have a frictionless checkout flow or need any help with adjusting your product to new requirements – drop us a message!