On September 14, 2019, Strong Customer Authentication (SCA) goes into effect. SCA is a part of the PSD2 regulation (Second Payment Services Directive), and it makes two-step authentication mandatory for many online card payments. The new rules will apply to payments in the European Economic Area (EEA).
Changes in Online Payments
In September 2019, new requirements for the authentication of online payments will be introduced as part of the Second Payment Services Directive (PSD2). The regulation requires Strong Customer Authentication (SCA) and aims to make online payments more secure and reduce fraud.
These changes will significantly affect e-commerce in Europe. Businesses that don’t prepare will see a drop in conversion rates caused by their clients’ problems with payments.
What Is SCA (Strong Customer Authentication)?
Card payments traditionally consist of two steps: authorization (when a customer’s bank approves a payment) and capture (when the card is charged). SCA introduces an additional, mandatory step to that process: authentication. To make a payment, a customer needs to authenticate it, usually by responding to a prompt sent by his bank and providing additional information. It may be something he knows (like a password or a PIN), something he has (like his phone) or something he is (like a fingerprint). SCA requires at least two of these elements to authenticate a payment.
For example, Google Pay and Apple Pay already support this kind of payment flow – an additional layer of authentication is built into their payment systems.
How Will SCA Impact Your Business?
The way SCA will impact your business depends on how you charge for purchases. If your customers actively participate in the checkout flow, the only change is that they will need to authenticate the payment on their devices. When you charge a customer after the checkout, when he doesn’t actively participate in the payment process, SCA’s impact will be significant. This applies to delayed payments and, for example, subscriptions. If your business stores cards to charge them later, your customers may be forced to come back online to authenticate the purchase. Businesses that are impacted by SCA need to build an extra layer of authentication for card payments.
Exemptions to Strong Customer Authentication: a Window For Businesses
A few types of low-risk payments can be exempted from SCA, and many businesses will be able to take advantage of that. Authentication is an extra step in the checkout flow, and it adds friction to the process. Exemptions are a great opportunity for businesses to reduce the number of authentications needed.
The essential exemptions for online businesses:
1. Low-risk transactions: a payment provider can perform a real-time risk analysis and decide whether authentication is needed. It may not be required if the fraud rate does not exceed the determined level.
2. Payments below €30: these transactions will be considered low-value and, in most cases, won’t need authentication. Authentication will be required after 5 low-value payments, and any authenticated payment will reset the counter.
3. Fixed amount subscriptions: when the customer makes a series of payments of the same amount to the same business, authentication is needed only for the first one.
4. Merchant-initiated transactions: these are payments made with saved credit cards when a customer is not active in your checkout flow. A payment marked as a merchant-initiated transaction doesn’t need authentication, although you need to authenticate the card when it’s being saved by the user or during the first payment. You also need an agreement from your customer to be able to charge his card later. This exemption can be used by businesses that use delayed payments or offer subscriptions with variable amounts. Relying on this exemption is risky, and you can’t depend on any of the exemptions entirely, because the final decision on whether authentication is needed belongs to the bank.
Exemptions don’t apply automatically – you have to build a system that will request them from a bank or use the services of payment providers that support this function. For example, Stripe will be able to request exemptions while processing the payment, and will let you authenticate the card when it’s being saved and mark subsequent payments as merchant-initiated transactions.
Banks, after receiving the request, will assess the transaction’s risk and decide if authentication is still necessary. Exemptions make it all a lot easier, but if SCA severely impacts your business, you can’t depend on exemptions alone. The final decision about the need for authentication is always up to your customer’s bank, and your checkout flow needs to be prepared in case an exemption is rejected – you need to build an extra layer into it.
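The exemption rules above, sketched as an added example (not code from this article or from any payment provider): it picks the exemption to request, applies the low-value counter, and falls back to authentication when the bank rejects the request. The `CardState` model, the function names and the `bank_accepts` callback are assumptions that stand in for a real payment provider's API.

```python
from dataclasses import dataclass
from typing import Optional

LOW_VALUE_LIMIT_EUR = 30   # "payments below €30"
LOW_VALUE_MAX_STREAK = 5   # authentication is required after 5 low-value payments

@dataclass
class CardState:
    """Per-card state kept by the merchant (hypothetical model)."""
    low_value_streak: int = 0             # exempted low-value payments since last SCA
    mandate_authenticated: bool = False   # card authenticated when saved + customer agreement
    subscription_amount: Optional[float] = None  # amount of the authenticated first payment

def pick_exemption(amount, state, customer_present, low_risk=False):
    """Return the exemption to request, or None to authenticate up front."""
    if not customer_present:
        if not state.mandate_authenticated:
            return None                   # nothing to rely on: customer must authenticate
        if state.subscription_amount == amount:
            return "fixed_subscription"
        return "merchant_initiated"
    if amount < LOW_VALUE_LIMIT_EUR and state.low_value_streak < LOW_VALUE_MAX_STREAK:
        return "low_value"
    return "low_risk" if low_risk else None

def process_payment(amount, state, customer_present, bank_accepts, low_risk=False):
    """Handle one payment; bank_accepts(exemption, amount) stands in for the bank's decision."""
    exemption = pick_exemption(amount, state, customer_present, low_risk)
    if exemption and bank_accepts(exemption, amount):
        if exemption == "low_value":
            state.low_value_streak += 1
        return "charged_without_sca:" + exemption
    # No exemption applies, or the bank rejected the request: SCA is required.
    if not customer_present:
        return "customer_must_come_back_online"
    state.low_value_streak = 0            # any authenticated payment resets the counter
    return "charged_after_sca"

if __name__ == "__main__":
    card = CardState()                    # constructed sample: six €10 payments in a row
    always = lambda exemption, amount: True
    print([process_payment(10, card, True, always) for _ in range(6)])
```

The off-session branch is where a rejected exemption hurts most: the charge cannot complete until the customer returns to authenticate, so that outcome needs its own notification and retry path.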
Get Ready and Minimize Customer Loss
You don’t want to lose customers during checkout due to problems with payment or the friction connected to it. Prepare your business well for PSD2 and SCA by using the services of the best payment providers that have already created products and solutions that automatically take advantage of SCA exemptions. You can also build additional layers into your checkout flow.
At Appstronauts, we create web and mobile apps that are already tailored to PSD2 requirements. If you want your app to have a frictionless checkout flow or need any help with adjusting your product to new requirements – drop us a message!