Europe is bracing itself for a big shake-up in how we pay for things online. Similar to how GDPR hugely impacted how millions of organisations handle personal data when it was enforced last year, Strong Customer Authentication (or SCA) will have profound implications for how businesses handle online transactions and how we pay for things in our everyday lives.
SCA will require an extra layer of authentication for online payments. Where a card number and address once sufficed, customers will now be required to provide at least two of the following three factors to do anything as simple as ordering a taxi or paying for a music streaming service:
- Something they know (like a password or PIN),
- Something they own (like a token or smartphone), and
- Something they are (like a fingerprint or biometric facial features).
Why is this happening?
The new rules are designed to protect European consumers from billions of euros in attempted online fraud. As European internet commerce is expected to grow to $1 trillion by 2022, online fraud grows with it. The European Central Bank now estimates around €1.3 billion in online fraud on European cards each year.
But SCA could come at a heavy cost for European online businesses. Without careful preparation, failed transactions and additional friction will have a significant negative impact on conversion. When similar regulation was enforced in India in 2014, some businesses reported an overnight conversion drop of over 25%. If the same were to happen in Europe’s €600 billion online economy today, we would be facing a potential economic loss of €150 billion.
What should internet businesses do to prepare?
Get prepared early! SCA is certainly no less complex than GDPR. The overarching EU regulation is interpreted differently by national regulators; card networks and issuing banks have their own sets of rules and policies; and there are important payment exemptions for when SCA is not required. For most businesses, this is bewildering, but there are some overarching principles to apply when getting ready for SCA.
First, calibrate your checkout experience to minimise friction with the most appropriate payment method. From biometric security in mobile wallets to regional non-card payment methods to 3D Secure 2, there are various ways businesses can let their customers authenticate themselves in an SCA-compliant manner. Internet businesses need to build maximum optionality into their checkout experience, so the most relevant SCA-compliant payment method is dynamically surfaced depending on the context.
Second, optimise for when SCA is needed and when it isn’t. SCA won’t apply to every online transaction. There are exemptions for recurring payments and purchases under €30, for example, so give thought to the situations when you do not need to send a customer a stepped-up authentication request.
What is more, customers can whitelist businesses with their issuing bank, so they don’t need to authenticate themselves for any future purchases. This is particularly important for businesses who have repeat customers. Unfortunately, granting exemptions ultimately depends on the customer’s bank. For a business operating in multiple European markets, managing exemptions themselves would mean working directly with local banks to understand exactly how to trigger them — and there are more than 6,000 banks in Europe.
Businesses will have to decide whether they want to become SCA experts themselves or find a strategic partner that will help them abstract away the complexity of the challenges that come along with the new regulation.
How could this shape internet commerce in Europe?
But where there is a risk, there is always an opportunity. Seamless checkout experiences and intelligent SCA exemption management will become a deep competitive advantage for internet businesses able to execute well. In one way, this may even benefit tech-forward businesses which live and die by optimising user experience (versus legacy businesses that are still making the transition from the offline world).
This applies especially to mobile commerce, where SCA may contribute to more adoption of biometric security in wallets like Apple Pay and Google Pay. Additionally, SCA may spur a wave of innovation in biometric security tools and mobile payment technology here in Europe, as entrepreneurs spot gaps in the market for more secure, more user-friendly authentication experiences.
Let’s remain optimistic. It would not be the first time Europe has pioneered new standards in payments that reconcile security and convenience. Consider how it rolled out EMV standards over a decade ago to make chip and PIN more or less ubiquitous on the continent, while the US is still playing catch-up to this day. History may repeat itself with SCA. In any case, wherever Europe goes, the world and how it pays will likely follow. Australia and other markets are expected to introduce similar legislation soon.
Ultimately, making the internet economy more secure is important for its long-term growth prospects. As consumer trust increases, so does the amount consumers spend online. In that context, while SCA poses a significant challenge for European e-commerce in the short term, it could turn out to be a significant milestone on the way to increasing online commerce in Europe, fulfilling the Digital Single Market, and raising the GDP of the internet.