For those who haven’t heard of it, Strong Customer Authentication (SCA) is a new form of two-factor authentication designed to add an extra layer of security when your customers make a payment online. Once enforced, it will require that most online transactions are verified by at least two factors (something you know, something you are, something you have).
But, a month on from its implementation date, consumers across Europe have continued to shop online as normal. The reason is that in June the European Banking Authority (EBA) called for a general SCA enforcement delay, and it has just announced a pan-European deadline: SCA is to be fully enforced from December 31st, 2020.
SCA: e-commerce crisis waiting to happen
A 14-month period where regulators are focusing on migration instead of enforcement is good news for the industry, but it is not a lot of time, given what’s at stake for the European economy. If SCA were implemented today, around €57 billion would be taken out of the European economy in the next 12 months – and the most vulnerable SMBs would be taking the largest hit. As many as three in five businesses with under 100 employees are still unfamiliar with SCA and many have no plans to become compliant any time soon.
While the European Banking Authority has averted the immediate risk of an e-commerce crisis in Europe, it is now critical that all businesses are adequately prepared for what will be the most radical change in the online payments landscape in the past decades.
To be clear on the stakes: banks will reject all transactions which aren’t properly authenticated once SCA is implemented. Merchants who are not ready will simply lose legitimate revenue, because they failed to make the necessary changes to be ready for SCA.
How can businesses prepare for SCA to avoid losing revenue?
One way for merchants to get ready would be to integrate 3DS2 – a user-friendly and SCA-compatible authentication method – and activate it dynamically for transactions that might fall under the scope of the new regulation. However, the vast majority of European issuing banks have not yet implemented 3DS2 in their systems and will fall back to the older 3DS1 standard if they see such transactions go through their systems. According to industry estimates, 3DS1 – which is not optimised for mobile commerce – leads to an 11% drop in conversion for businesses. So 3DS2 can’t be the only route merchants take to get SCA ready.
Another option is to optimize for SCA-ready payment methods such as Apple Pay, Google Pay, or any similar payment method. They’re a good way to maintain high conversion rates, while addressing SCA requirements through biometric verification. But then again, not every customer in Europe has a smartphone, and not every issuing bank in Europe offers Apple Pay or Google Pay.
This leaves merchants with a third optimization route: exemption and decline strategies. The regulation was never designed for all transactions to go through SCA. There are a number of exemptions – for example charges that are under €30, or recurring charges of the same amounts – so it’s important to leverage the option to trigger SCA only where required. The difficulty here is that not all issuing banks will have the same interpretation of SCA exemptions. Some will take them all into consideration, others will simply ignore them, and merchants will have no way of knowing that firsthand. So for merchants, it will also be critical to monitor declines in real time and optimize their setup accordingly. Because of the number of issuing banks in Europe, merchants will have a hard time understanding exactly what’s happening with their declined transactions. Large merchants will have to staff teams to monitor and react accordingly. And small merchants will have to look at the data for weeks before being able to find a clear pattern.
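The exemption-and-decline loop described above, sketched as an added example (not code from the article or from Stripe): request an exemption where one applies, measure per-issuer declines on exempted charges, and trigger SCA up front for issuers that appear to ignore exemptions. Field names, issuer labels, thresholds and the sample data are assumptions, and only the two exemptions named in the article are modelled.

```python
from collections import defaultdict

LOW_VALUE_LIMIT_EUR = 30.0  # the "under €30" exemption named in the article

# Constructed sample data: (issuer, amount in EUR, recurring same amount, declined).
# Issuer labels and field names are hypothetical.
_ROWS = [
    ("bank_a", 12.00, False, False), ("bank_a", 25.00, False, False),
    ("bank_a", 9.99, True, False),   ("bank_a", 120.00, False, False),
    ("bank_b", 15.00, False, True),  ("bank_b", 29.00, False, True),
    ("bank_b", 49.00, True, True),   ("bank_b", 8.00, False, False),
    ("bank_c", 5.00, False, True),
]
FIELDS = ("issuer", "amount_eur", "recurring_same_amount", "declined")
SAMPLE = [dict(zip(FIELDS, row)) for row in _ROWS]


def exemption_for(txn):
    """Exemption to request, or None when SCA must be triggered.
    Simplified: real exemption rules carry conditions not modelled here."""
    if txn["recurring_same_amount"]:
        return "recurring"
    if txn["amount_eur"] < LOW_VALUE_LIMIT_EUR:
        return "low_value"
    return None


def exempt_decline_rates(txns):
    """Per issuer: (charges sent with an exemption, share of those declined).
    Counts every decline, whatever its reason."""
    sent, declined = defaultdict(int), defaultdict(int)
    for t in txns:
        if exemption_for(t) is not None:
            sent[t["issuer"]] += 1
            declined[t["issuer"]] += int(t["declined"])
    return {i: (sent[i], declined[i] / sent[i]) for i in sent}


def issuers_ignoring_exemptions(txns, min_samples=3, threshold=0.5):
    """Issuers with enough data and a high decline rate on exempted charges."""
    return {i for i, (n, rate) in exempt_decline_rates(txns).items()
            if n >= min_samples and rate >= threshold}


def route(txn, force_sca):
    """Trigger SCA up front for flagged issuers, otherwise only where required."""
    exemption = exemption_for(txn)
    if exemption is None or txn["issuer"] in force_sca:
        return "sca"
    return "exempt:" + exemption
```

The `min_samples` guard keeps an issuer with a single declined charge (`bank_c` in the sample) from being flagged, which is the small-merchant problem of needing weeks of data before a pattern is clear.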
Preparing for SCA biggest challenge for industry in decades
If you think this all sounds rather complex, you’re not alone. It’s certainly been a huge challenge for the industry to prepare for SCA. Regulators, schemes, issuers, merchants… everyone will be impacted by the new regulatory standard. But in the end, merchants have the most to lose. They will be judged by the customer for the quality of their payments experience. If paying becomes too complex, or worse – if payments fail – customers will make their purchase elsewhere, and possibly never come back.
At Stripe, SCA is seen as a technology opportunity. The company has spent the last 2 years investing in better authentication experiences – both on the merchant and the issuing banks’ sides – so SCA is as seamless as possible for customers. They have also built an optimisation engine to help online businesses to easily comply with the new regulation and help them navigate the often inconsistent approaches to SCA of Europe’s regulators, issuing banks and card networks. It not only self-updates to respond to any evolution in SCA implementation within the payments value chain, but it triggers SCA only when needed at transaction level. This way it is possible to not only protect, but grow the revenue of users, while helping them comply with SCA requirements.
But alarmingly, and despite all of the talk around SCA in past months, too many businesses still haven’t heard of SCA, let alone acknowledged the threat to their online revenues and the continued functioning of their payments stack. This is the most important issue the industry should be focused on solving in the next 14 months. Or else, the delay will have been for nothing.