September 14th 2019 will be an important day for all companies and merchants that are dealing with eCommerce because this is the day when a new EU regulation will come into effect.
Strong Customer Authentication (SCA) is a new regulatory requirement that aims to reduce fraud and increase online payments security.
It applies mainly to “two-leg transactions” where the acquiring bank (Payment Service Provider – PSP) and the card issuer are located in a member state of the EEA.
However, non-EU and non-EEA sellers with EEA buyers can expect to be affected at some point, and they must still comply with the PSD2 rules on information disclosure and transparency regarding the conditions and costs of international payments. If this already sounds confusing, more detailed information can be found in the Regulatory Technical Standards.
Come September 14th, all online stores’ payment gateways that have an EEA presence have to be SCA-ready and comply with the regulation; otherwise, all EEA-issued payment methods are likely to be declined during checkout.
What does this mean? SCA asserts that all transactions with an EEA presence will require two-factor identification, or 2 forms of identification from 2 different categories. According to the European Banking Authority, it will transfer the liabilities from the payer to the payee.
For many years, a lot of businesses may have used 3D Secure 1.0 or similar protocols. You may already be familiar with the 3D Secure process: after you enter the card details to confirm the payment, you are redirected to a secure page where your card issuer asks for a confirmation code or password to prove your identity. However, 3D Secure 1.0 was released in 2001 and it has its limitations. An improved version, 3D Secure 2.0, is on its way.
The regulation was published in the Official Journal on March 13th, 2018, but millions of online entrepreneurs are still not aware of Strong Customer Authentication. As written above, all businesses must comply with the regulation; otherwise, buyers’ transactions will be canceled by the card issuers.
While it was rather easy to order an item online, everything will change when SCA applies. There will be long delays and payment failures, which will result in fewer sales and increased customer frustration and confusion.
Imagine a customer going through the checkout process. They select the desired items in the shopping cart, proceed to the checkout and enter the card details, but the order is canceled. From the customer’s point of view, it is the merchant’s fault, so frustration will rise while the merchant has to deal with negative publicity and a lost customer. This is only one scenario of many that may or may not occur after September 14th.
While SCA applies to all electronic payments, including proximity, remote and mobile payments, there are also exemptions from the regulation.
For example, for all subscriptions that are made after September 14, authorization is needed only for the first payment. Subscriptions initiated before that date are considered “merchant-initiated”, so authorization is not required.
Any transaction under €30 or 225 DKK is not subject to SCA. A small exception here is the number of consecutive low-value transactions. After 5 exempted transactions, or if the total sum exceeds €100, a form of authorization is needed.
Businesses can make use of the 3D Secure standard or similar protocols, such as SafeKey, American Express, Visa Secure, Mastercard Identity Check, DIBS, etc. Alternative payment methods, like Apple Pay or Google Pay, already incorporate the required elements and should not be affected by SCA.
When the day comes, a lot of businesses will be caught short. Demand for Strong Customer Authentication will increase once compliance is required, while many will lack the time and IT resources to implement a smooth transaction flow without significant losses.
It is recommended to comply before the regulation comes into effect, even if for some it is not required by law. Doing so will reduce the risk of transaction failures and prepare the business for whatever comes next. Businesses should also contact their legal advisors to figure out how to proceed.
Do you have any questions about Strong Customer Authentication and how to implement it? Contact us and let’s have a chat.