PSD2, Strong Customer Authentication For Beginner High-Risk Merchants
Jun 19, 2019
This blog post is for beginner merchants with customers in the EEA who need an introduction to what PSD2 Strong Customer Authentication (SCA) is and what it means for their business.
From 14th September 2019, merchants operating in the European Economic Area (EEA) will be subject to a new regulation: Strong Customer Authentication (SCA). This is a two-factor authentication (2FA) requirement that will protect certain electronic and remote payments. Strong Customer Authentication is an extension to the second EU Payment Services Directive (PSD2), a measure which came into effect in January last year. The main goal of the SCA is to protect consumers against fraud by encouraging merchants to build an additional layer of authentication into their checkout flows. SCA is a measure that may impact certain medium-to-large-sized businesses. Here’s what you need to know!
What is Strong Customer Authentication (SCA)?
The SCA will apply to any retailers that accept online payments from customers in the EEA. Even if your business isn’t based in this region, you will still need to be compliant with the new regulation in order to continue servicing your clients. Strong Customer Authentication will apply to a range of payments (more details below) initiated by customers within Europe. It will also, more or less, affect the majority of card payments and bank transfers.
In essence, the SCA requires a two-step authentication that includes at least two of the following to finalize the transaction: the customer’s password or PIN, a phone or hardware token, and fingerprint or face recognition. It’s part of the larger PSD2, which, like the GDPR regulation, introduces new laws that protect and improve consumer rights. For credit card transactions, this will mean implementing the new version of 3D Secure (3DS2).
What does the SCA mean for my business?
The SCA is likely to have a profound effect on the way businesses within the EEA operate. It will also extend to merchants that may not be based within this area but service EEA customers. It will transform the way over 300 million Europeans shop online, and it will force merchants to introduce new security measures into their checkout flow.
The SCA will affect any businesses with transactions where the cardholder’s bank and the business are located in the EEA. It’s expected that SCA will also be enforced in the UK in the aftermath of Brexit, though this is still uncertain.
Any non-compliant businesses will simply have their transactions declined by the cardholder’s bank. This can affect not only revenues but your business reputation as well. Compliance, however, may actually contribute to greater cart abandonment as the new measures amplify the already low consumer tolerance for poor checkout experiences. In fact, a recent survey by analyst firm 451 Research determined that Europe’s digital economy may suffer a significant blow and risk losing upwards of €57 billion once the new regulations come into effect on 14 September.
Exemptions to the SCA
To ensure your business continues to serve customers in the EEA, SCA compliance is necessary. However, familiarize yourself with the exemptions to the new regulations to minimize your risks. Certain low-risk payments may be exempted from Strong Customer Authentication, or from 3D Secure version 2 for credit cards. Some payment providers may do real-time risk analysis and determine whether to apply the SCA to a transaction or request an exemption. However, this is unfeasible for high-risk merchants.
Small transactions (under €30) will be considered “low value” and as such, will not be subject to SCA. However, if this exemption has been used over five times, banks will still request authentication. This means that even low-value transactions will run the risk of SCA.
Recurring direct debits will be unaffected by the new regulations. This is because SCA only applies to consumer-initiated payments, while recurring ones fall into the “merchant-initiated” category. In fact, any merchant-initiated transactions, including those on credit cards, will be considered exempt. To use them, the card will need authenticating when it’s being saved or during the first payment. You must get an agreement from the customer (known as a ‘mandate’) to charge them at a later point. Additionally, any card-present transactions will also be unaffected by the regulations (except for contactless payments).
How to prepare my business for SCA?
Connecting with your payment provider before September 2019 is the easiest way to welcome these changes. Reach out to your merchant service provider (like DirectPayNet), who can help you navigate the new changes.
If your business isn’t based in the EEA, consider retargeting your customers or rethinking your strategy. However, this isn’t always feasible. In general, experts recommend starting your preparations for the SCA regulations as soon as possible. You may consider implementing 3DS2, which is currently the way of authenticating any online credit card payments.
3DS2, which will be introduced in 2019, is the new version of 3D Secure. It is the most widely accepted authentication protocol in Europe. 3D Secure adds an extra layer of authentication following checkout, usually in the form of a one-time code sent to the customer’s phone. Like 3DS, 3DS2 will be supported by the majority of European cards and will meet all the new requirements.
Customers prefer a smoother, seamless checkout
Last but not least, calibrate your checkout experience. Consumer friction is likely to grow exponentially as the new regulations roll in. A smooth checkout experience can prevent highly expected issues such as an increase in cart abandonment rates.
One thing to keep in mind is that where there is a risk, there is usually an opportunity. The survey by 451 Research highlighted that only 44% of businesses expect to be fully SCA-compliant by September 14th, which presents forward-thinking merchants with an opportunity to gain a competitive advantage. Tighter rules mean consumers will be looking for easier, smoother and more seamless checkout experiences. Use these to your advantage and look into clever SCA exemption management practices to ride the wave.
DirectPayNet stays abreast of industry regulations and changes. Therefore, we can help you solve payment solution pain points for your high-risk merchant accounts and other services. Contact us today!