As part of the second Payment Services Directive (PSD2), online stores in the European Union will be required to implement additional security measures during the authentication process.
For many online merchants, these new regulations mean adding more authentication measures to the checkout process. To make sure you can continue to accept payments in the EU, here’s what you need to know about SCA: the what, how, why, who, and when.
What is strong customer authentication?
Strong customer authentication (SCA) is a requirement of the revised EU Payment Services Directive (PSD2) on payment service providers within the European Economic Area.
SCA requires that electronic payments are performed with multi-factor authentication, which increases electronic payment security.
Essentially, any transactions that involve an issued card or acquirer in the EU need to implement additional security measures in order to complete online transactions. This is what the new authentication method looks like …
How does strong customer authentication work?
The most important element of SCA is two-factor authentication. There are three categories that can be used to verify customer information in an SCA-compliant transaction:
· Knowledge – Something only the user knows (e.g. “What’s the name of your first pet?”)
· Possession – Something only the user possesses (e.g. a code sent to the user’s phone)
· Inherence – Something the user is (e.g. fingerprint or face ID)
As part of the two-factor authentication, online merchants are only required to use two of the three elements, but the two must be independent, i.e. drawn from different categories. If a transaction does not employ two independent authentication methods, the transaction will not be successful.
Before two-factor authentication, issuing banks usually just required users to remember a password to complete purchases and make payments. However, passwords are often easy to forget, or worse, easy to guess. More dynamic data points with SCA will make the payment process more convenient and secure for customers.
But of course, there are always exceptions. The PSD2 has an extensive list of exemption scenarios, but here are the most relevant SCA exemptions:
· Low-Value Transactions – Transactions under 30 EUR are exempt from SCA.
· Subscriptions – Recurring transactions with a fixed amount will be exempt from the second transaction forward; only the initial transaction requires SCA.
· Whitelisted Merchants – Businesses listed as “Trusted Beneficiaries” will not require SCA. This makes it more convenient for customers who regularly shop with a given business.
· Mail Order and Telephone Order (MOTO) – These transactions are exempt from SCA in all cases.
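The two-of-three rule and the exemption list above, written out as a decision routine. This is an added illustration, not FastSpring code or anything from the directive itself: the Transaction record, its field names and the exemption labels are assumptions made for the example, and the only rules encoded are the ones stated on this page.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# The three factor categories named on the page.
CATEGORIES = {"knowledge", "possession", "inherence"}
LOW_VALUE_LIMIT_EUR = Decimal("30")  # low-value exemption threshold from the page

@dataclass
class Transaction:                    # hypothetical record, constructed for this example
    amount_eur: object                 # int, str or Decimal; coerced below
    eu_card_or_acquirer: bool          # SCA only applies when a card or acquirer is in the EU
    channel: str = "ecommerce"         # "ecommerce" or "moto"
    recurring_fixed_amount: bool = False
    first_in_series: bool = True
    trusted_beneficiary: bool = False
    # factors the customer actually completed, as (category, method) pairs
    factors: list = field(default_factory=list)

    def __post_init__(self):
        self.amount_eur = Decimal(str(self.amount_eur))

def sca_exemption(tx: Transaction):
    """Return the name of the exemption that applies, or None if SCA is needed."""
    if not tx.eu_card_or_acquirer:
        return "out_of_scope"          # outside PSD2 scope, so no SCA either
    if tx.channel == "moto":
        return "moto"                  # MOTO is exempt in all cases
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        return "low_value"             # strictly under 30 EUR
    if tx.recurring_fixed_amount and not tx.first_in_series:
        return "subscription"          # only the first payment of a series needs SCA
    if tx.trusted_beneficiary:
        return "trusted_beneficiary"   # whitelisted merchant
    return None

def has_two_independent_factors(factors) -> bool:
    """Independent means different categories: a password plus a security
    question are both 'knowledge' and count as one factor, not two."""
    categories = {category for category, _method in factors}
    return len(categories & CATEGORIES) >= 2

def authorize(tx: Transaction):
    """Return (allowed, reason) for the transaction."""
    exemption = sca_exemption(tx)
    if exemption is not None:
        return True, "exempt:" + exemption
    if has_two_independent_factors(tx.factors):
        return True, "sca_satisfied"
    return False, "sca_required"
```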
Why is it happening?
In the last several years, the ecommerce landscape has changed drastically. In 2007, the European Commission adopted the initial Payment Services Directive (PSD). PSD2, along with SCA, is the third iteration of the initial directive. Here are the reasons why SCA is a necessary next step:
· Increased online shopping – According to a recent survey, 25% of Europeans with Internet access shopped online at least once a week in 2016.
· Frequent data breaches and online credit card fraud – In 2016, nearly £309 million was lost to credit card fraud in ecommerce transactions in the United Kingdom, compared to just £13.6 million in 1998.
· Rise of Third-party Providers (TPPs) – With more TPPs (like Stripe, Amazon Pay, PayPal, Apple Pay) allowing consumers to access their bank funds without actually entering the bank portal, additional security is needed to ensure bank funds stay safe.
For all you numbers people out there:
More online shopping + More TPPs = More data breaches and online credit card fraud
Since online shopping and TPPs aren’t going anywhere, the SCA is meant to help keep customer data secure and decrease the number of data breaches and cases of credit card fraud.
Who is impacted by strong customer authentication?
As part of PSD2, SCA only applies to transactions that involve an issued card or acquirer located in the EU. So, here’s how online merchants and consumers will be affected by SCA:
EU Online Merchants
Merchants stand to lose less money as a result of reduced fraudulent charges.
Merchants may need to change or update their systems to accommodate new SCA regulations by adding more authentication methods. Since there is always a risk of hiccups during a transition, merchants need to work harder to meet customer expectations and minimize disruptions in the payment process.
EU Consumers
Customers will have more flexible banking and payment options. Their personal information will be more secure now that additional authentication is required.
There will be additional steps when completing a purchase or making a payment. But this is barely a negative because the five seconds added onto the checkout process means personal information is more secure. Most people would choose to answer, “What’s your mother’s maiden name?” before dealing with credit card fraud.
When is it happening?
Originally the SCA was scheduled to go into effect as part of the PSD2 on September 14th. However, the United Kingdom’s Financial Conduct Authority (FCA) is set to delay Strong Customer Authentication (SCA) requirements which could lead to the SCA’s postponement throughout the European Union. Additional delays have been announced in several other EU countries.
Change can be difficult, especially when those changes require updates to your website and payment process. The good thing is that there are a lot of options available to businesses that need to use SCA. Sure, you could work your development team overtime to make the updates. Or you could partner with a full-service ecommerce platform like FastSpring to take care of updates and compliance for you. You can worry about keeping your customers happy and FastSpring will worry about keeping the European Commission happy. Request a demo to learn more about staying current with new regulations.