You might be forgiven for missing the advent of Strong Customer Authentication (or SCA) back in September — a new requirement introduced by EU legislation — given the date passed with little disruption. But if you’re in the e-commerce industry you’ll have to catch up on it as soon as possible as it’ll greatly affect your business.
For those who haven’t heard of it, SCA is a new form of two-factor authentication designed to add an extra layer of security when consumers make a payment online. Once enforced, it will require most online transactions to be verified with two of the following: something you know, something you are or something you have.
But, a few months on from its implementation date, consumers across Europe have continued to shop online as normal. The reason is that, in June 2019, the European Banking Authority (EBA) called for a delay on SCA enforcement, and recently announced December 31, 2020 as the new pan-European deadline — giving your business a bit more time to adjust.
So what happens now?
An extended period where regulators are focusing on migration instead of enforcement is good news for the industry, but it is not a lot of time given what’s at stake for the European economy. If SCA had been implemented by the original deadline, the European economy would have suffered a loss of around €57 billion in the 12 months to follow. SMBs would have taken the largest hit, as three in five businesses with under 100 employees are still unfamiliar with SCA, and many have no plans to become compliant any time soon.
While the EBA has reduced the immediate risk of an e-commerce crisis in Europe, businesses must now ensure that they are adequately prepared for what will be the most radical change in the online payments landscape in recent decades.
To be clear on the stakes, banks will reject all transactions that aren’t properly authenticated once SCA comes into effect. This means that businesses that have not made the necessary changes will simply lose legitimate revenue.
How can you avoid that?
One way that merchants can get ready is to integrate 3DS2 — an industry-standard, user-friendly and SCA-compatible authentication method — and activate it for transactions that may fall under the scope of the new regulation.
However, the majority of European issuing banks have yet to integrate 3DS2 into their systems and will fall back to the older 3DS1 standard. According to industry estimates, 3DS1 — which is not optimized for mobile commerce — leads to a drop in conversion for businesses. So this can’t be the only route that merchants take to prepare for SCA.
Another option is to optimize for SCA-ready payment methods such as Apple Pay and Google Pay. They’re a good way to maintain high conversion rates, while addressing SCA requirements through biometric verification. But not every customer in Europe has a smartphone, and not every issuing bank in Europe offers these methods of payment.
This leaves merchants with a third optimization route: exemption and decline strategies. The regulation was never designed for all transactions to go through SCA. There are a number of exemptions — for example charges that are under €30 or recurring charges of the same amount — so it’s important to leverage the option to trigger SCA only where required.
The difficulty here is that not all issuing banks will have the same interpretation of SCA exemptions. Some will take them all into consideration, others will simply ignore them, and businesses will have no way of knowing that firsthand. So, for merchants, it will be critical to monitor declines in real time and optimize accordingly. Because of the number of issuing banks in Europe, large merchants will have to dedicate teams to monitoring and reacting to declines, and SMBs will have to look at data for weeks before being able to find a clear pattern.
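The sketch below is an added example, not code from the article or from any payment provider. It tracks per-issuer declines on exemption requests and sends a transaction to 3DS2 when an issuer appears to ignore exemptions. The issuer names, the outcome label `declined_auth_required`, the record layout and both thresholds are assumptions, the sample history is constructed, and the exemption check models only the two cases the article mentions.

```python
from collections import defaultdict

LOW_VALUE_LIMIT_EUR = 30.0       # from the article: charges under EUR 30
MIN_SAMPLES = 5                  # assumption: evidence needed before judging an issuer
MAX_EXEMPT_DECLINE_RATE = 0.5    # assumption: above this, stop requesting exemptions

# Constructed sample history:
# (issuer, amount_eur, recurring_same_amount, exemption_requested, outcome)
HISTORY = (
    [("bank_a", 12.0, False, True, "approved")] * 5
    + [("bank_a", 25.0, False, True, "declined_auth_required")]
    + [("bank_b", 9.99, True, True, "declined_auth_required")] * 5
    + [("bank_b", 9.99, True, True, "approved")]
    + [("bank_c", 20.0, False, True, "declined_auth_required")] * 2
    + [("bank_a", 120.0, False, False, "approved")]
)


def exemption_candidate(amount_eur, recurring_same_amount):
    """Only the two exemptions named in the article are modelled here."""
    return amount_eur < LOW_VALUE_LIMIT_EUR or recurring_same_amount


def issuer_decline_rates(history):
    """Return {issuer: (decline_rate, samples)} over exemption requests only."""
    stats = defaultdict(lambda: [0, 0])  # issuer -> [declined, total]
    for issuer, _amount, _recurring, exemption_requested, outcome in history:
        if not exemption_requested:
            continue  # fully authenticated payments say nothing about exemptions
        stats[issuer][1] += 1
        if outcome == "declined_auth_required":
            stats[issuer][0] += 1
    return {i: (declined / total, total) for i, (declined, total) in stats.items()}


def decide(issuer, amount_eur, recurring_same_amount, rates):
    """Choose between requesting an exemption and triggering 3DS2 up front."""
    if not exemption_candidate(amount_eur, recurring_same_amount):
        return "3ds2"
    rate, samples = rates.get(issuer, (0.0, 0))
    if samples >= MIN_SAMPLES and rate > MAX_EXEMPT_DECLINE_RATE:
        return "3ds2"  # issuer appears to ignore exemptions; authenticate first
    return "request_exemption"


RATES = issuer_decline_rates(HISTORY)
```

With the constructed history, `bank_b` is routed to 3DS2 even for small charges, while `bank_c` keeps receiving exemption requests until enough samples accumulate, which mirrors the article's point that smaller merchants need weeks of data before a pattern is clear.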
Where does this leave merchants?
If this all sounds rather complex, you’re not alone. It’s certainly been a huge challenge for the industry to prepare for SCA. Regulators, schemes, issuers, merchants… everyone will be impacted by the new standard. But in the end, businesses have the most to lose. They will be judged by customers for the quality of their payments experience.
Investing in authentication methods that comply with SCA, and are as seamless as possible for customers, will be key. This stems from recognizing that if payments become too complicated, or worse — if payments fail — customers will make their purchases elsewhere, and possibly never come back.
But alarmingly, and despite all of the talk around SCA in past months, too many businesses still haven’t heard of the regulation, let alone acknowledged the threat to their online revenues and the continued functioning of their payments stack. This is the most important issue that the industry — and your business — should be focused on solving in the next 12 months. Or else, the delay will have been for nothing.
Published February 7, 2020 — 12:13 UTC