This article was published on May 10, 2019

Your business passed the GDPR challenge — but SCA is next

It's going to be tricky

Story by Guillaume Princen, Head of Continental Europe, Stripe

Guillaume Princen leads Stripe in Continental Europe and was the company’s first employee outside the US when he joined in 2014. Guillaume built and scaled Stripe’s European operations. Before joining Stripe, Guillaume worked at McKinsey & Co. He has an MBA in Business Administration from Harvard Business School.

Europe is bracing itself for a big shake-up in how we pay for things online, which will have significant consequences for businesses across the region. Similar to how GDPR hugely impacted how millions of organizations handle personal data when it was enforced last year, Strong Customer Authentication (or SCA) will have profound implications for how businesses handle online transactions and how we pay for things in our everyday lives when it is enforced on September 14.

SCA will require an extra layer of authentication for online payments. Where a card number and address once sufficed, customers will now be required to present at least two of the following three factors to do anything as simple as order a taxi or pay for a music streaming service: something they know (like a password or PIN), something they have (like a token or smartphone), and something they are (like a fingerprint or facial biometrics). The factors must be independent of each other, so that compromising one does not compromise the other.

This will undoubtedly add friction to the checkout process, meaning millions of shoppers may abandon transactions, impacting the revenue of thousands of businesses.

Why is this happening?

The new rules are designed to protect European consumers from billions of euros in attempted online fraud. As European internet commerce is expected to grow to $1 trillion by 2022, online fraud grows with it: the European Central Bank now estimates around €1.3 billion in online fraud on European cards each year.

My colleagues and I work hard to prevent more than €3.5 billion of fraud attempts globally per year, so I welcome any attempt to thwart fraudsters. I’m also sure the six million Europeans and counting who now make their living in internet commerce will rejoice.

But SCA could come at a heavy cost for European online businesses. Without careful preparation, failed transactions and additional friction will have a significant negative impact on conversion. When similar regulation was enforced in India in 2014, some businesses reported an overnight conversion drop of over 25 percent. If the same were to happen in Europe’s €600 billion online economy today, we would be facing a potential economic loss of €150 billion.

What should internet businesses do to prepare?

It’s best to get prepared early. I worry that with only a quarter of European merchants aware of the upcoming changes, there could be a last-minute rush as the deadline gets closer, similar to the dash many businesses made last year in the run up to GDPR.

SCA is certainly no less complex than GDPR. The overarching EU regulation is interpreted differently by national regulators; card networks and issuing banks have their own rules and policies; and there are important exemptions for when SCA is not required. For most businesses this is bewildering, but there are some overarching principles to apply when getting ready for SCA.

Firstly, calibrate your checkout experience to minimize friction with the most appropriate payment method. From biometric security in mobile wallets to regional non-card payment methods to 3D Secure 2, there are various ways businesses can let their customers authenticate themselves in an SCA-compliant manner.

Different payment methods will be more suitable for certain business models, and customer preferences will vary depending on geography and their relationship to the business. Given this, internet businesses need to build maximum optionality into their checkout experience, so the most relevant SCA-compliant payment method is dynamically surfaced depending on the context.

Second, optimize for when SCA is needed and when it isn’t. SCA won’t apply to every online transaction. There are exemptions for recurring payments of a fixed amount (once the first one has been authenticated) and for low-value purchases under €30, for example, so give thought to the situations in which you do not need to send a customer a stepped-up authentication request.

What is more, customers can whitelist businesses with their issuing bank, so they don’t need to authenticate themselves for any future purchases. This is particularly important for businesses who have repeat customers. Unfortunately, granting exemptions ultimately depends on the customer’s bank.

For a business operating in multiple European markets, managing exemptions themselves would mean working directly with local banks to understand exactly how to trigger them — and there are more than 6,000 banks in Europe. Businesses will have to decide whether they want to become SCA experts themselves or find a strategic partner that will help them abstract away the complexity of the challenges that come along with the new regulation.
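To make the exemption logic above concrete, here is an added example of a merchant-side pre-check; it is illustrative code written for this page, not Stripe’s code or anything from the original article. It assumes the low-value rule as laid out in the PSD2 technical standards: under €30 per transaction, and no more than €100 or five transactions since the card was last authenticated. Those cumulative counters live at the issuer, so the merchant copy here is only an estimate, and, as the article says, the issuer can still challenge any exemption it is asked for. The class and function names (`Transaction`, `CardState`, `decide`, `run_sequence`) and the sample purchases are constructed for the example.

```python
"""Merchant-side SCA exemption pre-check (added example, not Stripe's code).

Assumptions, labelled here and in the lead-in:
  * Low-value exemption: transaction under EUR 30, and no more than EUR 100
    or 5 transactions since the card was last authenticated. The issuer keeps
    the authoritative counters; the copy below is the merchant's estimate.
  * Recurring charges are treated as merchant-initiated and out of scope only
    because the mandate was authenticated once at setup.
  * Whitelisting (trusted beneficiary) is held by the issuer; the merchant only
    knows about it second-hand, so the issuer may still challenge.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum


class Decision(Enum):
    OUT_OF_SCOPE = "out_of_scope"            # no SCA possible or required now
    REQUEST_EXEMPTION = "request_exemption"  # ask the issuer to waive SCA
    STEP_UP = "step_up"                      # send the customer through 3DS2


LOW_VALUE_LIMIT = Decimal("30")        # per-transaction ceiling (from the article)
LOW_VALUE_CUMULATIVE = Decimal("100")  # assumed cumulative ceiling since last SCA
LOW_VALUE_MAX_COUNT = 5                # assumed transaction count since last SCA


@dataclass
class Transaction:
    merchant_id: str
    amount_eur: Decimal
    merchant_initiated: bool = False  # off-session charge under an authenticated mandate


@dataclass
class CardState:
    """Merchant's estimate of the issuer's low-value counters for one card."""
    spent_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0
    whitelisted_merchants: set = field(default_factory=set)


def decide(tx: Transaction, state: CardState) -> tuple:
    """Return (Decision, reason) for a single transaction."""
    if tx.merchant_initiated:
        # The customer is not present, so SCA cannot be performed now. This is
        # only valid because the mandate itself was authenticated at setup.
        return Decision.OUT_OF_SCOPE, "merchant_initiated"
    if tx.merchant_id in state.whitelisted_merchants:
        return Decision.REQUEST_EXEMPTION, "trusted_beneficiary"
    low_value = (
        tx.amount_eur < LOW_VALUE_LIMIT
        and state.spent_since_sca + tx.amount_eur <= LOW_VALUE_CUMULATIVE
        and state.count_since_sca < LOW_VALUE_MAX_COUNT
    )
    if low_value:
        return Decision.REQUEST_EXEMPTION, "low_value"
    return Decision.STEP_UP, "no_exemption_available"


def record_outcome(state: CardState, tx: Transaction, authenticated: bool) -> None:
    """Update the counters after the issuer responded.

    A completed authentication resets both counters; an exempted transaction
    adds to them, which is what eventually forces a small purchase to be
    challenged again.
    """
    if authenticated:
        state.spent_since_sca = Decimal("0")
        state.count_since_sca = 0
    else:
        state.spent_since_sca += tx.amount_eur
        state.count_since_sca += 1


def run_sequence(txs, state: CardState, issuer_accepts: bool = True):
    """Apply the policy to a list of transactions, simulating the issuer's reply."""
    results = []
    for tx in txs:
        decision, reason = decide(tx, state)
        results.append((decision, reason))
        if decision is Decision.OUT_OF_SCOPE:
            continue
        # SCA actually happens when we step up ourselves, or when the issuer
        # refuses the exemption we asked for and challenges the customer anyway.
        sca_done = decision is Decision.STEP_UP or not issuer_accepts
        record_outcome(state, tx, sca_done)
    return results


if __name__ == "__main__":
    # Constructed sample: five EUR 25 purchases on a freshly authenticated card.
    card = CardState()
    purchases = [Transaction("shop-a", Decimal("25")) for _ in range(5)]
    for decision, reason in run_sequence(purchases, card):
        print(decision.value, reason)
```

Run as a script, the sample shows the first four €25 purchases qualifying for the low-value exemption and the fifth being stepped up because the cumulative €100 would be exceeded; passing `issuer_accepts=False` models a bank that challenges anyway, which resets the counters on every purchase. The point of keeping the counters merchant-side is not to enforce the rule but to avoid asking for an exemption the issuer is certain to refuse, which costs a round trip and a failed attempt before the challenge.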

One might argue that the design of SCA regulation could have better accounted for the complex internet business models that are increasingly common today (such as on-demand services) as well as modern fraud risk analysis based on machine learning.

But regardless of our viewpoint on it, SCA is coming, and its consequences will be hard for businesses who fail to prepare. This makes it even more important for merchants to start working on managing the upcoming additional friction and its impact on conversion rates now.

How could this shape internet commerce in Europe?

My attitude is that where there is a risk, there is opportunity. In the context of tighter rules, seamless checkout experiences and intelligent SCA exemption management will become a deep competitive advantage for internet businesses able to execute well. I can see this even benefitting tech-forward businesses which live and die by optimizing user experience (versus legacy businesses that are still making the transition from the offline world).

This applies especially to mobile commerce, where SCA may contribute to more adoption of biometric security in wallets like Apple Pay and Google Pay. Additionally, SCA may spur a wave of innovation in biometric security tools and mobile payment technology here in Europe as entrepreneurs spot gaps in the market for more secure, more user-friendly authentication experiences.

Let’s remain optimistic. It’s not the first time Europe has pioneered new standards in payments that reconcile security and convenience. Consider how it rolled out EMV standards over a decade ago to make chip and PIN more or less ubiquitous on the continent, while the US is still playing catch-up to this day.

History may repeat itself with SCA. In any case, wherever Europe goes, the world and how it pays will likely follow. Australia and other markets are expected to introduce similar legislation soon.

Ultimately, making the internet economy more secure is important for its long-term growth prospects. As consumer trust increases, so does the share of spending that happens online.

In that context, while SCA poses a significant challenge for European ecommerce in the short-term, it could turn out to be a significant milestone on the way to increasing online commerce in Europe, fulfilling the Digital Single Market, and raising the GDP of the internet. And that’s something we can all agree is a good thing.
