Last year’s implementation of GDPR was not the end of changes in terms of EU regulations influencing the eCommerce landscape. The second Payment Services Directive or (PSD2) is a new EU directive that means changes in the customer verification process for online transactions. These requirements, Strong Customer Authentication for eCommerce, or SCA, go into effect on September 14th, 2019. How ready is your business to implement these new regulations of robust customer authentication? Don’t fret. We’ve created this article to help you prepare your online business to comply with SCA requirements.
What is strong customer authentication psd2?
PSD2 aims at creating safer and more innovative online and mobile customer payments throughout the European Economic Area. It is an EU Directive that means “Payment Services Directive”. It went into effect on October 8, 2015. PSD2 is the second iteration of the Payment Service Directive (PSD).
While new, more intense verification processes might seem an inconvenience or extreme for both consumers and market managers, it’s necessary due to the increase in digital sales which attracts more opportunities for fraudulent activities. This brings us to why integrating a robust SCA into your customer payment verification equation will soon be mandatory.
What is the true meaning of Strong Customer Authentication (SCA) for eCommerce?
Strong Customer Authentication, or SCA, aims to result in more secure customer payments via a stringent second-level authorization for credit cards and eCommerce businesses located in the European Economic Area. How does it work?
Aspects for identifying customers under SCA
First off, SCA regulations stipulate that eCommerce businesses will have to implement a payment verification system to verify each customer is who he says he is. This means that customers’ identity must be confirmed via two of the three following aspects:
- Possession: i.e. The actual credit card itself, mobile device or smart card.
- Knowledge: i.e. Something only the customer would know, such as a password or PIN.
- Inherence: i.e. Characteristics unique to users. Examples are biometrics such as a fingerprint or facial scan, voice recognition, etc.
Strong Customer Authentication exemptions
Unless customers are able to verify the required above elements, their payments will be declined. However, there are some exemptions.
5 SCA exceptions and how they might impact your business
1. Secure corporate card payments are exempt from SCA when the transactions are made with a corporate card only if the card is ‘lodged’. For example, credit card information would need to have previously been stored with a travel agency that makes airline bookings on behalf of employees, etc. Also, if corporations use virtual card numbers for the transaction it may be exempt from SCA regulations.
2. Transaction Risk Analysis (TRA) is also a really important exemption. TRA estimates the provider’s fraud rates and if the rate falls and stays beneath a certain threshold, merchants can omit SCA requirements.
There are various fraud thresholds: starting with .13% for transactions under €100, .06% for transactions between €100 and €250 and .01% for transactions between €250 and €500.
3. Trusted beneficiaries. This exemption is one that merchants should implement to ensure smoother, hassle-free purchase experiences for frequent customers.
How it works: Cardholders can request their cards user on their ‘white-list’ do not need to go through SCA for future transactions following the initial purchase. In this scenario, the card issuer is responsible for managing their white lists which list trusted beneficiaries.
4. Merchant-initiated transactions are recurring fees associated with a health club membership, subscriptions, or a recurring purchase of the same monetary amount from the same eCommerce merchant. For customer convenience sake, this circumstance qualifies for SCA exemption (once the initial payment to the merchant is completed with SCA implemented).
5. Low-value transactions are also exempt from SCA regulations. In other words, customers purchasing under €30 from your online store are exempt from SCA. However, this is true only for the first 5 transactions below €30, or a purchase total of €100. Once the threshold of €100 is reached, SCA applies and the ‘transaction count’ is reset
How to prepare your eCommerce business for Strong Customer Authentication
We’ve curated the below list of steps you can take to get started in preparing your eCommerce business for Strong Customer Authentication:
- Make a list of your current payment methods that allows payments via credit cards.
- Update your Terms of Service and Privacy Policy pages with your SCA partners.
- Make visible to your visitors that your site is SCA ready to increase trust (be careful: make sure you use as simple language as possible).
- Speak to your lawyer to be 100% sure that you’ve taken all the mandatory measures.
List of SCA-ready payment gateways for eCommerce
Now you know what SCA is, how it impacts retailers and that you must have your payment systems upgraded prior to the September 14th deadline. However, you might be asking “How do I even start to set up this new innovative check out process?”
Setting up and implementing SCA is not something you need to do on your own! Smart marketers can turn to payment processors that are SCA-ready. Here are some payment gateways to check out to help you prepare for strong customer authentication for eCommerce:
- Stripe: On April 17, 2019, Stripe announced new SCA-ready products and updates in a Press Release December 07. 2018
- BrainTree: BrainTree offers 3D Secure 2.0 (3DS 2.0) as the solution for their merchants.
- PayPal: PayPal says they handle the authentication request and processing for their merchants.
- WorldPay: Check out how ready your business is for PSD2. WorldPay offers a Readiness Quiz to eCommerce marketers. Also, it has a full suite of tools for merchants to use.
Frequently Asked Questions about Strong Customer Authentication
- When is the implementation deadline for Strong Customer Authentication for every European eCommerce business? September 14, 2019.
- What are some Strong Customer Authentication examples? Something the user possesses, personal knowledge only the customer knows and finally, biometric data such as facial scans and fingerprints.
- What are the consequences for a non-SCA-ready eCommerce site after September 14th passes? Banks will decline payments that require SCA and don’t meet the above criteria. This means loss of sales and potentially losing your regular contracted clients if your eCommerce business is not compliant by September 14th.
- What about Strong Customer Authentication and Brexit (UK)? Yes. Even following Brexit, UK merchants must implement SCA regulations.
- Will SCA impact all types of bank cards (VISA, MASTERCARD, etc)? Visa and Mastercard already implement a verification process called 3D Secure protocol. It is a security protocol designed to provide an additional layer of security for online credit card/debit card transactions. They will maintain their 3D Security protocol after the September 14th PSD2 deadline. However, they will roll out a new upgraded protocol called 3D Secure 2 in 2019 to meet the criteria standards for SCA.
Conclusion
The eCommerce landscape and regulations continuously change, especially in Europe. This is why every eCommerce company must keep up with the latest industry changes and trends so you can act quickly in order to keep only the most beneficial partners. At the same time, reacting in a timely manner also allows companies to transform a potential threat (such as loss of sales if you miss the September 14th deadline) into an opportunity and leave the competition behind.
Don’t wait to September 14th, and by all means, don’t only rely solely on this Strong Customer Authentication guide. This is just the start. You also need to seek legal advice.
Now it’s Your turn.
Do you think SCA is a fair and reasonable regulation? Share your comments below!