Strong Customer Authentication

Opportunity or threat?

With the increasing popularity of online shopping, cybercrime has been rising too. Indeed, eCommerce fraud is putting online businesses under heavy pressure, as it has been increasing twice as much as eCommerce sales. That’s significant considering the still-growing online landscape, in which 95% of purchases are expected to happen by 2040.

Until now, online retailers as well as payment service providers have been facing a huge challenge: finding a balance between a good user experience and protecting their customers from criminal activities. Now the decision whether to take action or not has been taken away from them with Strong Customer Authentication.

In this article we will take a look at what SCA is and what it means for your eCommerce business.

If you are asking yourself at this point what SCA means, you are not alone. 73% of shoppers are unaware of this new European requirement. Strong Customer Authentication is a new European regulation that aims to impede fraud and make online payments more secure. It will affect companies managing online transactions as well as the way online shoppers make their payments. While until now the credit card number and the address were mostly sufficient, an additional step now serves as the ultimate authentication of the buyer.

How does it work?

SCA goes far beyond just typing an ordinary password.

With this new authentication process, the customer has to identify himself/herself with a combination of two of the three factors below, and an authentication code is generated:

  • Something the customer knows: PIN code or private password
  • Something the customer has: hardware token or phone
  • Something the customer is: fingerprint or face recognition

Which transactions are exempt from SCA?

  • Payment account information (under some conditions) – Article 10
  • Contactless payments at POS / in-person card payments (under some conditions) – Article 11
  • Transactions on unattended terminals for parking fees and transport fares – Article 12
  • Trusted beneficiaries (whitelisted businesses) – Article 13
  • Recurring payments & subscriptions (initial transaction will require SCA) – Article 14
  • Credit transfers between accounts held by the same natural or legal person – Article 15
  • Small purchases below €30 (under some conditions) – Article 16
  • Secure corporate payment processes and protocols – Article 17
  • Low risk payments (Transaction risk analysis TRA) – Article 18
  • Transactions where either the Issuer or Acquirer has a location outside the EEA – logical conclusion

However, exemptions should be carefully considered. The goal shouldn’t be to avoid authentication completely, but to minimize it.

Only one in two companies will be SCA compliant before the 14th of September.

When is authentication needed?

Strong Customer Authentication applies to payments which are initiated by the payer, who can be a natural person or a legal entity, and are made online in Europe. Consequently, most payments via card and bank transfer are affected by it.

Authentication is needed when a payment does not fall under one of the exemptions mentioned above, or when the bank has denied an exemption request. To keep the checkout process smooth, eligible exemptions might, depending on your Payment Gateway Providers, be requested automatically before the consumer is led to the authentication step.
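The decision described above, together with the two-out-of-three rule, can be sketched in a few lines. This is an added example, not code from any payment provider: the function names, factor labels and the sample payment are hypothetical, and the exemption handling follows only the list in this article.

```python
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something the customer knows"
    POSSESSION = "something the customer has"
    INHERENCE = "something the customer is"


# Hypothetical factor labels, mapped to the three categories from the article.
FACTOR_CATEGORY = {
    "pin": Category.KNOWLEDGE,
    "password": Category.KNOWLEDGE,
    "hardware_token": Category.POSSESSION,
    "phone": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
}

# Constructed sample: a small purchase whose exemption request the bank denied.
DENIED_SMALL_PURCHASE = dict(
    payer_initiated=True, issuer_in_eea=True, acquirer_in_eea=True,
    exemption_requested="Article 16", exemption_granted=False)


def satisfies_sca(verified_factors):
    """True only if the verified factors span two different categories."""
    # PIN + password is one category twice; unknown labels are not trusted.
    categories = {FACTOR_CATEGORY[f] for f in verified_factors
                  if f in FACTOR_CATEGORY}
    return len(categories) >= 2


def sca_needed(payer_initiated, issuer_in_eea, acquirer_in_eea,
               exemption_requested=None, exemption_granted=False):
    """Decide whether an online payment must go through SCA."""
    if not payer_initiated:
        return False  # SCA applies to payments initiated by the payer
    if not (issuer_in_eea and acquirer_in_eea):
        return False  # issuer or acquirer located outside the EEA
    if exemption_requested and exemption_granted:
        return False  # exemption accepted by the bank
    return True       # no exemption, or the bank denied the request


def checkout_allowed(payment, verified_factors):
    """Fail closed: a payment that needs SCA passes only with two categories."""
    return not sca_needed(**payment) or satisfies_sca(verified_factors)
```

A denied exemption falls through to the authentication step, so the checkout has to be able to step up to SCA even for payments it expected to be exempt.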

SCA – an enemy?

However, it’s definitely not easy to understand what customers favor: is it convenience or security? A GoCardless report, conducted in the UK, Spain, France and Germany, revealed that online shoppers are torn between a convenient shopping experience and heightened security measures. Even though security is perceived as more important, the percentage in some countries is only slightly higher than the wish for comfort.

You might hear a lot about low consumer tolerance and abandoned shopping carts due to long or complex checkout processes. Furthermore, 451 Research forecasts a potential economic loss of 57 billion EUR with the introduction of SCA. But let’s not forget the damaging impact of the online fraud that companies have been exposed to until now. Besides losing clients’ trust and reputation due to being vulnerable to online credit card fraud and data breaches, online retailers have to face losses due to chargeback fraud, which are often twice the sales price. Needless to say, the shipped goods are lost and chargeback fees add up on top.

SCA – an opportunity!

Instead of seeing SCA as the enemy, we recommend embracing this new European requirement and using it to create a competitive advantage. As only one in two companies will be SCA compliant before the 14th of September, it is your chance to shine.

Just like online retailers, payment providers are interested in creating a smooth and uncomplicated checkout process for clients, and they care just as much about an excellent customer experience. Consequently, you are in the same boat. Try to align your joint needs and emerge as winners.

Highlight the benefits of SCA over a bunch of inconvenient, complicated passwords, which are hard to remember because they have to meet several criteria. Furthermore, smartphone users are already quite familiar with biometrics and fingerprint usage, which is clearly in your favor.

SCA opens up the chance to integrate a variety of payment options. This new choice will be perceived positively by consumers.

And the most obvious and really significant point is the increase in trust, due to providing safe payment. Moreover, a digital ecosystem which offers secure online shopping will strengthen the confidence of consumers and will have a positive impact on eCommerce in the long run.

SCA Checklist

1. Audit your website to identify your Payment Gateway Providers.

2. Once you have a list, contact each of them to see what they are already doing for SCA and how they can support you.

3. Contact the agency that manages your website to understand the technical changes to be made.

4. Make sure not to neglect consumers without a smartphone.

5. Whenever a consumer is about to leave the checkout before completing it, show a pop-up informing them about the new regulation.

6. Ask your customers to whitelist your business with their banks.


Final thoughts

After your business has hopefully mastered GDPR successfully, SCA will challenge you another time. Burying your head in the sand is not an option, since it is legally binding for enterprises based in the EEA. There will always be people who shy away from the “new and unknown”, so take it as your mission to prove them wrong.

SCA will not be the reason to lose customers, but poor implementation and a lack of client communication will.