With the Second Payment Services Directive (PSD2) already live, the European Union’s Strong Customer Authentication (SCA) regulation is set to go into effect this month. The regulation, which aims to improve transaction security for customers and retailers, is likely to cause a lot of confusion as merchants brace for the change.
What Is SCA?
Strong Customer Authentication is the part of the PSD2 regulations that requires greater security for many transactions by using 2 of 3 forms of customer authentication. PSD2 went live in January 2018 with implications for all European companies that deal with payments. While PSD2 includes 11 mandates, one of the biggest implications is improving the security of e-commerce payments by increasing customer authentication.
Some transactions are exempt from SCA requirements, including:
- Trusted beneficiaries. Consumers can choose to add businesses they trust to a list of beneficiaries held by their issuing bank.
- Recurring transactions involving subscription billing, as long as SCA rules are applied to the first transaction and whenever the payment amount changes.
- Low-value transactions of less than €30.
Merchant Responsibilities Under SCA
Under the new guidelines, a merchant must provide card issuers with two authentication factors from customers for the transaction to be completed. The guidelines lay out three authentication factors:
- Inherence, such as a fingerprint or other biometric
- Possession, such as a credit card or device
- Knowledge, such as a PIN or password
Soon, millions of consumers will need to confirm they are who they say they are during e-commerce transactions by responding to communication over a mobile device, providing personally identifiable information, or using a fingerprint or facial scan.
Are Merchants Ready for the Change?
SCA is required to be built into an online merchant’s checkout flow by September 14, 2019, although research shows most e-commerce retailers are nowhere near ready. A Mastercard survey found just 25% of online retailers were even aware of the impending SCA regulations and, of these retailers, 24% had no plans to support the new requirements by the approaching deadline.
Retailers who are not equipped for the Strong Customer Authentication requirements will soon see declines on European-based transactions if they are not exempt from the regulations or they do not have 3D-Secure authentication to securely verify card-not-present (CNP) transactions.
According to one estimate from Stripe, European businesses may lose up to $57 billion within a year of SCA requirements going into effect. The same study found just 40% of businesses that were aware of the Strong Customer Authentication guidelines were ready to meet the requirements.
Which Retailers Are Affected by SCA?
European merchants aren’t directly responsible for meeting the requirements of SCA, as this falls on the issuers and acquirers within the European Economic Area (EEA). The EEA includes the 28 members of the EU plus Liechtenstein, Iceland, and Norway. However, retailers who do not adhere to the guidelines will likely see an impact on authorization rates for card-not-present transactions.
SCA is only required for transactions in which the issuer and acquirer are in the EEA. Retailers who contract with an acquirer that is located in the EEA, for example, will see declines on transactions made with cards issued in the EEA when SCA guidelines are not met.