Europe’s SCA Rules Spell Big Change for Businesses
If you’ve bought something online recently, you may have received a confirmation code sent to your phone. Most of the time, you have your mobile on hand and can complete your purchase in seconds.
New EU rules, which came into force on 19th September 2019, are taking the verification process one step further. Strong Customer Authentication (SCA) now requires two-fold authentication for online transactions over €30.
SCA is currently a European matter, but where the EU leads on payment innovation, the e-commerce world follows.
The changes are predicted to have the same massive impact as chip and pin did in 2004. With payment fraud costing businesses billions of dollars, the EU has acted to protect its citizens from online payment fraud, but at what cost?
What’s Going On?
SCA means customers can no longer just check out online using their credit or debit cards if the transaction is over €30, which is about $33 USD. They will also need to provide an additional form of identification. So far, these rules will only apply to transactions in the European Economic Area (EEA), where both the consumer and business reside in the region.
There are fears SCA will slow the checkout payment process, meaning millions of European shoppers may cancel their purchases mid-flow, which could have a serious impact on revenue.
In response, the banks and payment service providers (PSP) are under pressure to maintain SCA anti-fraud measures, while ensuring consumers can buy goods and services easily.
How Will SCA Affect You?
If someone in the European Economic Area (EEA) spends more than €30 on one transaction, they will receive an additional password verification request. Usually, this will involve a passcode message sent to their phone, a biometric fingerprint, or voice recognition request.
Banks and payment service providers (PSP) will be asked to implement two-factor authentication using two of these three features:
- Something the consumer knows (e.g., password, ID number, etc.)
- Something they possess (smartphone)
- Something unique to them (biometric fingerprint, etc.)
The banks and PSPs will decide which two elements they want customers to use. Direct debits will not be affected as they’re catered for by the PSP. The question is whether European businesses are ready for these changes.
Where Will SCA Take Place?
The new EU banking rules will apply to transactions where registered businesses and the cardholder’s bank are in the European Economic Area (EEA). It includes all current EU countries and Iceland, Liechtenstein, and Norway.
USA, Canada, and non-EEA businesses could be affected if an EEA cardholder uses a global payment service provider and spends more than €30 in one transaction. Worldwide firms may experience a drop in revenue if they don’t educate their customers about these changes.
Will SCA Impact Upon Your Business?
If you have a European online business, and your customers are in the EEA, then SCA is impossible to ignore.
Most single card payments and all bank transfers within the EEA will require two-factor authentication. During the online checkout stage, customers will notice an extra step where their bank will prompt them to provide additional information to verify their payment.
What Happens If My Business Is Not Ready?
European banks can now decline online cardholder payments if they don’t abide by SCA rules. There are exceptions to Strong Customer Authentication rules: transactions under €30 are seen as “low value” and, therefore, don’t require two-factor authentication.
All EEA-based ‘customer-initiated’ transactions, such as single card payments and bank transfers, will be subject to SCA rules. Ongoing payments made by merchants, such as a direct debit, are exempt and will operate without two-factor authentication.
If your business is not ready for SCA, then you risk lower sales due to payment friction, or a shutdown in sales altogether if you cannot accommodate these changes. Any conflict at the checkout can make a customer change their mind if the payment process takes too long or is overly complicated.
Online Revenue Could Fall
While SCA is designed to help keep consumers safe from fraud, slowing down the payment process by adding this extra step may affect sales. Similar anti-fraud legislation introduced in India led to conversion rates dropping by 25% overnight across impacted businesses.
71% of Europe’s businesses are reported to believe the cost of SCA is ‘significant.’ It could well result in lower sales if payment service providers cannot align the anti-fraud rules with a seamless checkout experience.
Consumers in rural areas with poor mobile signals may also be affected by the changes. Many households are currently unable to receive SMS confirmatory codes from their payment providers. Likewise, if you don’t have a mobile phone, then you would be unable to use that method of authentication, although there are alternative security methods, such as providing the last four digits of your credit card or email confirmation.
How Will SCA Work in Practice?
In response to SCA, a new version of 3D Secure (the pop-up VISA fraud initiative) is launching. 3D Secure 2 (3DS2) is expected to be the primary card authentication method to facilitate SCA in the European Economic Area.
All notable payment service providers (PSP), businesses and e-commerce stores in the EEA that accept electronic payments, and the banks overseeing them, must now be SCA-compliant. The 3D Secure standard, best known as Visa Secure or Mastercard Identity Check, aims to reduce fraud and make online payments more secure.
From 19th September 2019, banks will start rolling out a new version of 3D Secure. Any non-SCA compliant transactions attempted after this deadline can be declined by the customer’s bank.
Are You Ready for SCA?
In late 2018, a reported 86% of European online businesses were not yet compliant with SCA rules. 75% of companies were not even aware of the legislation.
Since two-factor authentication is here to stay, businesses should get ready to deliver and avoid disappointing customers. Even if your business is not in the EEA, it’s sensible to pay close attention to any changes in two-factor authentication.
What Do European Businesses Need to Do?
Payment service providers (PSPs) are primarily responsible for implementing SCA. For example, if your business uses PayPal as a payment merchant, then they will be obliged to introduce these changes. Right now, it appears that the banks and PSPs must ensure they are SCA compliant.
If your business, however, handles payment directly, then you may want to make some changes to your payment process. For example, if your online store uses PayPal Pro Direct, then you’ll need to ensure the card provider can enable two-factor authentication by updating the payment process.
Check with Your Payment Service Provider (PSP)
If you have any doubts, then check with your payment service provider to see that you have everything in place. The onus is on you to make sure. Your PSP may have an SCA update on their website, which will give you the information you need. As a business, you must take responsibility and see whether you’re compliant with SCA regulations.
Keep Your Customers Informed
If you have a European-based business, you’ll need to educate your customers about the new payment rules.
Let them know via email and social media that you are making changes to their payment experience, and update your website with information. Customers are entitled to know what’s expected of them when they buy something from your store. Otherwise, you risk disappointing them if the payment process is longer than expected.
Maintain Your Customers’ Confidence
Customers will feel more comfortable if they are made aware of SCA changes. They’re also more likely to make purchases without getting frustrated. They are likely to be more patient and understanding of your business if they’re familiar with the new rules.
Make sure your customers are on your side by keeping them up-to-date with SCA.
Get Ready for SCA
If you want repeat sales and regular customers, your payment operation has to run like clockwork. Making a positive case for SCA and explaining the rules will benefit your business in the long run.
Customers will feel more comfortable using your business if they know how your system works. Also, they are far more likely to recommend your company if the payment process runs smoothly.
Even if your business resides outside of the European Economic Area (EEA), online payments are constantly evolving, so get on the front foot and prepare. Let your customers know that two-factor authentication exists for their protection, as no one wants to be playing catch up at the checkout of the future.
Have you heard of SCA before? Do you think it will impact on your business? If you have experience of these changes then let us know and share your thoughts with the Namecheap community.
Disclaimer: The information in this article is provided for general information purposes only. No information in it should be construed as legal advice from Namecheap Inc. or the author. Nor is this information intended to be a substitute for legal counsel on any subject matter and no reader should act or refrain from acting on the basis of the information provided. Readers should seek the advice of appropriate legal counsel regarding the application of the SCA on their particular business and circumstances.
Stop the fearmongering. As a European, I have been using this double verification for years already and it didn’t change anything. Verifying the purchase requires me to pull out my phone, scan a QR code, type my password and done. Yes, it takes a bit more time but it is actually safer for businesses too! So far, when a customer bought something on your website with a stolen credit card, the actual owner would be refunded and the seller never saw his money. With this system, you can know for sure that the customer is real.
Hi Eric, Thank you for your comment. We appreciate the feedback. Firstly, I’m glad to hear it works for you. In writing the article, we were looking to provide an informal overview of SCA rules, as many businesses and consumers may not be aware of the changes. It will be interesting to see how it pans out and whether the EU achieves its goal of reducing online payment fraud.
Maybe merchants can split the payment into several $30 “micro” payments automatically before sending the request to the bank 😉
I see what you did there 🙂