How e-commerce businesses can prepare for strong customer authentication (SCA)

Zoe Brown
7th August 2019

Losses through online card fraud in the UK totalled £671.4 million last year, according to UK Finance's 'Fraud the Facts 2019' report. The same report states that a total of £1.12 billion in card fraud was prevented in 2018. Although this shows the work of banks and card companies is having some impact on online fraud, the techniques and technology used by cyber criminals evolve at an even quicker rate.

The need to reduce fraud, make online payments more secure, and improve consumer confidence in online transactions is the reason behind new legislation in the EU. The Revised Payment Services Directive (PSD2) and its Regulatory Technical Standards contain new requirements for the authentication of online payments, known as strong customer authentication (SCA), which were due to come into effect on 14th September 2019.

Note: PSD2 is in addition to the GDPR compliance requirements that came into force May 2018.

However, payment providers and e-commerce merchants warned officials that over a quarter of payments would be impossible to complete if the September deadline remained, because the industry was not ready. The FCA has recently confirmed an 18-month delay to enforcement of the SCA rules under a longer transition plan: businesses won't face enforcement action after September this year if they can show they have taken steps to comply with the new rules.

Although businesses now have until March 2021 to comply fully, it's still vital for online retailers to understand the new regulation and start preparing sooner rather than later. In this article, we'll cover what SCA entails, how it works, and what your business needs to do to prepare.

What is SCA?

Strong customer authentication will apply to transactions where both the business's and the cardholder's payment providers are in the European Economic Area, and it will still apply in the UK after Brexit. A form of two-factor authentication, SCA adds extra levels of authentication to the online checkout process by requiring the consumer to present at least two of the following, from different categories:

  1. Something they know: for example, an account password
  2. Something they have: such as receiving a code via their phone
  3. Something they are: for example, a fingerprint or face recognition

While this adds another step to completing an online purchase, the aim is to make online transactions more secure by double-checking that the person paying is the cardholder: a stolen card number alone no longer satisfies the check.

SCA will apply to the majority of online card payments and bank transfers, and many banks began rolling out changes from April this year, so you may well have experienced SCA yourself already.

While it will apply to most transactions made online, there are some exemptions, and it is the card issuer (and, for some exemptions, the acquirer) that applies them, not the merchant: a merchant can request an exemption, but the cardholder's bank can still insist on authentication. Low-value payments of 30 EUR or less can skip SCA, subject to limits the issuer tracks on the cumulative amount and number of such payments since the card was last authenticated. Payments judged low risk under transaction risk analysis (which depends on the fraud rate of the issuer or acquirer) and subscriptions or recurring transactions (with some conditions, and only after the first payment in the series has been authenticated) are also exempt.
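The low-value exemption is easy to misread as "anything under 30 EUR is exempt". The following is an added example, not code from Nominet or any payment provider, that models the issuer-side counters the exemption actually depends on: the per-transaction ceiling of EUR 30 and the cumulative limits of EUR 100 or five transactions since the last successful SCA, as set out in the PSD2 Regulatory Technical Standards. The class, function and constant names, and the sample sequence of payments, are the example's own; it counts the current payment towards both cumulative limits (the stricter reading) and assumes every required challenge succeeds.

```python
"""Issuer-side model of the PSD2 low-value exemption (illustrative only)."""
from dataclasses import dataclass
from decimal import Decimal

# Thresholds from the PSD2 Regulatory Technical Standards (Article 16).
# The constant names are this example's own.
LOW_VALUE_LIMIT = Decimal("30")     # per-transaction ceiling
CUMULATIVE_LIMIT = Decimal("100")   # spend since the last SCA
COUNT_LIMIT = 5                     # payments since the last SCA


@dataclass
class CardState:
    """Counters an issuer keeps per card since the last successful SCA."""
    amount_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0


def requires_sca(state: CardState, amount: Decimal) -> bool:
    """True if the issuer must challenge this remote card payment.

    The exemption applies when the amount is at most EUR 30 AND either the
    cumulative spend OR the number of payments since the last SCA is within
    limit. This example counts the current payment towards both limits.
    """
    if amount > LOW_VALUE_LIMIT:
        return True
    within_amount = state.amount_since_sca + amount <= CUMULATIVE_LIMIT
    within_count = state.count_since_sca + 1 <= COUNT_LIMIT
    return not (within_amount or within_count)


def record(state: CardState, amount: Decimal, sca_applied: bool) -> None:
    """Update the counters once the payment has been authorised."""
    if sca_applied:
        # A successful challenge resets both counters.
        state.amount_since_sca = Decimal("0")
        state.count_since_sca = 0
    else:
        state.amount_since_sca += amount
        state.count_since_sca += 1


def simulate(amounts):
    """Run a sequence of payments on one card; return which needed SCA.

    Assumes every required challenge succeeds, so the counters reset.
    """
    state = CardState()
    decisions = []
    for raw in amounts:
        amount = Decimal(str(raw))
        challenge = requires_sca(state, amount)
        record(state, amount, sca_applied=challenge)
        decisions.append(challenge)
    return decisions


# Constructed sample: six EUR 25 payments, then EUR 20, 45 and 10.
SAMPLE = [25, 25, 25, 25, 25, 25, 20, 45, 10]

if __name__ == "__main__":
    for amt, sca in zip(SAMPLE, simulate(SAMPLE)):
        print(f"EUR {amt:>3}: {'SCA required' if sca else 'exempt'}")
```

Running the sample shows the point: the first five EUR 25 payments pass (the fifth is over the cumulative EUR 100 but still within the five-transaction limit), the sixth is challenged, the EUR 45 payment is challenged regardless of history, and each successful challenge resets the counters. A merchant cannot see these counters, which is why the decision belongs to the issuer and a merchant's exemption request is only a request.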

How does it work?

To support the new legislation, a new version of 3D Secure (3D Secure 2, or 3DS2) is being rolled out. 3D Secure originated as Visa's Verified by Visa programme and is now an EMVCo standard used by all the major card schemes; the first version redirected the shopper to a separate page or pop-up to confirm their identity, while 3DS2 lets the merchant pass richer transaction data to the issuer so that low-risk payments can be authenticated without a visible challenge. Stripe publishes a guide to 3D Secure 2 that explains how this works and whether it improves on the current offering.

Reputable payment service providers (PSPs), the businesses that offer the online services which allow e-commerce stores to accept electronic payments, and banks will be making changes to ensure that they, and the businesses that use their products, are compliant. Once enforcement begins, transactions that are in scope but have not been authenticated can be declined by the customer's bank.

What does your business need to do?

Check with your payment processor and bank:

If your business uses a PSP with a hosted checkout, so that customers are redirected to the provider (for example PayPal) to complete their purchase, the chances are you won't have to do anything. In most cases it's not the e-commerce store that is directly responsible for meeting the new requirements; that falls to the banks and payment service providers, and it's through these PSPs that e-commerce stores commonly gain access to 3D Secure.

If your business handles payments directly on your website, however, you may need to change your checkout process so that the card issuer can perform SCA checks. For example, if you use PayPal Pro Direct you'll need to update the payment integration.

Either way, and even if you're confident the platform, integrations, and bank you're using will ensure your compliance with SCA, check with your providers. They may already have information on their websites explaining what changes you and your customers can expect to see in your e-commerce store.

For example, Apple Pay and Google Pay already support payments with an added layer of authentication, while PayPal Pro will automatically upgrade its payment process. Shopify also reassures users (in certain countries) that they'll be compliant automatically, as do payment processors such as Stripe. Again, it's your responsibility to check that your business will be compliant, whether directly or indirectly.

Check how your customers could be impacted:

Although SCA is designed to keep customers safer when making online payments, the new process adds an extra step, and extra time, to the checkout.

This is expected to have a knock-on effect on conversion rates, causing some drops while online consumers become accustomed to entering a second piece of authentication information. The launch of a similar piece of legislation in India reportedly saw conversion rates drop by 25% overnight across affected businesses.

Even if your suppliers are going to ensure your business is compliant, it's important to spend some time thinking about how the customer journey through your website's checkout process will be affected.

You may wish to tell your customers about your compliance plan and make them aware of the specific changes they can expect to see on your website. They may seek reassurance from your business as the updates roll out, and addressing the topic in your FAQs or a blog post can help to address any concerns before they encounter your new checkout process.

If you’re looking for further information on how strong customer authentication could impact your business, or if you’d like to check your compliance, contact your payment provider, e-commerce solution, or bank directly. Stripe and GoCardless also have some helpful in-depth guides. 

The information in this article is for general guidance and is not legal advice. We have tried to ensure that this guidance is accurate and relevant as at August 2019. However, Nominet UK will not accept liability for any loss, damage or inconvenience arising as a consequence of any use of or the inability to use any information contained in this guidance.