What is Strong Customer Authentication (SCA)?
If you’re a resident within the EU then you may have already heard about Strong Customer Authentication (SCA). If you’re one of those people who haven’t, then on the 14th September 2019 new regulations around authorising payments will be introduced by European banks.
These new regulations are designed to help reduce fraud and make online payments more secure in general. Practically this means that the biggest change to making an online payment after this date is that banks will require at least two forms of authentication out of a possible three elements. This follows the age old security best practice of requiring:
- something the customer knows (e.g. password or PIN)
- something the customer has (e.g. phone or hardware token)
- something the customer is (e.g. fingerprint or face recognition)
What happens if I’m not SCA ready?
From the scheduled implementation date, banks will begin to decline “customer-initiated” online payments within Europe that do not satisfy SCA criteria. This doesn’t mean that all payments will be blocked; there are some exemptions to Strong Customer Authentication - the most common likely to be “low value” transactions under £30.
Stripe shows the potential revenue loss on accounts if SCA was already in effect. The chart estimates the European payment volume that may have required authentication.
Businesses that are not prepared for these new regulations could see conversion rates drop significantly.
But what about Brexit?
SCA regulation is expected to be enforced in the UK regardless of the outcome of Brexit. This means that anyone taking online payments from European customers needs to have SCA on their radar.
How does it work now?
As it currently stands, most existing (none SCA ready) payment processes are quite simple, and either fail or succeed. They do sometimes require an additional authentication step, commonly known as 3D Secure (Visa Secure / Mastercard Identity Check), where the customer is redirected to another page, and the bank asks for a code or password to authenticate the actual payment, but this extra step can add friction and in the worst cases lead to customers abandoning orders.
With the new 3D Secure 2 standard, which powers a lot of the SCA regulation under the hood, we are able to add a more streamlined authentication process, improving the purchasing experience for customers when compared to the current 3D Secure.
Now when a payment is processed, banks will have the ability to request additional authentication from the customer, but following the new 3D Secure 2 implementation. This can all be handled in a single page load, with multiple authentication processing requests, before a bank decides whether to approve or reject the payment.
Essentially the new standard is win, win. A more optimised flow for customers, but with additional fraud protection and improved security!
How we have prepared our clients for Strong Customer Authentication
Our preferred payment provider is Stripe. They make taking online payments a breeze, providing a secure service with excellent documentation. They recently shipped their latest APIs that support the new authentication methods. We’ve been hard at work updating and testing our clients payment flows to ensure business as usual once the new requirements come into force.
In practice this means that our payment integrations now have an optional extra step for authentication (should a bank request it), all baked in to our checkout flow which is designed to be as frictionless as possible for the customer.
Need help getting SCA ready?
It’s fair to say we’ve got the right experience when it comes to handling new SCA regulation. The changes come into force on the 14th September 2019 and are expected to make a significant impact on e-commerce within Europe.
Get in touch with us if you’d like to explore how we could help you get ready for the SCA deadline.
Jason focuses on delivering functionality that really hits the mark. He can usually be found puzzling over a new development challenge, or working away on some of Engage’s longer term projects.