What SCA means for your company - and how to prepare
Reading time: 4 minutes
Online payments have made tremendous advances in the past five years. As easy as they may seem today, even the simplest checkout experience is still supported by a complicated financial system. Every time you sign up for a new streaming service or click “purchase” in your shopping cart, you’re interacting with a complex web of payment gateways, card networks, bank servers - and legal bodies that oversee it all. Recently, Europe has introduced new legislation that will add to that complexity and could cost European businesses up to €57 billion.
As of September 14, 2019*, European merchants and customers will become subject to a new set of regulations known collectively as Second Payment Services Directive (PSD2). One requirement of PSD2 is Strong Customer Authentication (SCA), which is designed to reduce credit card fraud online. This will require European credit card users to prove their ownership with multi-factor authentication by demonstrating at least two out of the following three:
- Something they know (like a PIN)
- Something they have (like a cell phone)
- Something they are (like a fingerprint)
In this new world of SCA, your standard online payment will have one extra step called authentication, before the transaction can be completed. This authentication step is performed using a protocol called 3D Secure 2 (3DS2). Note the “2” - an earlier implementation that allowed cardholders to authenticate exists, but has a lot of drawbacks, including very limited support for mobile devices. This means that while some customers may be familiar with the authentication step, many are likely to be new to the process, and those who aren’t may have negative memories of their previous experiences.
This is where the potential for loss lies. European businesses need to prepare their online payment flows for a new, legally compliant authentication step, but they must do so with their customers in mind. And while the new 3DS protocol alleviates a lot of the previous version’s issues, it’s up to businesses to design payment flows that won’t frustrate or isolate their users. Customers have a low tolerance for workflows that they find complicated or untrustworthy and may abandon their purchase if they encounter too much friction.
There are many guides for becoming SCA compliant, but what’s the best way to do it without frustrating and driving away customers? Let’s take a look.
Don’t rely exclusively on exemptions
Under SCA, certain transactions are eligible for exemptions including recurring payments of the same amount, payments initiated by merchants (often while the customer is offline), and payments under €30.
This is extremely useful to be aware of for many businesses, but equally important is knowing that whether or not any given transaction will be granted an exemption is up to the discretion of the cardholder’s bank. Different banks will inevitably have different ways of determining whether or not an exemption request will be allowed. Even if you are 100% sure that your transaction should be legally exempt, bank algorithms may still issue an SCA-challenge and require your customer to authenticate before the payment will be processed.
In other words, it’s important to think of exemptions as a way to minimize authentication in your payment flow rather than avoid authentication altogether. While making your business SCA-compliant, make sure you build in tolerance for failure by creating a customer-friendly recovery flow. Think about how to best bring an unanticipated need for authentication to your customer’s attention. Be aware that as we enter the first few months of SCA enforcement, this will likely be a new experience for them – make it a good one.
Be flexible and informative toward your customers
SCA requirements will introduce a brand-new step to the payment flow for most customers, and may even require you to collect information that was previously optional such as card verification codes (CVC) and postcodes. Remember to be sensitive to how this may appear to your customers the first time they go through this flow. A significant portion of customers aren’t aware of the new rules or may not understand how it benefits them.
Though this is sure to change over time, consider how you can make your customer experience better through demonstrating empathy for this confusion in your payment workflow. Include orienting information for your users to ease their transition. For example, when using a credit card, you may wish to advise your users that they might be presented with a pop-up from their bank, or they may be asked for additional information to prevent fraud.
Where possible, it is worth considering offering your customers the ability to use alternative payment methods. As previously stated, SCA requirements apply to credit card transactions only. Providing alternative payment methods will give your customers another route to complete their transactions while you gather data on how your payment flow is performing so that you can improve it over time.
Check in with your payment providers
Finally, the best way to be prepared is to check with your current payments provider and see what they’re already doing in order to make SCA compliance easier for you. Many payment gateways are publishing guides for their users and will be able to provide you with in-depth information tailored to your solution.
In particular, they’ll have detailed information on how to upgrade your technical solution so that you’re ready to process payments with an authentication step. Consult with your payment provider(s) for more information!
The most important thing is to start now in order to meet the September 14, 2019 compliance deadline. Otherwise, you may not be able to process transactions involving cards with European issuers.
Even if your business is located somewhere not yet affected by SCA, it may be in the future. These regulations are meant to improve security for credit card users on the web, and as such, it’s likely that we’ll see similar regulations come into play in other economic areas. It certainly won’t hurt to keep an eye on how this will affect the world of online payments for the better.
Although the deadline for SCA-readiness remains September 14, the European Banking Authority has opted to allow national regulators to phase in or postpone enforcement for select banks. The FCA has since opted to phase in enforcement over an 18 month window for the UK.