View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Analysis
March 29, 2019updated 04 Apr 2019 6:05pm

Thought GDPR was complex? Get ready for SCA!

By Iain McDougall

Europe is bracing itself for a big shake-up in how we pay for things online. This is going to have significant consequences for businesses across the region, writes Iain McDougall

Just as GDPR affected the way millions of organisations handle personal data, Strong Customer Authentication (or SCA) will have profound implications for how businesses accept online transactions and how we pay online when it’s introduced on 14 September.

SCA requires an extra layer of authentication for online payments. Where a card number and address once sufficed, customers will now need to include at least two of the following three factors to do anything as simple as order a taxi: something they know, something they own, and something they are.

Why is this happening?

The new rules are designed to protect European consumers from billions of euros in attempted online fraud. European internet commerce is expected to grow to $1 trillion by 2022, and online fraud will grow with it.

The European Central Bank now estimates around €1.3 billion in online fraud on European cards each year. At Stripe, we see and prevent more than €3.5 billion in fraud globally per year. Along with the six million Europeans who make their living in internet commerce, we welcome any attempt to thwart fraudsters.

But SCA could cost European online businesses, with additional friction cutting conversion rates. Similar regulation in India in 2014 saw an overnight conversion drop for some firms of over 25%. The same in Europe would cost the online economy €150bn.

What should internet businesses do to prepare?

Get prepared early. With just 25% of European merchants aware of SCA, there may be a last-minute rush as we get closer to the deadline, similar to the dash ahead of GDPR last year.

SCA is no less complex than GDPR. It is interpreted differently by national regulators, card networks and issuing banks, each with their own rules and policies. But there are some overarching principles for businesses getting ready for SCA.

Firstly, ensure you’ve minimised friction in the checkout for all relevant payment methods. Different payment methods will be more suitable for certain business models – whether that’s biometric security in mobile wallets or 3D Secure 2 – and customer preferences will vary. So, internet businesses need to build choice into their checkout experience, so the most relevant SCA-compliant payment method is available.

Second, adapt to the variations within SCA. It won’t apply to every online transaction. There are exemptions for recurring identical payments and purchases under €30, for example. Customers can also whitelist businesses with their issuing bank, so they don’t need to authenticate themselves for any future purchases.

This is particularly important for businesses built on repeat custom. Unfortunately, exemptions ultimately depend on the customer’s bank. For a business operating in multiple European markets, managing exemptions themselves means working directly with local banks – and there are more than 6,000 banks in Europe.

Businesses will have to decide whether this is the best course of action or if they want to find a strategic partner to help them deal with SCA.

How could this shape internet commerce in Europe?

Where there’s risk, there is always opportunity. Seamless checkout experiences and intelligent exemptions can be a competitive advantage for internet businesses. This is especially so for tech-forward businesses which live and die by optimising user experience (versus legacy businesses that are still making the transition from the offline world).

SCA may spur a wave of innovation in biometric security tools and mobile payment technology as entrepreneurs spot gaps in the market for more secure and user-friendly authentication experiences.

It’s not the first time Europe has pioneered new standards in payments that marry security and convenience. Rolling out EMV standards over a decade ago made chip and pin more or less ubiquitous on the continent, while the US is still to this day playing catch-up. History may repeat itself with SCA. In any case, wherever Europe goes, the world will likely follow. Australia and other markets are expected to introduce similar legislation soon.

Ultimately, making the internet economy more secure is important for its long-term growth. As consumer trust increases, so does spending. So, while SCA poses a significant challenge in the short-term, it could significantly boost online commerce in Europe, fulfil the Digital Single Market, and raise the GDP of the internet. And that is just what we aim to achieve at Stripe.

Iain McDougall is UK and Ireland country manager at Stripe

NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. A weekly roundup of the latest news and analysis, sent every Wednesday.
I consent to GlobalData UK Limited collecting my details provided via this form in accordance with the Privacy Policy


Thank you for subscribing to Electronic Payments International