What is Strong Customer Authentication?

While many UK businesses are still struggling with GDPR, a new law will come into effect in autumn 2019 for ecommerce retailers.

This September, the European Union will implement new rules for online payments. Strong Customer Authentication will seek to make online payments more secure through authentication. It will affect all online vendors in the EU, as well as 300 million consumers.

How does Strong Customer Authentication (SCA) work?

The new law will require European consumers to use two-factor authentication when making a purchase. This is essentially another method of identifying themselves securely – for example, through a second password or a fingerprint. Any online vendors that do not offer two-factor authentication will have their payments automatically declined by the bank.

Exceptions to the law

Not all payments will be impacted by the new regulation. For example, recurring direct debits will be considered “initiated by the merchant” – saving customers a lot of bother. Likewise, contactless payments, such as Apple or Google Pay, will not be affected. In-person card payments are also considered a secondary authentication. Repeat customers may find that they only need to identify themselves through two-factor authentication once. If the merchant whitelists the customer, he or she may be exempt.

The background of SCA

The new laws are a further development of the Payment Services Directive, which launched in 2015. Its purpose was to regulate all payment services throughout the European Union and the European Economic Area. This would provide consumers with additional security, and allow for more convenient payment methods, for example through non-banking services.

Part of this directive was “common and secure communication”. This requires certificates for website authentication, as well as electronic seals. Now, the new directive will provide an additional layer of anti-fraud protection for consumers.

What to do as an ecommerce retailer

Akin to GDPR, the new law is likely to cause some trouble for online vendors. Primarily, sellers will have to collaborate with banks to ensure they all have the same definition of two-factor authentication. With 6,000 banks in Europe, there may be delays as banks scrabble to agree on these definitions. Likewise, consumers will need to be educated on what counts as two-factor authentication, for example voice or facial recognition, fingerprints or a PIN. The new law comes into effect on September 14.

To prepare for the changes, online retailers should:

Educate their teams

Research shows that only 25% of online merchants are aware of SCA. You can find out more about how your business will be affected by reading the guidelines from Ecommerce Europe.

Research alternative payment methods

Some fintech companies have been preparing for SCA for a while. For example, payment technology provider Stripe recently acquired Touchtech Payments, which offers SCA technology. Similarly, the company has also launched Stripe Billing, designed to make SCA compliance easier for online subscriptions. The software will identify when customers need to authenticate themselves, making transactions more convenient, thereby increasing conversions for retailers.

Inform their customers

To make the transition easier and avoid any surprises, you should forewarn your customers of the new changes. Consider a personalised email to your customer database, or a notification on your homepage, similar to a cookies bar.

Online sales are forecast to grow by 17% across Europe in the next few years. While SCA may take some getting used to, it will ultimately benefit both retailers and their customers.