Europe is bracing itself for a big shake-up in how we pay for things online, which will have significant consequences for businesses across the region. Similar to how GDPR hugely impacted how millions of organizations handle personal data when it was enforced
last year, Strong Customer Authentication (or SCA) will have profound implications for how businesses handle online transactions and how we pay for things in our everyday lives when it is enforced on 14 September.
SCA will require an extra layer of authentication for online payments. Where a card number and address once sufficed, customers will now be required to include at least two of the following three factors to do anything as simple as order a taxi or pay for
a music streaming service. Something they know (like a password or PIN), something they own (like a token or smartphone), and something they are (like a fingerprint or biometric facial features).
Why is this happening?
The new rules are designed to protect European consumers from billions of euros in attempted online fraud. As European internet commerce is expected to grow to $1 trillion by 2022, online fraud grows with it: the European Central Bank now estimates around
€1.3 billion in online fraud on European cards each year. At Stripe, we see and prevent more than €3.5 billion of fraud attempts globally per year. Along with the six million Europeans and counting who now make their living in internet commerce, we welcome
any attempt to thwart bad actors.
But SCA could come at a heavy cost for European online businesses. Without careful preparation, failed transactions and additional friction will have a significant negative impact on conversion. When similar regulation was enforced in India in 2014, some
businesses reported an overnight conversion drop of over 25%. If the same were to happen in Europe’s €600 billion online economy today, we would be facing a potential economic loss of €150bn.
What should internet businesses do to prepare?
It’s best to get prepared early: With only 25% of European merchants aware of the upcoming changes, there may be a last-minute rush as we get closer to the deadline, similar to the dash many businesses made last year in the run up to GDPR.
SCA is certainly no less complex than GDPR. The overarching EU regulation is interpreted differently by national regulators, card networks and issuing banks have their own set of rules and policies, and there are important payment exemptions for when SCA
is not required. For most businesses, this is bewildering, but there are some overarching principles to apply when getting ready for SCA.
Firstly, calibrate your checkout experience to minimize friction with the most appropriate payment method. From biometric security in mobile wallets to regional non-card payment methods to 3D Secure 2, there are various ways businesses can let their customers
authenticate themselves in an SCA-compliant manner. Different payment methods will be more suitable for certain business models, and customer preferences will vary depending on geography and their relationship to the business. Given this, internet businesses
need to build maximum optionality into their checkout experience, so the most relevant SCA-compliant payment method is dynamically surfaced depending on the context.
Second, optimize for when SCA is needed and when it isn’t. SCA won’t apply to every online transaction. There are exemptions for recurring payments and purchases under €30, for example, so give thought to the situations when you do not need to send a customer
a stepped-up authentication request. What is more, customers can whitelist businesses with their issuing bank, so they don’t need to authenticate themselves for any future purchases. This is particularly important for businesses who have repeat customers.
Unfortunately, granting exemptions ultimately depends on the customer’s bank. For a business operating in multiple European markets, managing exemptions themselves would mean working directly with local banks to understand exactly how to trigger them -- and
there are more than 6,000 banks in Europe. Businesses will have to decide whether they want to become SCA experts themselves or find a strategic partner that will help them abstract away the complexity of the challenges that come along with the new regulation.
One might argue that the design of SCA regulation could have better accounted for the complex internet business models that are increasingly common today (such as on-demand services) as well as modern fraud risk analysis based on machine learning. But regardless
of our viewpoint on it, SCA is coming, and its consequences will be hard for businesses who fail to prepare. This makes it even more important for merchants to start working on managing the upcoming additional friction and its impact on conversion rates now.
How could this shape the internet commerce in Europe?
But where there is risk, there is always opportunity. In the context of tighter rules, seamless checkout experiences and intelligent SCA exemption management will become a deep competitive advantage for internet businesses able to execute well. In one way,
this may even benefit tech-forward businesses which live and die by optimizing user experience (versus legacy businesses that are still making the transition from the offline world). This applies especially to mobile commerce, where SCA may contribute to more
adoption of biometric security in wallets like Apple Pay and Google Pay. Additionally, SCA may spur a wave of innovation in biometric security tools and mobile payment technology here in Europe as entrepreneurs spot gaps in the market for more secure, more
user-friendly authentication experiences.
Let’s remain optimistic. It’s not the first time Europe pioneers new standards in payments that reconcile security and convenience. Consider how it rolled out EMV standards over a decade ago to make chip and pin more or less ubiquitous on the continent,
while the US is still playing catch-up to this day even. History may repeat itself with SCA. In any case, wherever Europe goes, the world and how it pays will likely follow. Australia and other markets are expected to introduce similar legislation soon.
Ultimately, making the internet economy more secure is important for its long-term growth prospects. As consumer trust increases, so does their amount of spending that is happening online. In that context, while SCA poses a significant challenge for European
ecommerce in the short-term, it could turn out to be a significant milestone on the way to increasing online commerce in Europe, fulfilling the Digital Single Market, and raising the GDP of the internet. The latter happens to be our mission at Stripe, too.