Deep Dive: Retailers Prepare To Face SCA’s Downsides


Stronger authentication is an obvious, albeit costly, defense against the growing number of online banking fraud attempts. European merchants will be forced to comply with Strong Customer Authentication (SCA) come September, and they may face a significant loss in revenue and customers along with the expenses involved with implementing new infrastructures and protections.

Some estimates place the potential loss in economic activity post-SCA at approximately $64 billion, a figure that includes losses incurred by merchants that will have to innovate their online payment processes. This is just one of many issues that will cause financial trouble for smaller businesses as larger online players, like Amazon, have more resources from which to draw. SCA poses an especially difficult challenge because many SMBs do not know about the deadline. One in three SMBs are either either completely unaware of the deadline or unsure that they will meet it with complete compliance.

Small businesses are not alone, however. Only 40 percent of businesses that are aware of SCA feel prepared to face the regulation, and some studies believe this group may be underestimating the regulation’s cost and reach. Half of the businesses that are aware of SCA plan to manage compliance and regulation exemptions themselves. SCA exemptions are still being decided upon, meaning these merchants may find themselves struggling after the deadline hits.

The size and scope of SCA puts a good deal of pressure on merchants. Not only do they need to ensure that customers are properly authenticated in compliance with SCA, but they also need to ensure that their compliant authentication methods do not drive customers away. This high-stakes balancing act may be why many merchants are requesting a deadline extension. Retailers and other merchants are working with their payment service providers (PSPs) to determine exemptions and how best to retain their customer experiences. Businesses that fall into certain exemptions will be able to use their PSPs to bypass two-factor authentication (2FA), allowing them to keep their current online experiences and thus avoid frictions.

SCA and its impact on customer experiences

Extensions do not affect the inevitability of compliance. Merchants that are able to avoid the deadline will still need to account for immediate changes to online payments. One of the more concerning shifts is how SCA will cap how much money customers can send before they are asked for further authentication.

Online transactions over €30 will be subject to 2FA come September, requiring customers to provide something they know, such as a password, along with something physical, like a fingerprint. This will also require many merchants to restructure how they approach online ordering.

Larger retailers will also need to change how they approach one-click ordering — an Amazon staple that may not be compliant. Customers who are used to making purchases with a single click may have to authenticate themselves every time, introducing an irremovable layer of friction. There are obvious security benefits to such procedures, but it could cause customers to abandon sites altogether.

Amazon may be required to send one-click customers authentication codes or similar verification requests to remain compliant with the €30 rule. The company is currently preparing for the deadline, though it is still unclear how it plans to augment one-click ordering for SCA.

Smaller merchants will also have to revamp their platforms to meet these authentication requirements, and businesses of all sizes will need to brace themselves for negative customer reactions over added frictions. Authenticating identities using online codes sent to separate devices may be more complex than some consumers can handle or have the patience for.

SCA extensions and the future of authentication

European businesses are starting to discuss the potential cons of stricter authentication, and their concerns reached the ears of the European Banking Authority (EBA), which responded by granting extensions on a selective basis.

Merchants are also considering new partnerships and integrations to better manage compliance, with many relying on Mastercard’s and Visa’s card networks for their authentication needs. These networks utilize 3DS, the latest version of which — 3DS2 — is SCA-compliant. Consumers are also familiar with 3DS, albeit under branded names like Mastercard SecureCode or Verified by Visa. Awareness is the biggest barrier to 3DS adoption as only one out of every four online businesses are aware of the protocol, which may put those merchants in jeopardy.

A recent survey of 500 EU merchants found that only half expect to be compliant by September, which is not getting any further away. SCA’s requirements are not going to become any less challenging, either. How European merchants respond to the difficulties and complexities of the looming SCA deadline will determine their success in the post-PSD2 world. Extensions or otherwise, the clock is ticking.