Strong Customer Authentication (SCA) is set to debut on September 14, and there’s a $100 billion problem looming if merchants across Europe do not make the mad dash to keep up. The PSD2-related regulation counts itself among a raft of those set to become law across the continent, focusing on boosting online commerce security by requiring cardholders to provide two forms of identification to verify their identities when transacting.
If India’s experience is any indication, though, rolling out SCA could come with some bumps. That country enforced a similar regulation in 2014, and businesses reported a subsequent overnight conversion drop of more than 25 percent due to the extra payment steps required.
Pair those concerns with the fact that the European eCommerce industry is worth $600 billion a year, a figure that could be significantly affected by SCA noncompliance – and SCA could indicate a wholesale sea change in how transactions are completed, according to Guillaume Princen, head of continental Europe at payments processor Stripe, in a recent interview with PYMNTS. Transactions that do not adhere to the new standard will be rejected outright, he explained, potentially hindering commerce if the process is not made smoother for the merchants, consumers, issuers, banks and other payments ecosystem parties involved.
A September to Remember
SCA’s goals are laudable by any measure, as the requirement seeks to reduce fraud and make online card-not-present (CNP) transactions more secure. At the same time, it also requires 300 million European consumers to confirm their identities each time they purchase online through at least two of the following: inputting personally identifiable information (PII), responding to calls or text alerts on mobile phones, responding to emails sent to submitted addresses or providing biometrics like fingerprints or facial recognition, among other options.
This is no easy task for the millions of merchants of multiple sizes, scopes or verticals operating across the continent, and grappling with SCA will mean updating numerous eCommerce processes and technologies.
Stripe announced this week that it had launched several products for European companies, Princen noted. The offerings include its Payments Intent API, which aids firms in designing SCA-ready payment forms and accepting mobile wallet payments, a pre-built checkout page through which merchants can integrate with just a few lines of codes and a suite of billing tools geared toward subscription commerce. The company also acquired Dublin-based Touchtech Payments, which provides SCA-ready authentication technology for Europe-based FinTechs and challenger banks.
Connecting challenger banks and FinTechs to merchants may be in the offing – and a longer-term trend on the horizon – but Stripe is focused on an immediate roadmap to accelerate SCA compliance and simplify its processes for merchants.
“Merchants have been sleepwalking into SCA,” Princen explained. “There are big problems, [and] among them is actual awareness. Only very few merchants are actually aware of SCA.”
Data from Mastercard shows that just 25 percent of those in Europe are actually fully aware of SCA and what they need to do to prepare for it, he added. Larger merchants appear to be better prepared than the roughly 800,000 smaller ones operating across the continent. Awareness is twice as high among those with at least 500 transactions per month than for firms transacting below that threshold.
Stripe is essentially building an autopilot compliance product for small and medium-sized businesses (SMBs) as well as larger firms, Princen noted, something that would greatly affect operations as the SCA regulation takes effect.
“One thing to understand about SCA is that this is a very decentralized process with room for interpretation by countries, banks … and the merchant has to piece everything back together to serve its own customer,” he said. “We are trying to do that for them.”
Stripe’s SCA-related product updates will occur automatically, “white-listing” consumers who repeatedly transact through recognized devices and whose transactions have a demonstrated history of being low-risk. Its offerings utilize an “exemption engine” to help decide whether exemptions should exist, Princen explained, or whether no exemption is warranted, thus steering the transaction through SCA flows.
Exemptions can be requested by merchants that show evidence of low fraud rates, he noted. Those under €30 ($33.93 USD) are exempt, for example, as are merchants with fraud rates between one and six basis points for remote, card-based payments. Stripe’s updates ensure that only the “riskiest transactions” actually see a dose of friction.
Europe isn’t the only region seeing new regulations roll out as online commerce gains ground and automating security efforts becomes paramount. Other countries like Australia and Mexico may also see stronger authentication protocols in the coming months and years.
“The mission is to increase the [eCommerce-related] GDP of the internet,” Princen said.