Another Europe-wide online security measure is coming into law on the 14th of September 2019 – Strong Customer Authentication. Here’s how it might affect you.
What is Strong Customer Authentication?
Strong Customer Authentication (SCA) is being introduced to European law as part of the second Payment Services Directive (PSD2). This new legislation is an attempt to reduce online fraud, which costs consumers hundreds of millions of pounds every single year – a number that is quickly on the rise.
From the 14th of September, when SCA actually goes into effect, any websites that take payments online will need additional authentication to process the transaction. If your business or website does not meet these security requirements, then European banks will block the payment from going through.
In order to qualify as having additional security, your website’s authentication process will require two of the following three elements from the customer:
Something they know – passwords, PINs, etc.
Something they have – a phone, tablet, or hardware token
Something they are – fingerprint or facial recognition
Any transaction that asks for at least two of the above identification methods will be deemed secure, allowing the payment to be processed.
When Do I Need Strong Customer Authentication?
SCA won’t be required each and every time money is exchanged on the internet; it only applies to “customer-initiated” transactions. This includes the majority of card payments as well as bank transfers. However, recurring and agreed bills such as direct debits are exempt because they are “merchant-initiated”.
It is also worth noting that these requirements will only have to be met when both the buyer’s (or sender’s) bank and the business’s bank are located in the European Economic Area. If, for example, you are buying from a business in the US but are based in Scotland, then the bank won’t intervene even if the security measures don’t meet SCA standards.
Although hardly anything in relation to Brexit has been finalised, according to the Financial Conduct Authority (FCA), if we do leave the EU it is expected that the SCA regulations will still be enforced in Britain.
How Will Strong Customer Authentication Affect Me?
The first thing to note is that if your website doesn’t process payments or transactions, then this legislation won’t affect you at all. However, this new legislation is going to alter e-commerce in Europe entirely, and you can expect to see a significant, and in some cases crippling, drop in sales/conversions if you do not prepare properly.
Secondly, if payments on your site are processed using Apple Pay or Google Pay, then these platforms are already SCA compliant and are ready to go.
However, if you use PayPal, Stripe, or Sagepay then things are slightly different:
PayPal: If you use PayPal on your site then no major changes will be required. They are already carrying out the required work on their side, and although you might need to make some minor changes in the PayPal panel, you shouldn’t need any changes in terms of website integration.
Sagepay: The majority of Sagepay users should be absolutely fine – they are carrying out the necessary changes on their side without needing any adjustments to website integration. However, anyone using SagePay Direct will need some work to be carried out.
Stripe: Stripe are also making the necessary changes to their platform in order to prepare for the new limitations on payments, but merchants who integrate directly against Stripe’s payment API will require some additional work to ensure everything transitions smoothly.
What Payments Are Exempt?
Certain online transactions won’t require this extra security:
Low-Risk – If the payment provider or bank’s overall fraud rates are below a certain threshold, then SCA may not apply. In cases where the fraud percentage is extremely low, it is theoretically possible to avoid SCA requirements for payments up to €500. However, it would be short-sighted to rely on this.
Low-Value – If the transaction is below €30 then it is considered “low-value”. However, even then, other rules apply that might mean SCA is relevant, so once again it isn’t a good idea to rely on low-value exemptions.
Fixed Subscriptions – In the case of repeat payments through subscriptions, the initial payment and agreement will likely be the only time that SCA standards have to be met.
Merchant-Initiated Payments – As mentioned, SCA only applies to customer-initiated payments. It is likely that variable-payment subscriptions will be exempt from the extra security, although this will likely depend on the bank and how they negotiate SCA. Once again, it is safer not to rely on this and ensure you meet any required standards.
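To make the scope and exemption rules above concrete, here is an added Python example (not code from the article or from Red Media) that encodes them as a decision function, defaulting to the conservative reading the article recommends. The field names and the `provider_low_risk` flag are assumptions, since the article gives no fraud-rate thresholds.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three SCA categories listed in the article."""
    KNOWLEDGE = "something they know"    # password, PIN
    POSSESSION = "something they have"   # phone, tablet, hardware token
    INHERENCE = "something they are"     # fingerprint, facial recognition


def meets_sca(factors):
    """Two factors from two *different* categories; two passwords do not count."""
    return len(set(factors)) >= 2


@dataclass
class Transaction:                       # constructed model, not a real payment schema
    amount_eur: float
    customer_initiated: bool             # False for direct debits and similar
    payer_bank_in_eea: bool
    payee_bank_in_eea: bool
    repeat_fixed_subscription: bool = False  # a later instalment of a fixed subscription
    provider_low_risk: bool = False      # assumed flag: provider fraud rate under threshold


def sca_required(txn, rely_on_exemptions=False):
    """Return (required, reason). Conservative by default, as the article advises."""
    if not (txn.payer_bank_in_eea and txn.payee_bank_in_eea):
        return False, "out of scope: one bank is outside the EEA"
    if not txn.customer_initiated:
        return False, "exempt: merchant-initiated"
    if txn.repeat_fixed_subscription:
        return False, "exempt: only the initial subscription payment needs SCA"
    if rely_on_exemptions:               # the article warns these are not safe to rely on
        if txn.amount_eur < 30:
            return False, "exempt: low-value (other rules may still apply)"
        if txn.provider_low_risk and txn.amount_eur <= 500:
            return False, "exempt: low-risk"
    return True, "SCA required"


def bank_approves(txn, factors, rely_on_exemptions=False):
    """The bank blocks a payment that needs SCA but was not authenticated with it."""
    required, _ = sca_required(txn, rely_on_exemptions)
    return (not required) or meets_sca(factors)
```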
How Can Red Media Help?
Although repercussions for GDPR non-compliance were gradual (and, in many ways, remain to be seen for smaller companies), failure to meet SCA standards will result in immediate financial losses, hurting your bottom line as banks start blocking payments to your business.
Red Media is prepared to make sure that your site is completely ready for the change in legislation, ensuring that you don’t miss out on any sales because of silly mistakes or, even worse, a lack of preparation.
We stay ahead of the game so you don’t have to! Contact us today.