Are You Ready for Strong Customer Authentication?

For those immersed in PSD2 preparations, it may feel like the regulation is the perpetual focus of any conversation. But as we rush toward the September deadline, it has become painfully clear that not everyone is aware of what the upcoming regulatory requirements are, or what’s at stake if they are not met.
A study commissioned by Stripe and carried out by 451 Research found two alarming statistics:

  • Less than 50 percent of businesses anticipate being compliant with PSD2 before September. This puts Europe’s online economy at risk of losing €57 billion when the regulation’s strong customer authentication (SCA) requirement goes into effect.
  • Of businesses with under 100 employees, three in five are either unfamiliar with SCA, won’t be compliant before the September deadline, or are unsure when they will be ready.

A surprising number of online retailers aren’t prepared for PSD2 — and that’s especially the case when it comes to small businesses.

What are strong customer authentication (SCA) requirements?

PSD2 regulations will affect eCommerce businesses that are operating in the European Economic Area (EEA). One of the major requirements when PSD2 goes into effect on September 14, 2019 is for merchants to build more stringent SCA protocols into checkout flows for online transactions originating in Europe.
SCA requires authentication to use at least two of the following three elements:

  • Something the customer knows (e.g. password or PIN)
  • Something the customer has (e.g. phone or hardware token)
  • Something the customer is (e.g. fingerprint or face recognition)

SCA guidelines are designed to require more data in order to authenticate identities and protect customers. When implemented well, they won’t automatically lead to greater friction. In fact, compliance can actually create a better experience for customers.
These guidelines only apply to “customer-initiated” payments, whereas “merchant-initiated” payments, such as recurring direct debits, won’t require strong authentication. Additionally, merchants can apply for a variety of SCA exemptions. Transactions under €30 ($33.93 USD) are for the most part exempt, and if a payment service provider (PSP) has an aggregate fraud rate below a certain threshold, merchants using that PSP can apply for an exemption.
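The two-of-three rule and the exemptions described above can be expressed as a short decision check. This is an added example, not code from the original article or from any payment provider. The method names, the `Payment` record and the `psp_exemption_granted` flag are assumptions, and treating every payment under €30 as exempt simplifies the text's "for the most part".

```python
from dataclasses import dataclass
from decimal import Decimal

# Element categories from the list above; the method names are constructed.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "phone": "possession", "hardware_token": "possession",
    "fingerprint": "inherence", "face_recognition": "inherence",
}
LOW_VALUE_LIMIT_EUR = Decimal("30")  # "transactions under EUR 30" in the text


@dataclass
class Payment:  # hypothetical record, not a real PSP schema
    amount_eur: Decimal
    customer_initiated: bool
    psp_exemption_granted: bool = False  # assumption: PSP fraud-rate exemption applies


def sca_required(p: Payment) -> bool:
    """Apply the exemptions the article names, in order."""
    if not p.customer_initiated:          # merchant-initiated, e.g. recurring debit
        return False
    if p.amount_eur < LOW_VALUE_LIMIT_EUR:  # simplified low-value exemption
        return False
    return not p.psp_exemption_granted


def satisfies_sca(methods) -> bool:
    """True only if the methods span at least two different categories."""
    unknown = [m for m in methods if m not in CATEGORY]
    if unknown:
        raise ValueError(f"unclassified method(s): {unknown}")
    return len({CATEGORY[m] for m in methods}) >= 2


def decide(p: Payment, methods) -> str:
    if not sca_required(p):
        return "exempt"
    return "authenticated" if satisfies_sca(methods) else "step_up_required"


if __name__ == "__main__":
    order = Payment(Decimal("120.00"), customer_initiated=True)  # constructed sample
    print(decide(order, ["password", "pin"]))    # two knowledge elements
    print(decide(order, ["password", "phone"]))  # knowledge + possession
```

A password plus a PIN counts as two methods but only one category, so the check asks for a step-up rather than accepting it.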

The effect of SCA on transactions

Although it’s hard to know exactly what will happen when PSD2 goes into effect this September, merchants will probably start seeing declines on European-based transactions if they are not SCA compliant. This may not affect merchants where the majority of transactions fall under the €30 ($33.93 USD) exemption threshold. But retailers with higher-value transactions are sure to face more scrutiny.
Another issue merchants may face is with mobile transactions. Mobile users are more likely to be bounced from the checkout process with the introduction of additional friction. What once might have been a quick impulse buy becomes a chore when a consumer is on their mobile device and asked to log into their bank account to finish the transaction.

Preparing for SCA compliance

As we head toward September’s PSD2 deadline, merchants need to make sure they’re on track to adopt SCA and other PSD2 requirements. More payment service providers (PSPs) and card issuers are ahead of the game, but merchants can’t just assume that if their PSP is compliant, they will be as well.
The answer to meeting SCA requirements without increasing friction for consumers is in the data. 3D Secure 2.0 will be the main method for authenticating card payments and helping merchants adhere to SCA guidelines. The increased data transmitted through 3D Secure 2.0 will let merchants make more confident fraud decisions while also reducing the friction for good customers.
After all, when it comes to customer experience, merchants are ultimately going to be the main touch point for consumers. If they’re not prepared to offer a frictionless SCA experience, they could be putting their reputations — and their bottom lines — at risk.
Want to learn more? Our Vice President of EMEA, Spencer McLain, was recently featured on PYMNTS’s blog talking about how strong customer authentication (SCA) mandates are reshaping the relationship between companies and their end customers — and how the eCommerce landscape is likely to change as a result. Read the article here.
If you’re in Europe and are interested in connecting with our team, please reach out to our Amsterdam office at +31 20 240 34 50 and
