Why businesses should treat the SCA delay as a warning, not a reprieve


31 Oct 2019

Michael Cocoman, head of regulatory, Stripe. Image: Peter Houlihan

Stripe’s Michael Cocoman says businesses must take the chance to prepare for SCA while they have it, or risk losing out.

You would be forgiven for missing the arrival of strong customer authentication (SCA) in Europe on 14 September, as it passed with little disruption to online commerce. Thankfully – and similar in ways to Brexit – a cliff-edge has failed to materialise.

For context, SCA is a new form of two-factor authentication that adds an extra layer of security when making payments online. It requires that most online transactions above €30 are verified by at least two identifying factors – for example, a password combined with a biometric factor such as a fingerprint.

More than a month on from its September implementation date, merchants might be wondering what all the fuss was about. Consumers across Europe have continued to shop online as normal, and the vast majority of merchants are unlikely to have seen any meaningful increase in transaction failure rates or cart abandonment.

For now, merchants and consumers alike can thank the European Banking Authority (EBA) for the relative tranquillity of transacting online, as it recently took the decision to allow national regulators to delay the deadline for enforcement of SCA until 31 December 2020.

Fail to prepare, prepare to fail

A 14-month period to focus on SCA migration is good news for online commerce, especially given the high stakes at play for the European economy. If SCA was implemented today, around €57bn would be taken out of the European economy in the next 12 months, and the most vulnerable SMBs would take the largest hit to their revenues.

As many as three in five businesses with less than 100 employees are still unfamiliar with SCA and many have no plans to be compliant any time soon.

‘If SCA was implemented today, around €57bn would be taken out of the European economy in the next 12 months’

While the EBA has stemmed the immediate risk of an e-commerce crisis in Europe, we must now ensure that all businesses are adequately prepared for what will be one of the most radical changes the European online payments landscape has seen. The EBA’s delay should be seen as a warning, not a reprieve.

To be clear on the impact, once SCA is enforced, banks will simply reject all transactions that aren’t properly authenticated. Merchants who are not SCA-ready will lose legitimate revenue because of their failure to make the necessary changes.

The challenges ahead

One way for online merchants to prepare is to integrate 3D Secure 2 (3DS2 – a user-friendly and SCA-compatible authentication method) and activate it dynamically for transactions that fall under the scope of the new regulation. However, the vast majority of European issuing banks have not yet implemented 3DS2 in their systems and will fall back to using the older 3DS1 standard.

According to industry estimates, 3DS1 – which is not optimised for mobile commerce – leads to a drop in conversion rates of 11pc for businesses, and so 3DS2 should certainly not be the only route merchants take to prepare for SCA.

Another option is to optimise for SCA-ready payment methods such as Apple Pay or Google Pay. This is a good way to maintain high conversion rates while addressing the SCA requirements through biometric verification. But not every customer has a smartphone and not every issuing bank in Ireland offers Apple Pay or Google Pay.

This leaves merchants with a third optimisation route: avail of exemption and decline strategies.

The regulation never intended all transactions to go through SCA and there are a number of exemptions. For example, charges that are under €30 or recurring charges of the same amount.

It’s important to only trigger SCA where it is required but the difficulty for merchants is that not all issuing banks have the same interpretation of the exemptions. Some will take all exemptions into consideration and others will simply ignore them, leaving it to merchants to unpack an elaborate puzzle of inconsistencies and varying approaches.

It will be critical for merchants to monitor declines in real-time and optimise their set-ups accordingly but, because of the large number of issuing banks in Europe, it will be very difficult for merchants to know exactly what will happen to their declined transactions. Large merchants will likely have to staff teams to monitor and react accordingly, with small merchants forced to analyse their data for weeks to find a clear pattern.

Merchants have the most to lose

If you think this all sounds somewhat complex, you’re not alone. It has certainly been a huge challenge for the industry to prepare for SCA. Regulators, card schemes, issuers, merchants – everyone will be impacted by the new regulatory standards.

In the end, merchants may have the most to lose. They will be judged by their customers for the quality of their payments experience. If paying becomes too complicated – or, worse, if payments fail – customers will make their purchase elsewhere and possibly never come back.

Alarmingly, and despite all of the talk about SCA in recent months, too many online businesses still haven’t heard of it, let alone prepared for the threat it represents to their revenues and the continued functioning of their payments stack. This is the most important issue for the industry to focus on solving in the next 14 months. Otherwise, this much-needed delay will have been for nothing.

By Michael Cocoman

Michael Cocoman is Stripe’s head of legal for EMEA and is based in Ireland.

For more information, Stripe has produced an information guide on what internet businesses need know about SCA.