Security vs. convenience in payments: Insights into SCA from Merchant Risk Council London
Merchant Risk Council events are some of the best places to discuss the challenges and opportunities facing the payments sector, from open banking and borderless payments to blockchain and virtual marketplaces.
The same issue at the top of every agenda
One topic that dominated this month's Merchant Risk Council London was Strong Customer Authentication (SCA), part of the PSD2 regulations. SCA is the new regulation for authenticating online payments, and will be rolled out across the European Economic Area (EEA) on the 14 September.
SCA has been put in place to increase security for payers and reduce payer fraud as well.
- Knowledge: Something only the user knows, such as a password
- Possession: Something only the user possesses, such as a token or a mobile phone
- Inherence: Something the user is, such as a biometric (eg. Fingerprint, Face ID)
We talked about SCA with players from across the payments landscape, both at the event itself and at a roundtable dinner we hosted on the topic.
This article looks at three key topics that emerged from those discussions.
1. The regulatory context
It’s hard to dispute the core aims of SCA - reducing fraud and making online payments more secure. Everyone we met was in favour of taking a principle-based approach to achieving these goals and was excited by the potential for innovation that this allows.
However, there was widespread frustration at the lack of consistency in the depth and granularity of the regulation, which some attributed to the pressure that regulators face from well-funded interest groups. In turn, this could lead to an inconsistency of implementation.
2. A readiness divide
The 14 September deadline is fast approaching and few - if any - of the online businesses we spoke to felt ready for the change. While C-suite executives seem to have recognised the size of the potential impact that SCA could have on conversion, there is a broad lack of clarity about what issuers and PSPs could (and should) be doing to mitigate this.
Businesses are also divided on their readiness to communicate to their customers. While some are actively communicating, others worry that reaching out proactively will spook their users into churning.
Many businesses are still waiting to take action on SCA and the communication approaches of those that are taking action differ widely. The reason for these differences stems from the very real worry that making the necessary changes could lead to a significant drop in conversion.
3. The customer’s point of view
As mentioned above, the point of SCA is to reduce fraud and make online payments more secure. The question is whether payers really value this over the convenience of existing checkout flows.
While we know that customers want convenience and a lack of friction, and regardless of the intentions of SCA, the new regulations add an extra barrier to successfully completing a transaction. Nobody knows for certain that customers want, or would even tolerate, more security measures than are already in place.
In a recent GoCardless survey of 1,000 payers, 45% of those asked would be ‘frustrated’ by a more secure but more lengthy checkout process when buying from their favourite brand, while an additional 23% would go as far as shopping with them less often because of it.
A common point of reference for businesses is a similar legislation rolled out in India in 2014. Local businesses reported an overnight drop in conversion of 25%. Companies affected by SCA are understandably keen to avoid a similar scenario.
The ongoing SCA conversation
With SCA likely to remain on the agenda for the foreseeable future, the best course of action is to keep the industry-wide discussion flowing, especially as more businesses begin to take note and begin developing appropriate strategies.
GoCardless will be attending Money 20/20 Europe in Amsterdam on the 3-5 June. If you’d like to talk to us more about SCA and the wider payments landscape, you’ll find us at booth K103 in Hall 1.