SCA: What the new European PSD2 law means for subscription businesses
Last editedJan 2020 3 min read
What is SCA regulation?
For the most up-to-date analysis and guide to SCA, view The complete guide to SCA for businesses
In September 2019, Strong Customer Authentication (SCA), a new regulation for authenticating online payments, will be rolled out across Europe, as part of the Second Payment Services Directive (PDS2).
One of the key aims of SCA is to reduce the incidence of payer fraud and increase security, by introducing two-factor authentication on electronic payments.
Learn more about how SCA works.
What kind of transactions are affected by SCA?
SCA comes into force on 14 September 2019, and will affect any applicable transaction for businesses whose payment service provider is located within the European Economic Area (EEA) and whose customer's bank or card provider is also located within the EEA. If only one of those parties is located within the EEA, the requirement is for them to still use 'best efforts' to apply SCA.
(Note: On 13 August 2019 the Financial Conduct Authority (FCA) confirmed that enforcement of SCA in the UK will include a phased 18-month implementation, starting on 14 September 2019 and ending March 2021.)
SCA does not apply to GoCardless’ Direct Debit payments service. GoCardless is fully PSD2 compliant, and SCA does not apply to payments made through GoCardless as it uses 'paperless' Direct Debit mandates, which are out of scope of SCA.
So, what transactions are affected by SCA?
The main type of transactions that will be impacted are card payments made over the internet. As of next year, all single electronic payment transactions will need to be authenticated by at least two of the three following methods:
Knowledge: something only the user knows, such as a password.
Possession: something only the user possesses, such as a token or mobile phone.
Inherence: something the user is, such as a biometric element (e.g. fingerprint recognition).
According to Mastercard research, just 1-2% of UK online transactions require cardholder authentication to ensure completion (most likely using a password), but this is set to rise to up to 25% from this autumn.
SCA will also apply to some contactless transactions, as a periodic check to ensure the card is being used by its rightful owner. In-store chip and PIN transactions are already compliant.
Exemptions to SCA
Several exemptions and out of scope transactions exist under SCA. These have the potential to benefit businesses with recurring revenue. Notable exemptions or out of scope transactions include:
Merchant-initiated transactions
Fixed recurring transactions and subscriptions
Transactions below €30
Trusted beneficiaries (whitelisting)
Corporate payments
Low risk transactions
For more information, see our detailed list of all key SCA exemptions.
Where do subscription businesses stand?
For subscription businesses taking recurring payments by card, SCA will apply at least to the initial setup of the Continuous Payment Authority for the recurring card transaction. For recurring payments of the same amount, SCA will not need to be applied again. If this amount changes, SCA will typically need to be applied again, unless the payment is initiated by the merchant and the amount being charged is within reasonable expectations of the customer.
In most cases it will be the payer’s bank that facilitates the authentication, with the payer’s payment service provider facilitating the additional steps in the payment journey. Though where this is not the case, payment service providers affected by the regulation (e.g. card providers) will be expected to provide the authentication mechanisms themselves.
The impact on business
Any initiative to tackle the serious problem of fraud should be welcomed, especially since the e-commerce revolution shows no signs of slowing down.
Almost five million people in the UK had money stolen from their bank or credit card account last year, according to Compare the Market. Around £2 billion was taken from about one in ten people in the UK, with online payments being the weakest link – over a quarter of frauds took place online last year.
But the impact of SCA is likely to be felt more widely than in fraud incidence numbers. It could also impact costs and conversion for businesses, says Duncan Barrigan, GoCardless’ VP, Product.
“We’re yet to see the full impact of SCA, but the implications are potentially significant. Businesses are likely to see fewer customer chargebacks, and therefore potentially a reduction in operating costs.”
“Though they could see cost increases elsewhere,” he adds. “For example, if we see a liability shift, where the payer’s service provider is liable for fraud and chargeback costs, we could feasibly see increased fees as a result.”
Balancing risk and conversion
While the implications on operating costs are not yet clear, many businesses are concerned that SCA could be a conversion killer.
Additional payment authentication can introduce friction to customers’ online journeys by requiring additional steps in the payment process.
“For businesses taking payments online, there is a continual balancing act between risk and conversion,” says Duncan. “At the extremes, you could have the most friction-free offering out there; this would be completely open but also vulnerable to fraudsters. Or you could create the most secure service in the world. Ultimately, however, the barrier to entry would be so high that no one would want to use it. It’s important to find the right balance for each business.”
Learn more about how your customers will react to additional security measures.
What SCA means for GoCardless
As we mention above, SCA doesn’t apply to GoCardless’ Direct Debit payments service, and GoCardless is fully PSD2 compliant. We continue to take security and fraud prevention seriously, and GoCardless’ Risk and Product teams are committed to getting the balance between conversion and security right for our customers.
“We believe that technology and data can make it possible to improve the trade-offs merchants face between risk and conversion,” says Duncan. “At GoCardless, we’re working on a payment experience that will enable our customers to benefit from these advances whilst being able to adjust their risk appetite, to suit their business needs.
“Finding a way to reduce risk intelligently with the smallest possible negative impact on conversion rates is the best pay off for everyone involved.”
Fore more information on SCA, see our FAQs.