SCA: What the new European PSD2 law means for subscription businesses
In September 2019, Strong Customer Authentication (SCA), a new regulation for authenticating online payments, will be rolled out across Europe, as part of the Second Payment Services Directive (PDS2).
One of the key aims of SCA is to reduce the incidence of payer fraud and increase security, by introducing two-factor authentication on electronic payments.
What kind of transactions are affected?
The regulation comes into force on 14 September 2019, and will affect any businesses offering online access to payment accounts in Europe, or taking electronic payments, where the payment is initiated by the payer.
SCA does not currently apply to GoCardless’ Direct Debit payments service. That’s because payments through GoCardless are initiated by the payee and payment mandates are set up without the payer directly interacting with their bank.
So, what transactions are affected by SCA?
The main type of transactions that will be impacted are card payments made over the internet. As of next year, all single electronic payment transactions will need to be authenticated by at least two of the three following methods:
- Knowledge: something only the user knows, such as a password.
- Possession: something only the user possesses, such as a token or mobile phone.
- Inherence: something the user is, such as a biometric element (e.g. fingerprint recognition).
According to Mastercard research, just 1-2% of UK online transactions require cardholder authentication to ensure completion (most likely using a password), but this is set to rise to up to 25% from this autumn.
SCA will also apply to some contactless transactions, as a periodic check to ensure the card is being used by its rightful owner. In-store chip and PIN transactions are already compliant.
Where do subscription businesses stand?
For subscription businesses taking recurring payments by card, SCA will apply at least to the initial setup of the Continuous Payment Authority for the recurring card transaction.
Ahmed Badr, GoCardless General Counsel, explains: “Come September, subscription businesses taking card payments will find that new customers must go through additional SCA authentication steps in order to complete the first payment. There is some debate as to whether SCA will apply every time the card is then charged – current guidance from the UK Financial Conduct Authority suggests it won’t, although it remains to be seen how other EU regulators approach this.”
In most cases it will be the payer’s bank that facilitates the authentication, with the payer’s payment service provider facilitating the additional steps in the payment journey. Though where this is not the case, payment service providers affected by the regulation (e.g. card providers) will be expected to provide the authentication mechanisms themselves.
The impact on business
Any initiative to tackle the serious problem of fraud should be welcomed, especially since the e-commerce revolution shows no signs of slowing down.
Almost five million people in the UK had money stolen from their bank or credit card account last year, according to Compare the Market. Around £2 billion was taken from about one in ten people in the UK, with online payments being the weakest link – over a quarter of frauds took place online last year.
But the impact of SCA is likely to be felt more widely than in fraud incidence numbers. It could also impact costs and conversion for businesses, says Duncan Barrigan, GoCardless’ VP, Product.
“We’re yet to see the full impact of SCA, but the implications are potentially significant. Businesses are likely to see fewer customer chargebacks, and therefore potentially a reduction in operating costs.”
“Though they could see cost increases elsewhere,” he adds. “For example, if we see a liability shift, where the payer’s service provider is liable for fraud and chargeback costs, we could feasibly see increased fees as a result.”
Balancing risk and conversion
While the implications on operating costs are not yet clear, many businesses are concerned that SCA could be a conversion killer.
Additional payment authentication can introduce friction to customers’ online journeys by requiring additional steps in the payment process.
“For businesses taking payments online, there is a continual balancing act between risk and conversion,” says Duncan. “At the extremes, you could have the most friction-free offering out there; this would be completely open but also vulnerable to fraudsters. Or you could create the most secure service in the world. Ultimately, however, the barrier to entry would be so high that no one would want to use it. It’s important to find the right balance for each business.”
What SCA means for GoCardless
As we mention above, SCA doesn’t apply to GoCardless’ Direct Debit payments service, but we continue to take security and fraud prevention seriously. GoCardless’ Risk and Product teams are committed to getting the balance between conversion and security right for our customers.
“We believe that technology and data can make it possible to improve the trade-offs merchants face between risk and conversion,” says Duncan. “At GoCardless, we’re working on a payment experience that will enable our customers to benefit from these advances whilst being able to adjust their risk appetite, to suit their business needs.
“Finding a way to reduce risk intelligently with the smallest possible negative impact on conversion rates is the best pay off for everyone involved.”
Fore more information on SCA, see our FAQs.