Digital businesses across the European Economic Area (EEA) and the European Union (EU) are probably already aware of the new regulations coming into place around online checkout.
Effective as of September 14, 2019, under the Revised Payment Services Directive (PSD2), the new regulations require online payment providers in the EEA and EU to implement Strong Customer Authentication (SCA) during the online checkout process. Applicable to most online payments of €30 and above, SCA is an additional layer in the online checkout flow, requiring a two-factor authentication process on the part of the payee to finalize payment.
Designed to reduce fraud, make online payments more secure and ensure the European payments market is more integrated and efficient, the regulations have emerged in response to a rising API economy that enables platforms, apps and systems to share data with each other, combined with new innovations in the digital payment market and increased fraudulent activity. The downside, though, is that a two-factor authentication process creates additional friction in the checkout flow, which has many companies concerned because of its potential to negatively affect conversion rates.
To help you keep up with the new demands and understand SCA better, Piano is working on a number of solutions that will be released before the end of the year, focused on creating more checkout options that reduce friction while maintaining regulation standards.
In the meantime, we’ve answered six common questions regarding this new regulation and the solutions and tools digital businesses can pull from to meet the new needs that are arising.
1. What is Strong Customer Authentication?
As of September 14, throughout the EEA and EU, all payer-initiated online payments for goods and services €30 and above potentially require two steps before a credit or debit card payment is authorized.
These steps are called Strong Customer Authentication (SCA), defined by the European Banking Authority as “an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is). These must be independent from one another, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.”
After the new regulations go into place, if the payer cannot provide these two forms of authentication, banks will gradually begin to decline payments. As a result, all online payment providers will need to activate checkout flows that support two-factor authentication to meet the regulation standards.
2. When does this regulation take effect and which regions does it apply to?
Effective September 14, under PSD2, Strong Customer Authentication is required for all payer-initiated transactions when both the card payer and payee are within the EEA, except within the UK, which has 18 more months before SCA activation is required. Other select regions across Europe have similar deferments in place.
For payments online with a card, SCA will apply to transactions where the business and cardholder’s bank are in the EEA, as well as to any “customer-initiated” online payments within Europe. Therefore, most card payments and all bank transfers will require SCA.
3. What will be required from the customer paying online?
Customers will pay as usual online. However, when they hit a checkout flow, they will be required to provide at least two forms of authentication before the payment is approved and finalized.
Currently, the most common way of authenticating an online card payment is through 3D Secure, which typically requires a one-time code sent to a phone, or a fingerprint authentication through a mobile banking app. The newest version, 3D Secure 2, will be the main method for authenticating payments online. It will require at least two steps of authentication.
If a customer uses Apple Pay or Google Pay, the two-step authentication is already built in via biometric or password authentication. Adding Apple Pay or Google Pay to the checkout flow is an excellent option to maintain low friction throughout the payment process.
4. Will this affect all online payment types?
This will affect most online payment types paid through a credit or debit card.
There are some exceptions to the Strong Customer Authentication regulations. Some payment providers can request these exemptions during the checkout flow and the cardholder’s bank will assess the viability of the exemption. Exemptions include:
Fixed-amount subscriptions, defined as payments to the same business, of the same amount on a particular set cadence. SCA will be implemented for the first payment and the following payments in the agreement will be exempt.
Merchant-initiated transactions, including variable subscriptions. For example, when payments are made with a saved card but the customer is not present during checkout. In this case, authentication would happen when the card information is saved or upon first payment, and will require a customer agreement or contract that details the charges.
“Low amount” transactions, defined as payments below €30. If the exemption has been used five times and the total of the previous exempt payments is over €100, banks will need to request authentication.
Corporate payments, defined as expenses incurred by an employee for a business, such as the use of a corporate card for travel expenses.
Phone sales, defined as payments processed with card details collected over the phone.
Trusted beneficiaries, defined as businesses the customer has identified that they trust and have granted the ability to avoid having to authenticate any purchase in the future.
5. As a Piano client, how would I ensure I'm compliant with the new regulations? How would I activate Strong Customer Authentication in my payment checkout flows?
You should set up a quick 20 minute call with your Account Manager, who will walk you through the process of toggling on the appropriate settings, based on the payment providers you use. Each payment provider has its own API to determine if a given transaction requires SCA (based on the merchant and browser locations), so it is not up to Piano to selectively display it.
The SCA purchase flow will be triggered automatically for the appropriate transactions.
6. What’s next? Is there anything else I need to know?
At first, expect that there may be additional friction when Strong Customer Authentication is put into effect, especially at the beginning when users are getting used to the process. This may potentially affect conversion rates. Long term, though, the regulations open up the potential to reduce friction, as device validation and biometric authentication become more common — making it easier to log in with a simple fingerprint, face scan or device tap.