Europe's SCA spells radical shake-up to online payments
New EU regulation will make or break internet businesses.
The biggest revamp to European ecommerce in a decade is right around the corner, yet recent estimates alarmingly suggest that only a quarter of European merchants are aware of the upcoming changes.
In September this year, Strong Customer Authentication (SCA) will be enforced in Europe. It will have far-reaching ramifications for how businesses accept payments online by introducing an extra layer of authentication at the digital checkout. Similar to the impact that GDPR had on how organisations handle personal data, SCA will have an unforetold impact on how businesses handle online payments. SCA mandates that all online transactions above €30 will need to be doubly verified using something the customer knows (a PIN or password), something they have (such as a smartphone), and something they are (biometric facial features or a fingerprint). In other words, plugging in a card number and address will no longer be enough to complete even the simplest of payments, such as booking a train ticket or buying new clothes online.
The fight against fraud
Commerce is shifting online, and with it comes fraud. In fact, the European Central Bank now estimates around €1.3 billion in online fraud on European cards each year. The upcoming regulation has been designed with the objective of minimizing online fraud and protecting the millions of European consumers who buy online every day. We welcome any attempt to thwart bad actors and minimize online fraud; in fact, Stripe prevents more than €3.5 billion of fraud attempts globally per year.
Hundreds of billions of euros are at stake
SCA could have major unintended consequences, seriously impacting online businesses and their bottom line. Careful planning is essential to become compliant (non-compliant transactions will simply be declined by the cardholder’s bank) and to minimize the impact on conversion. When a similar regulation was introduced in India in 2014, some businesses reported an overnight conversion drop of over 25%. If the same were to occur in Europe’s €600 billion online economy, the continent would be facing a potential economic loss of €150 billion.
However, there’s a silver lining to the SCA clouds. The stricter rules will mean that streamlined checkout experiences and careful SCA exemption management will become a major competitive advantage for internet businesses that execute the change well. SCA may also contribute to the greater adoption of biometric security in wallets (Apple Pay and Google Pay) and encourage a wave of innovation and investment in mobile payment technology here in Europe.
A race against the clock to become compliant
As with GDPR, national regulators, card networks and issuing banks all interpret the overarching EU regulation differently. There are also some key exemptions for when SCA is not required. Despite the complexity, there are some overarching principles to consider.
Firstly, the checkout experience should be aligned with the most appropriate payment method. From regional non-card payment methods, to 3D Secure 2, to biometric-enabled mobile wallets, there are several ways that businesses can let customers authenticate themselves. Different payment methods will be more suitable for certain business models, and customer preferences will vary depending on geography and their relationship to the business.
Secondly, businesses should apply SCA-compliant payment flows only when they’re needed, as the new rules will not apply to every online transaction. There are exemptions for recurring payments and purchases under €30, so consider the situations when you do not need to send a customer a stepped-up authentication request. Customers can also whitelist businesses with their issuing bank, removing the need for SCA. That being said, granting exemptions ultimately depends on the customer’s bank. This means that for businesses operating in multiple European markets, managing exemptions themselves would mean working directly with local banks (there are 6,000 of them in Europe) to understand exactly how to trigger them.
Ultimately, businesses must decide whether they want to become SCA experts or find a strategic partner to help them overcome the complex challenges resulting from the regulation.
Europe is pioneering new payment standards, will the world follow?
While there is concern about the short-term impact, there are reasons to be optimistic about the long-term prospects of ecommerce in Europe. Europe has long been a pioneer in ecommerce innovation (consider the roll-out of EMV standards over a decade ago, while the US is still playing catch-up even today) and SCA may be another example of the world following in Europe’s footsteps.
More broadly, making the internet economy more secure is essential for its long-term growth. As consumer trust increases, so does online spending. While SCA poses a major challenge for European ecommerce in the short term, it could turn out to be a significant milestone on the way to increasing online commerce in Europe and raising the GDP of the internet.