By Joan Goodchild, Card Not Present Staff
The looming enforcement of Strong Customer Authentication (SCA) has some businesses that rely on recurring payments concerned that the added security measure may lead to problems with processing these kinds of transactions.
SCA, an effort to move beyond passwords for online payment authentication, was introduced in Europe in September as part of the Second Payment Services Directive (PSD2). The requirements will be enforced over an 18-month phase-in period and are expected to be fully enforced by December 2020.
The mission of SCA is to reduce the incidence of payer fraud by introducing two-factor authentication on electronic payments. It will affect any applicable transaction for businesses whose payment service provider is located within the European Economic Area (EEA) and whose customer's bank or card provider is also located within the EEA. If only one of those parties is located within the EEA, the requirement is for them to use “best efforts” to apply SCA.
Many businesses, including both merchants and payment providers that assist with processing transactions, are concerned that the extra security measures will increase friction at checkout, leading to an even steeper drop-off in conversion. For the growing number of businesses implementing a subscription model, the unknowns are concerning.
“SCA will definitely have material impact on recurring credit card payments, and businesses will need to be prepared for it if/when the financial authority of the country in which they are domiciled starts enforcing SCA,” said Ethan Teng, head of growth with Recurly, a subscription management platform vendor.
Friction is never a good thing
Merchants that could be impacted are looking into ways to head off any damage before enforcement goes into effect.
“Definitely a concern—anytime you introduce friction into the payment flow you are likely to increase your abandonment rate,” said William Kelly, director of Global Payments at Constant Contact, an email marketing software and services provider.
Kelly noted Constant Contact is working with its payment processor to maximize the number of SCA exemptions that the merchant can qualify for, such as low-risk, low-value, recurring and whitelisting. They are also implementing a third-party fraud tool to keep fraud rates low and qualify for the low-risk exemption. They currently use 3DS 1.0 for two-factor authentication on a limited basis, said Kelly, but will be upgrading to 3DS 2.0.
“We do think the EU market is more open to two-factor authentication, but really have no way to assess it until we have some actual experience,” said Kelly. “Once enacted, we will monitor our abandonment rate closely. If we see a significant increase due to authentication challenges, we will likely look at additional retention efforts such as contacting customers directly who have abandoned their cart.”
What to do to prepare for SCA
Teng said businesses should contact their payment providers—credit card gateways, acquirers, subscription management partners, etc.—to understand what is needed to be prepared for SCA and comply according to the timeline for enforcement.
“Businesses will need to incorporate SCA as part of the checkout flow,” said Teng. “And, for recurring payments, mark those transactions as ‘merchant initiated’ or ‘recurring.’ The technical integration requirements for how to do this vary by provider. The consequences of not doing so are that the card issuing banks will likely decline transactions that have not been properly SCA'ed or marked as merchant initiated or recurring.”
Kelly said while Constant Contact is working diligently to prepare, it is difficult to know the true impact of the rule until it goes into effect.
“The EU sells this as a benefit to merchants due to lower fraud and higher approval rates,” he said. “I think this will vary by issuer. We may get some benefit with the larger, more sophisticated banks, but I am concerned that any lift we get in approval rate will not offset the added friction.”