Payments are changing in the EU.

The same way the EU changed everything in 2018 with the infamous GDPR, a new regulation going into affect this September that will also be massively important for online businesses. Not caught up to speed? No worries. We'll break it down.

Meet "Strong Consumer Authentication" (SCA)

Back in December of 2015, the European Union published the Second Payment Services Directive (or PSD2 for short). This new directive follows the first iteration, published back in 2009. PSD2 started having an effect on companies back in January 2018, but for business owners, it didn't mean much of a change right away (unless you're a bank, that is.)

However, starting on September 14th, 2019, some new rules are going to come into play that will affect how online stores are allowed to process payment data. SCA is designed to mitigate fraud in the online space by requiring payment processors to do some extra safety checks when checking out a customer. This means that users will need more than just their credit card number, a security code, and their expiration to get their pizza delivery.

AMEX business credit card

There are three ways to safely authenticate a user that have been adopted as the industry standards. The SCA requires the user to verify their identity using at least two of these three methods before payment is allowed to be completed:

  • Using something the user KNOWS. This could be something like a password, PIN, or security question.
  • Using something the user HAS. Like a mobile phone, smartwatch, or 2FA device (like YubiKey)
  • Using something the user IS. Usually refers to biometrics like a fingerprint or facial recognition verification

It is the responsibility of the payment processors to support SCA, but it ultimately falls on you, the site owner, to ensure your payment flows have been updated to support this new requirement. But why is that?

What happens if I don't support SCA on my store?

The same thing that happens when users supply invalid payment info currently. Starting on the September 14th deadline, banks covered by PSD2 will begin to reject payments that fail SCA verification. This means that if your site isn't up to date, your users can't pay or finish their checkout.

Why? Think of it this way: When you checkout a user without SCA, your site is currently speaking one language. The customer's bank tells your site it needs to do something, but it's in another language that your site can't understand. The payment won't be able to finish, and it'll just fail. You risk your customer leaving, thinking your business just has a broken site. The work that needs to be done to get your site to support this new regulation is making sure your site understands the instructions the bank is going to start telling it come September.

How do I support SCA?

The general industry consensus is 3D Secure 2, the new version of the already widely used protocol. This implementation will add a step directly after payment entry where the user will be prompted to complete a security step, enforced by their bank or card issuer. You'll need to check with your payment processor to see the exact steps that are necessary to ensure you're ready. (Keep reading if you need help with that!)

Are all payments required to use SCA?

Not all. There are some exemptions that users may not need to do the extra verification step for, but this varies based on how each bank decides to implement their new security protocols:

  • If the total value of the transaction is less than €30
  • If the customer has a subscription with you for the same amount every month
  • Payments initiated by you, from a saved card (or "tokenized card"), assuming the card already passed an SCA check the first time the card was charged or saved
  • If the customer "whitelists" your business with their bank for future purchases

How Melon Development can help prepare you for SCA compliance.

Many payment processors like Stripe have already announced that it will be up to businesses to ensure compliance by September 14th, or they will see a spike in declined transactions. This may sound like a long time away, but when the lifeline of your business is potentially at risk, this is not something that can be ignored.

Preparing for SCA may mean that your checkout flow needs to be updated, changed, or remade entirely. This can be extremely stressful if you don't have developers handy or your site was made by someone else a long time ago.

Drop us an email.

We'll review how your site works, determine what you need to have changed, and ensure your site future-proof for when this new regulation hits. You don't want to risk going down for any period of time if you can help it, so make sure you're prepared.

Get in touch today.