Europe is preparing for a big change in the way we pay when we buy online, a change that will have significant consequences for all companies in Europe. Just as the General Data Protection Regulation (GDPR) greatly affected the way millions of organizations handle personal data last year, the entry into force of strong customer authentication (SCA) will have a profound impact on the way companies handle online transactions and on how we pay.
As of September 14, SCA will require an additional level of authentication for online payments. Where a card number and an address used to be enough to do something as simple as ordering a taxi or paying for a music streaming service, we will now have to provide at least two of the following three factors: something we know (such as a password or PIN), something we possess (such as a token or a smartphone), and something we are (such as a fingerprint or facial biometrics).
Why does this happen?
The regulations are designed to protect European consumers from online fraud attempts that amount to billions of euros. Internet commerce in Europe is expected to grow to reach a trillion dollars in 2022, and online fraud is growing with it. The European Central Bank estimates that online fraud reaches a value of 1,300 million on European cards.
However, SCA could have a very high cost for European companies that operate online. If they are not prepared, the implementation of the new directive will generate failed transactions, and this additional friction will have a very negative impact on conversion and on their business. We are facing an economic loss that can reach 150,000 million.
What should Internet companies do to prepare?
The best approach is to prepare in good time: only 25% of European merchants are aware of the changes that are coming, and many may find themselves rushing at the last minute, as happened in the period before the GDPR.
But make no mistake, SCA is no less complex than the GDPR. National regulators, card networks and issuing banks interpret the general EU regulations differently and have their own set of rules and policies. Also, there are payment exemptions that do not require double authentication. For most companies, this is disconcerting, but there are some general principles that should be applied when preparing for the SCA.
First, companies have to evaluate their payment experience to minimize friction by offering the most appropriate payment method. From biometric security in mobile wallets to card-free regional payment methods and 3D Secure 2, companies have several ways to let their customers authenticate a transaction in line with the SCA rules.
Different payment methods are more suitable for certain business models, and customer preferences will vary depending on geography and on the customer's relationship with the business. Therefore, digital businesses must incorporate as many options as possible in their payment experience.
Second, companies must optimize their business both for when SCA is required and for when it is not, since SCA will not apply to all online transactions (there are exemptions for recurring payments and purchases under 30 euros). In addition, customers can create pre-approved lists with their issuing bank of those companies where they make recurring payments and thus skip authentication for future purchases, although it must be taken into account that the decision to grant an exemption ultimately rests with the bank.
For a company that operates in multiple European markets, managing the exemptions itself would mean working directly with local banks to understand exactly how to implement them, and there are more than 6,000 banks in Europe. Companies will have to decide whether they want to become SCA experts or find a strategic partner to help them abstract away the complexity of the challenges that come with the new regulations.
How could this shape ecommerce in Europe?
But where there is risk, there is always opportunity. In the context of stricter regulations, seamless payment experiences and intelligent management of SCA exemptions will become a profound competitive advantage for Internet companies capable of executing them correctly. In a way, this can even benefit advanced technology companies that live and die by optimizing the user experience (compared to the legacy companies that are still making the transition from the offline world). This applies especially to mobile commerce, where SCA can contribute to a greater adoption of biometric security in payments with Apple Pay and Google Pay. In addition, SCA can stimulate a wave of innovation in biometric security tools and mobile payment technology here in Europe, as entrepreneurs detect gaps in the market for safer and easier-to-use authentication experiences.
Ultimately, making the Internet economy safer is important for its long-term growth prospects. As consumer confidence increases, so does the amount spent online. In this context, while SCA poses a major challenge for European e-commerce in the short term, it could become an important milestone on the road to increasing online commerce in Europe, the completion of the digital single market and the increase in Internet GDP.
Borja Santos is director of Stripe Iberia