Strong Customer Authentication: online retailers must move quickly

Dec 20, 2018

On 14 September 2019, a significant change to online payments will come into effect across the UK and Europe. The problem: retailers are unprepared for it. GDR’s Charlie Lloyd spoke to Mark Beresford, director and head of Retailer Payments Practice at the payments consultancy Edgar, Dunn & Company, to learn more about Strong Customer Authentication (SCA) and the dangerous implications for retailers that don’t act now.


Mark Beresford

What is SCA?

Strong Customer Authentication (SCA) is a new requirement for remote online payments that forms part of the EU’s Second Payment Services Directive (PSD2). Since 13 January 2018 we’ve been in a transition period, during which retailers and banks must make the necessary preparations ahead of 14 September 2019, the date from which SCA will be enforced.

Ultimately, what it means is that consumers will no longer be able to pay for things online with a debit or credit card without two-factor authentication. Two forms of authentication must be provided from three permitted categories. The first covers things that the consumer knows, ie a secret code, token or PIN number, the second covers what the consumer owns, ie his/her debit card or smartphone, and the third are things that the consumer is, which involves using technology such as fingerprint, iris, face, or voice recognition. A card payment with a password will no longer be sufficient because this ticks off one, not two, of these forms of authentication.


What types of payments will be affected?

SCA will most heavily impact single online transactions. Recurring payments such as subscriptions and direct debits will be exempt, as will contactless payments on public transport. Other contactless payments will continue to work in the same way as they do currently, for the first five transactions per day, or up to a value of £89 (€100), at which point the customer will have to enter their PIN.

However, the greatest changes will occur in standard online transactions. Low value online transactions, i.e. under £27 (€30) are exempt, but most online transactions are above that value – airline tickets, groceries, clothes, concert tickets, etc. Currently, if a merchant has a consumer’s card on file, they can usually take payment from them seamlessly via one-click payment. Uber, for example, has a customer experience predicated on exactly this type of frictionless ordering. Because of the necessity of two-factor authentication, this payment journey will no longer be acceptable under PSD2. The customer will most likely be required to enter a one-time code together with one other form of authentication, such as biometric identification, before the payment is approved. The same applies to buying clothes or anything else online, unless it’s through a subscription model, which is exempt. A Netflix subscription, for example, would require SCA for the first transaction but all subsequent monthly payments would be exempt.


What will happen if retailers don’t comply?

Because of these changes, retailers really won’t have a choice. Right now, the decision about whether anything other than the customer’s card details is required to complete a payment is the retailer’s, but from 14 September 2019 it is the issuing bank, not the retailer, who makes the call. Liability will shift from the merchant to the issuing bank too, but only if the merchant has implemented the proper SCA measures. It will therefore be imperative to those banks that any payments deemed to fall foul of SCA are declined. That means that if retailers haven’t implemented the necessary changes to their systems by the deadline, their ecommerce businesses will fall off a cliff. Or at the very least, confuse consumers during the online checkout process.


Are online retailers moving fast enough?

Beyond a handful of major players there seems to be a seriously worrying lack of awareness about SCA and its implications among retailers. The preparatory process for something like this takes months. When SCA is enforced each customer transaction will have to pass through two stages of authentication, in coordination with a Payment Service Provider (PSP) or payment gateway, then through the acquiring bank, then through to the issuing bank, and all of this needs to be tested. Any online retailer that hasn’t begun the process of getting ready for SCA really needs to begin immediately.


Mark Beresford is a director at Edgar, Dunn & Company (EDC) and has more than 25 years of experience in the payments sector. He is responsible for the firm’s practice working with omnichannel merchants and payment service providers across the globe. See for more details.

News & insights straight to your inbox!