
Thought GDPR was complex? Get ready for SCA!

Europe is bracing itself for a big shake-up in how we pay for things online, which will have significant consequences for businesses across the region. Similar to how GDPR hugely impacted how millions of organizations handle personal data when it was enforced last year, Strong Customer Authentication (or SCA) will have profound implications for how businesses handle online transactions and how we pay for things in our everyday lives when it is enforced on 14 September.

SCA will require an extra layer of authentication for online payments. Where a card number and address once sufficed, customers will now be required to present at least two of the following three factors to do anything as simple as order a taxi or pay for a music streaming service: something they know (like a password or PIN), something they own (like a token or smartphone), and something they are (like a fingerprint or biometric facial features).

Why is this happening?

The new rules are designed to protect European consumers from billions of euros in attempted online fraud. As European internet commerce is expected to grow to $1 trillion by 2022, online fraud grows with it: the European Central Bank now estimates around €1.3 billion in online fraud on European cards each year. At Stripe, we see and prevent more than €3.5 billion of fraud attempts globally per year. Along with the six million Europeans and counting who now make their living in internet commerce, we welcome any attempt to thwart bad actors.

But SCA could come at a heavy cost for European online businesses. Without careful preparation, failed transactions and additional friction will have a significant negative impact on conversion. When similar regulation was enforced in India in 2014, some businesses reported an overnight conversion drop of over 25%. If the same were to happen in Europe’s €600 billion online economy today, we would be facing a potential economic loss of €150bn.

What should internet businesses do to prepare?

It’s best to get prepared early: With only 25% of European merchants aware of the upcoming changes, there may be a last-minute rush as we get closer to the deadline, similar to the dash many businesses made last year in the run up to GDPR.

SCA is certainly no less complex than GDPR. The overarching EU regulation is interpreted differently by national regulators, card networks and issuing banks have their own set of rules and policies, and there are important payment exemptions for when SCA is not required. For most businesses, this is bewildering, but there are some overarching principles to apply when getting ready for SCA.

Firstly, calibrate your checkout experience to minimize friction with the most appropriate payment method. From biometric security in mobile wallets to regional non-card payment methods to 3D Secure 2, there are various ways businesses can let their customers authenticate themselves in an SCA-compliant manner. Different payment methods will be more suitable for certain business models, and customer preferences will vary depending on geography and their relationship to the business. Given this, internet businesses need to build maximum optionality into their checkout experience, so the most relevant SCA-compliant payment method is dynamically surfaced depending on the context.

Second, optimize for when SCA is needed and when it isn’t. SCA won’t apply to every online transaction. There are exemptions for recurring payments and purchases under €30, for example, so give thought to the situations in which you do not need to send a customer a stepped-up authentication request. What is more, customers can whitelist businesses with their issuing bank, so they don’t need to authenticate themselves for any future purchases. This is particularly important for businesses that have repeat customers. Unfortunately, granting exemptions ultimately depends on the customer’s bank. For a business operating in multiple European markets, managing exemptions themselves would mean working directly with local banks to understand exactly how to trigger them, and there are more than 6,000 banks in Europe. Businesses will have to decide whether they want to become SCA experts themselves or find a strategic partner that will help them abstract away the complexity of the challenges that come along with the new regulation.

One might argue that the design of SCA regulation could have better accounted for the complex internet business models that are increasingly common today (such as on-demand services) as well as modern fraud risk analysis based on machine learning. But regardless of our viewpoint on it, SCA is coming, and its consequences will be hard for businesses who fail to prepare. This makes it even more important for merchants to start working on managing the upcoming additional friction and its impact on conversion rates now.

How could this shape internet commerce in Europe?

But where there is risk, there is always opportunity. In the context of tighter rules, seamless checkout experiences and intelligent SCA exemption management will become a deep competitive advantage for internet businesses able to execute well. In one way, this may even benefit tech-forward businesses which live and die by optimizing user experience (versus legacy businesses that are still making the transition from the offline world). This applies especially to mobile commerce, where SCA may contribute to wider adoption of biometric security in wallets like Apple Pay and Google Pay. Additionally, SCA may spur a wave of innovation in biometric security tools and mobile payment technology here in Europe as entrepreneurs spot gaps in the market for more secure, more user-friendly authentication experiences.

Let’s remain optimistic. It’s not the first time Europe has pioneered new standards in payments that reconcile security and convenience. Consider how it rolled out EMV standards over a decade ago to make chip and PIN more or less ubiquitous on the continent, while the US is still playing catch-up even today. History may repeat itself with SCA. In any case, wherever Europe goes, the world and how it pays will likely follow. Australia and other markets are expected to introduce similar legislation soon.

Ultimately, making the internet economy more secure is important for its long-term growth prospects. As consumer trust increases, so does the amount they spend online. In that context, while SCA poses a significant challenge for European ecommerce in the short term, it could turn out to be a significant milestone on the way to increasing online commerce in Europe, fulfilling the Digital Single Market, and raising the GDP of the internet. The latter happens to be our mission at Stripe, too.



Comments: (2)

A Finextra member, 17 May 2019, 07:04

Great post. Very informative. Cheers, Iain.

Certainly some interesting, and likely turbulent times ahead, but here in Estonia, strong customer authentication has been in place for online purchases for years, with all the major banks using it.

When first hearing about it, I thought it sounded clunky and annoying, but since living here, I've actually found it far more convenient, as I no longer have to fill out all my card details (which means I don't have to give them to every online retailer I deal with) and I don't have to fill out reams of information fields asking for my name, address, and blood type ;).

All of this is done with the highest level of security with several EAL4+, eIDAS, PSD2 evaluated methods such as smart cards, smart SIM cards, and a tokenless mobile app (uses our technology).

I'll write a post sharing the advantages SCA can bring to the rest of Europe. Good times ahead.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 17 May 2019, 13:43

To prevent €1.3 billion in online fraud, EU is putting €150 billion revenues at risk. I can't believe this madness.

As I've pointed out countless times in the past 4-5 years, 2FA has been a major conversion killer in India. At last, I'm glad that mine is not the only voice in the wilderness on this issue. If India's response is any indication, we can expect to see a lot of fintech activity in the EU around legitimate sidestepping of SCA.

Why Do People Obsess Over Security And Then Make Payments Without A Password?

Winners Don't Let Security Screw Up User Experience

Iain McDougall, UK & Ireland Country Manager

This post is from a series of posts in the group: Fintech discussions and conversations around the development of fintech.