Q&A: What is SCA and what will it mean for ecommerce?

New rules to cut card fraud are fast approaching. But what does it mean for online shopping?

The price of more secure online payments is likely to be a little bit more hassle for consumers and retailers. Photograph: iStock


We’ve all been there: filled an online shopping cart, gone through the checkout process and submitted your payment information. Job done. Suddenly you found yourself redirected to Verified by Visa, an additional security step to approve your online payment, where you promptly forgot the password you signed up with the last time you used the system several months before. A few wrong passwords later and your cart is abandoned.

The system is designed to protect consumers, retailers and card issuers from fraud, but genuine transactions were inevitable collateral damage. Not every retailer used the additional layer of security but new regulations coming in the next few months will require most online payments to be subject to stronger authentication.

It’s not quite as bad as it sounds though.

What exactly are the new regulations?

Part of the Revised Payment Services Directive (PSD2) published in 2018, Strong Customer Authentication (SCA) is intended to make payments more secure, requiring online sellers to implement more stringent methods of ensuring the payments they are taking are genuine. The rules, which come into effect on September 14th, mean customers will have to approve online payments through a second level of authorisation where the cardholder’s bank and the business accepting the transaction are located in the European Economic Area.

Under SCA, companies will have to verify a customer’s identity by two of the three following elements: something the customer possesses – i.e. the credit card, mobile device or smart card; something only the user knows, such as a password or PIN; and something that the user is, which means biometrics such as a fingerprint or facial scan.

Essentially, it brings it closer to in-person payments, where having the card and knowing the PIN satisfies two of those three elements.

Don’t they already have that in place?

Some online retailers use 3DSecure such as Verified by Visa and Mastercard Identity Check. But many more businesses will be required to use SCA for online payments. That requires a degree of preparation from the retailer, payment processors and banks.

The updated version of 3DSecure, which is expected to be adopted by European banks before the SCA D-Day in September, promises to be less frustrating for consumers to use, which is good news for anyone who has struggled with the systems in the past. Not only does it ditch the password-only option, allowing customers to use biometrics and tokens to approve the payments, it is also designed to be mobile friendly.

What does it mean for consumers?

Despite the changes to make 3DSecure easier to use, the new SCA system could lead to frustration when making payments online. That extra layer of security is meant to protect both consumers and retailers from fraudulent payments, but it also makes shopping online a little more complex. There will now be an extra step in the checkout process where customers will have to enter codes or use biometric authentication through their banking app to approve the payment.

Of course, there will be exemptions under the scheme.

What do you mean by “exemptions”?

Not every payment will be subject to the new rules. For example, recurring payments or those under €30 will usually fall outside the scope of the regulations. The former will be authenticated when the customer initially signs up for the service.

However, getting exemptions is not a straightforward process, and neither are exemptions guaranteed. As with the tap and go system with contactless cards, some payments that, on the face of it, would be exempt may not be because the customer has made five payments under the €30 threshold in a row, or because the total of previous exempted payments made by the customer has exceeded €100.
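The two-of-three rule and the low-value exemption counters described above can be sketched as follows. This is an added example, not code from the regulation or from any payment processor; the `CardHistory` counters, the factor names and the assumption that completing SCA resets the counters are all hypothetical.

```python
from dataclasses import dataclass
from decimal import Decimal

LOW_VALUE_LIMIT = Decimal("30")     # "those under EUR 30"
MAX_EXEMPT_IN_A_ROW = 5             # "five payments ... in a row"
MAX_EXEMPT_TOTAL = Decimal("100")   # previous exempted total "has exceeded EUR 100"

# Constructed mapping of authentication methods to the three SCA elements.
FACTOR_CATEGORY = {
    "card": "possession", "mobile_device": "possession",
    "password": "knowledge", "pin": "knowledge",
    "fingerprint": "inherence", "face_scan": "inherence",
}

@dataclass
class CardHistory:
    """Hypothetical per-card counters; assumed to reset when SCA is completed."""
    exempt_in_a_row: int = 0
    exempt_total: Decimal = Decimal("0")

def is_strong(factors):
    """True when the factors cover at least two *different* elements."""
    known = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(known) >= 2

def low_value_exempt(history, amount):
    """Apply the low-value rule as the article states it."""
    if amount >= LOW_VALUE_LIMIT:
        return False
    if history.exempt_in_a_row >= MAX_EXEMPT_IN_A_ROW:
        return False
    if history.exempt_total > MAX_EXEMPT_TOTAL:
        return False
    return True

def process(history, amount, factors=()):
    """Return 'exempt', 'authenticated' or 'declined' and update the counters."""
    if low_value_exempt(history, amount):
        history.exempt_in_a_row += 1
        history.exempt_total += amount
        return "exempt"
    if is_strong(factors):
        history.exempt_in_a_row = 0
        history.exempt_total = Decimal("0")
        return "authenticated"
    return "declined"
```

Note that a password plus a PIN fails the check: both are knowledge factors, so they count as one element.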

What does it mean for retailers?

Retailers will have to ensure their payments systems are upgraded prior to the deadline for SCA, integrating 3DSecure into their checkout process. How simple that is will depend on each business’s setup. Many of the changes brought about under SCA, including navigating the exemptions, can be handled by payment processors such as Stripe, PayPal or WorldPay.

However, there are concerns that retailers stand to lose out if consumers aren’t aware of the changes. Frustration with completing payments could mean more abandoned shopping carts.

Consumers will have to make the appropriate security arrangements such as providing their phone number to their bank for SMS authentication, or approving the use of their fingerprint. And, according to some industry experts, it will require changes to how some retailers charge their customers.

One issue is that exemptions are not guaranteed. For example, if the payment is sent for authentication after the customer has left the site – for instance, where a free trial expires and automatically becomes a recurring payment for a service – and it is declined, it will require the customer to return to the site to approve the payment. Failure to do so will nullify the transaction.

Smaller retailers may be seen as more vulnerable to losing money due to abandoned shopping trips, but larger companies such as Amazon will also have to make changes to adhere to the new regulations. What does that mean for the one-click ordering process that Amazon has perfected?

It’s not clear, although Amazon told the Financial Times it was finalising its own preparations.

How ready is the industry for these new regulations?

It depends on what you mean by ready. Payments companies such as Stripe and WorldPay are changing their products to take account of SCA and look after the exemptions, which will make it easier for retailers to deal with.

But if the research published on Tuesday by Stripe is accurate, only around half of retailers are confident they will be prepared by the time the September deadline comes around.