It has been nearly a year and a half since the Payment Service Directive 2 (PSD 2) came into force. It has been a game changer and has opened the door for many new fintech start-ups to offer innovative services. However, many people do not know that a big chunk of PSD 2 has not been implemented yet: namely Strong Customer Authentication (SCA). It puts forward new requirements for authenticating online payments. Starting from 14 September 2019, banks will decline payments that do not meet the new rules. We will examine whether this is something that online businesses should be worried about.

What is Strong Customer Authentication (SCA)?

Strong Customer Authentication (SCA) is a new European regulatory requirement intended to reduce fraud and make online payments more secure. To achieve this, the EU has put forward 3 methods of authentication:

  • Something the customer knows (e.g. PIN code, password)
  • Something the customer has (mobile phone or other physical device)
  • Something the customer is (e.g. biometrics: fingerprint, face recognition)

For a payment to be accepted, authentication has to be carried out via 2 of the above-mentioned elements.
Here is a real-life scenario: a customer wants to buy sneakers from an e-commerce shop. According to the new rules, at checkout they would need to approve the transaction, for instance by responding to a push notification from their bank or scanning their fingerprint in their bank's smartphone app. Failing to do so would result in a rejected transaction.


We should mention that certain payments are exempted from SCA:

  • Low-value transactions that total less than 30 euros. This exemption is limited to 150 euros, meaning that after 5 transactions you would still need to authenticate.
  • Recurring transactions – Merchants offering subscriptions must apply SCA only to the first transaction, as long as the following charges are for the same value.
  • Trusted Beneficiaries or merchants that are whitelisted by a consumer.
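
The two-of-three rule and the exemptions above can be written down as a small decision routine. The following is an added example, not code from a bank, PSP or the regulation: the factor names, class names and the reset of the low-value counters after a successful SCA are assumptions, and the thresholds are the ones stated in this article.

```python
from dataclasses import dataclass
from typing import Optional

# Example factors mapped to the article's three categories (constructed list).
CATEGORY = {"pin": "knowledge", "password": "knowledge",
            "phone_push": "possession", "hardware_token": "possession",
            "fingerprint": "inherence", "face": "inherence"}
# Thresholds exactly as the article states them (not checked against the regulation).
LOW_VALUE_EUR, CUMULATIVE_CAP_EUR, MAX_EXEMPT_COUNT = 30.0, 150.0, 5

@dataclass
class Payment:
    amount: float
    merchant: str
    recurring: bool = False               # subscription charge after the first
    first_amount: Optional[float] = None  # value of the first, authenticated charge

@dataclass
class CustomerState:
    exempt_total: float = 0.0         # low-value spend since the last SCA
    exempt_count: int = 0             # low-value payments since the last SCA
    trusted: frozenset = frozenset()  # merchants whitelisted by the customer

def sca_satisfied(factors):
    """True when the factors cover at least two different categories."""
    return len({CATEGORY[f] for f in factors if f in CATEGORY}) >= 2

def exemption(p, s):
    """Name of the exemption that applies to payment p, or None."""
    if p.merchant in s.trusted:
        return "trusted_beneficiary"
    if p.recurring and p.first_amount == p.amount:
        return "recurring"
    if (p.amount < LOW_VALUE_EUR and s.exempt_count < MAX_EXEMPT_COUNT
            and s.exempt_total + p.amount <= CUMULATIVE_CAP_EUR):
        return "low_value"
    return None

def authorize(p, s, factors=()):
    """Return (accepted, reason); keeps the low-value counters up to date."""
    reason = exemption(p, s)
    if reason == "low_value":
        s.exempt_total, s.exempt_count = s.exempt_total + p.amount, s.exempt_count + 1
    elif reason is None:
        if not sca_satisfied(factors):
            return False, "sca_required"
        # Assumption: a successful SCA resets the low-value counters.
        s.exempt_total, s.exempt_count = 0.0, 0
        reason = "sca_ok"
    return True, reason
```

Note that a PIN plus a password does not pass `sca_satisfied`, because both are "something the customer knows"; the two elements have to come from different categories.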

How does it affect my e-commerce store or online business?

Ultimately, the responsibility for SCA falls on the shoulders of the banks and the payment service provider (PSP) that supports your online store.

However, that does not mean you won’t be affected. The single biggest threat is a drop in conversion rates in the short term after 14th September. Shopping cart abandonment is already one of the biggest challenges in the business. If customers need to take a few extra steps to complete their purchases, or their transactions are constantly declined, it is likely that some of them will leave the site prematurely. That would result in big overnight losses.

“Europe’s Online Economy is set to Lose €57bn from SCA” – 451 Research Report

The fact is that Europe is not a pioneer in this type of legislation. Back in 2014, India enforced similar legislation. Some businesses reported an overnight conversion drop of over 25 per cent.

Despite the short-term troubles, Strong Customer Authentication (SCA) will have a positive impact in the long term. The regulation will combat fraudulent transactions. Businesses are likely to see fewer customer chargebacks and hence potentially a drop in operating costs.

How to prepare my online business for SCA?

Now that we know that SCA could have a significant effect on your online business, here are some steps that you could take to make sure you are adequately prepared:

  • Start early: SCA enters into force on 14th September, so the earlier you start preparing the better. Everybody will be flocking to their bank and PSP at the beginning of September, so avoid the queues.
  • Contact your payment service provider and ask how they are preparing for SCA. They will advise and guide you if you need to update any software.
  • Research what products your PSP offers. Many big PSPs like Stripe, Adyen etc. offer complimentary products and APIs to mitigate the risks of SCA.
  • Examine your customer journey and make it as frictionless as possible. (See picture below)
  • Take advantage of the exemptions listed above. An online business that can apply as little authentication as the rules allow would generally have a competitive advantage. The problem is that acceptance depends on the customer's bank and the card networks. It would be hard to negotiate with them, so the PSP again may be your go-to place.

Strong Customer Authentication (SCA) will affect a lot of online transactions in the EU starting in September 2019. Although it will bring some short-term pain to online businesses, it will address the issue of billions of euros lost to fraud. By following some of the steps above in good time, you will probably avoid a big overnight drop in sales.