On September 14, 2019, new requirements for the authentication of online payments will be introduced in Europe as part of the second Payment Services Directive (PSD2).
In this guide, we take a closer look at these new requirements known as Strong Customer Authentication (SCA) and the types of payments that will affect them. Finally, we'll cover the exceptions that can be used on low-risk transactions to allow for a smooth transaction.
We have published a separate guide to designing payment flows for SCA to help you determine when to add authentication to your customer journey. You can also attend our webinar to see our SCA experts dig deep into the regulation, or click here for more information on Stripe's SCA-enabled products.
STAY UP TO DATE WITH A STRONG CUSTOMER AUTHENTICATION.
We work closely with politicians, regulators and the entire payments industry to make all changes as smooth as possible. Sign up to stay informed about government regulations and product updates.
HAVE BEEN NOTIFIED. What is strong customer authentication?
Strong Customer Authentication (SCA) is a new European regulatory requirement to reduce fraud and make online payments more secure. To be able to accept payments after the SCA comes into effect, you need to integrate additional authentication into your checkout process. SCA requires authentication to use at least two of the following three elements.
As of September 14, 2019, banks will reject payments that require SCA and do not meet these criteria. (If you want to read the original SCA requirements, they are set out in the Regulatory Technical Standards or RTS.)
Wemakefuture helps you to implement these requirements.
When is strong customer authentication required?
Strong customer authentication applies to "customer-initiated" online payments within Europe. As a result, most card payments and all bank transfers will require SCA. Recurring direct debits, on the other hand, are considered "initiated by the merchant" and do not require strong authentication. With the exception of contactless payment transactions, personal card payments are also not affected by the new regulation.
For online card payments, these requirements apply to transactions where both the company and the cardholder's bank are based in the European Economic Area (EEA). (We expect the SCA regulation to be enforced in the UK regardless of the Brexit outcome.)
How to authenticate a payment
The currently most common method of authenticating an online card payment is based on 3D Secure - an authentication standard that is supported by most European cards. The application of 3D Secure usually adds an extra step after the checkout where the cardholder is asked by his bank to provide additional information to complete a payment (e.g. a one-time code sent to his phone or the fingerprint -Authentication through its mobile banking application).
3D Secure 2 - the new version of the authentication protocol introduced in 2019 - will be the main method of authenticating online card payments and will meet the new SCA requirements. This new version introduces better usability, which helps to minimize some of the friction that authentication brings into the checkout process.
Other card-based payment methods such as Apple Pay or Google Pay already support payment processes with an integrated authentication layer (biometric or password). This can be a great way for businesses to have a smooth checkout experience while meeting the new demands.
We also expect many popular European payment methods such as iDEAL, Bancontact or Multibanco to adhere to the new SCA rules without any significant changes in the user experience. We'll work directly with the providers of these payment methods to confirm whether any changes are required.
Exceptions to strong customer authentication
Under this new regulation, certain types of low risk payments can be exempted from strong customer authentication. Payment providers like Stripe can request these exceptions when processing payments. The cardholder's bank then receives the application, assesses the risk level of the transaction and ultimately decides whether to approve the exemption or whether authentication is still required.
Integrating authentication into your checkout flow adds an extra step that can add friction and increase customer donation. Using exceptions for low risk payments can reduce the number of times a customer has to authenticate and reduce friction. We have designed our new SCA-enabled payment products so that you can take advantage of exceptions to protect your migration.
The main exceptions for internet companies are:
Low Risk Transactions
A payment provider (like Stripe) can perform real-time risk analysis to determine if SCA should be applied to a transaction. This can only be possible if the total fraud rates of the payment provider or the bank for card payments do not exceed the following thresholds:
0.13% for exempt transactions under € 100.
0.06% for exempted transactions under € 250.
0.01% for exempt transactions under € 500.
If necessary, these threshold values are converted into local equivalent values.
In cases where only the payment provider's fraud rate is below the threshold but the cardholder's bank is above, we expect the bank to decline the exemption and request authentication.
We expect this to be one of the most useful exemptions for businesses and one of the most widely supported by banks. Stripe Radar's comprehensive real-time risk assessment enables us to support this exemption for our users.
Payments under € 30.
This is another exemption that can be used for payments with a small amount. Transactions under € 30 are considered "low value" and can be exempt from SCA. However, banks must request authentication if the exemption has been used five times since the cardholder's last successful authentication or if the total of the previously exempted payments exceeds EUR 100. The cardholder's bank must keep track of the number of exceptions and decide whether authentication is required.
Fixed amount subscriptions
This exemption can apply if the customer makes a number of recurring payments of the same amount to the same company. SCA is required for the customer's first payment but can be exempt from SCA.
We expect this exemption to be very useful for the subscription business and widely supported by European banks.
Payments with saved cards when the customer is not present in the checkout process (sometimes referred to as "off-session") can be considered as merchant-initiated transactions. Technically, these payments do not fall within the scope of SCA. In practice, marking a payment as a "trade-related transaction" will be similar to applying for an exemption. And as with any other exemption, it is up to the bank to decide whether authentication is required for the transaction.
In order to use merchant initiated transactions, you must authenticate the card either when saving or when making the first payment. Finally, you need to obtain consent (also known as a "mandate") from the customer in order to top up their card at a later date.
This will be a major use case for business models that rely on late payments, variable amount subscriptions, or invoices for add-ons. We expect it to be supported and accepted by most European banks if the transaction is classified as low risk by the bank.
Trusted Beneficiaries When customers complete authentication for a payment, they may have the option to whitelist a company they trust to avoid having to authenticate future purchases. These companies are placed on a "Trusted Beneficiary" list maintained by the customer's bank or payment service provider.
While whitelisting has the potential to make repeat purchases or subscriptions more convenient for customers, the acceptance of this function by banks has so far only developed slowly. We do not anticipate that it will be fully implemented by the banks by September 2019, but we will support this exemption for our users as soon as it becomes available.
Telephone sales
Card data collected over the phone does not fall within the scope of SCA and does not require authentication. This method of payment is sometimes referred to as "Mail Order and Telephone Orders" (MOTO). Marking a payment as a MOTO transaction is similar to requesting other exemptions, with the cardholder's bank making the final decision on whether to accept or reject the transaction.
Company payments according to SOC
This exemption can include payments with "stored" cards (e.g. when a company card used to manage employee travel expenses is held directly with an online travel agency) and payments with virtual card numbers (which are also used in the travel sector) .
We expect this exemption to have little practical use due to its very narrow scope outside of the travel industry. The exemption itself can only be requested from the cardholder's bank, as neither the company nor payment providers (such as Stripe) can tell whether a card falls into these categories.
What if an exemption fails While exceptions will be very useful, it is important to remember that it is ultimately the cardholder's bank that decides whether or not to accept an exception. Banks are returning new rejection codes for payments that failed due to lack of authentication. These payments must then be retransmitted to the customer with a request for strong customer authentication. Stripe's SCA-enabled products automatically trigger this additional authentication when required by banks.
If your company is affected by SCA, we recommend preparing for a relapse in case an exemption is denied and your customer needs to authenticate. This is especially important when you are charging your customers when they are not active in your checkout flow (when they are out of session) and your customer needs to return to your website or app to authenticate. For more information, see our guide to designing payment flows for SCA.
How wemakefuture helps you prepare for strong customer authentication.
The changes introduced by this new regulation will have a major impact on e-commerce in Europe. Affected companies that do not prepare for these new requirements could experience a significant drop in their conversion rates after the implementation of SCA on September 14th.
In addition to supporting new authentication methods like 3D Secure 2, we believe that successfully handling exemptions will become a key component in building a great payment experience that minimizes friction. We anticipate that there will be differences in the way national regulators and even individual banks support exemptions and develop solutions to handle this complexity for you.
We'll help you integrate a new API for basic payments called Payment Intents for your shop, which uses Stripe's SCA logic to apply the correct exemption and trigger 3D Secure if necessary. The new Checkout from Stripe and Stripe Billing are both based on this API and can use 3D Secure dynamically if necessary.
Learn more about the SCA-enabled products from wemakefuture.com
Cloud Integration, iPaaS, SaaS, BPA… Ough, hard to keep track of all these terms. They are currently used frequently (and increasingly) in the context of automation, and it is sometimes difficult to make a clear distinction and distinction. We have already written blog posts on the terms iPaaS, SaaS and BPA, but we’ll take them up again here to make the difference.
But let’s start with cloud integration, because that’s the central umbrella term in which we embed all the other technologies in this blog post.
Arrange a free cloud integration consultation now
Arrange a free cloud integration consultation now
To illustrate these advantages, an example is suitable that we know well from our everyday work as an automation agency:
The central data to be used here is the data of a major customer. This can be the simplest information, such as the address. This address is required in numerous but completely different processes in the company: on the one hand, for correct invoicing in accounting. On the other hand, in the CRM system, where all the data of the large customer is also stored. But the address is also important in sales, for example, when employees go to the sales meeting on site.
Now the customer announces that the address of the company has changed after a move. This information will reach you by e-mail. There are now two options:
01. The e-mail is forwarded to all affected departments, accounting, sales, customer service, marketing… All persons open their corresponding program, CRM, accounting software, marketing tools (such as newsletter marketing) and change the data already stored there of the customer. This means that in multiple applications, different people do exactly the same thing: change one address.
02. But there is also an alternative: By connecting your applications, thus by integrizing them, the customer’s e-mail, or rather the information it contains about the address change, is automatically passed on to all affected applications: CRM, accounting, marketing, ERP. This does not require any clicks, because the cloud integration detects a trigger, i.e. address change, and thus automatically starts the process.
What sounds unimpressive in a single process becomes more effective when such a process occurs several times a day or weekly. Because there is a lot of data that is available in different applications and should always be correct. If these applications are cloud applications they are suitable for cloud integration.
But cloud integration doesn’t just happen. There are now a variety of applications that enable and implement this. Such tools usually allow us to link the relevant cloud applications on a central platform and define clear rules on when, how, where, how much data should be passed on and what happens to them.
To realize cloud integration, there are various applications and technologies that are sometimes used interchangeably.
We have made a first distinction between iPaaS and BPA here.
We explain the term SaaS in more detail here.
Cloud integration is rather an umbrella term that includes numerous technologies, such as SaaS, iPaaS and BPA, and this is also absolutely necessary. Cloud integration is a concept that is made possible by appropriate technologies.
However, all terms share the commonality that they are cloud-based and thus offer enormous potential for growth and scaling. In addition, they are often cheaper to implement and maintain because changed requirements are easy to implement.
As an independent automation agency, we implement cloud integration according to your requirements. We use a variety of SaaS tools and iPaas (strictly speaking BPA) software. Together we find individual solutions that are flexible and scalable.
