By 2022, European ecommerce is expected to grow to $1 trillion. That growth means an increase in online fraud as well. According to the European Central Bank’s estimates, online fraud on European cards may amount to €1.3 billion a year.
In January 2018, the EU Payment Services Directive (PSD2) came into effect, bringing in new laws designed to protect consumers.
What is SCA (Strong Customer Authentication)
SCA is the part of PSD2 that requires changes to online payment authentication for European customers. Card transactions over €30 will require 3D Secure authentication, which changes the checkout user experience by adding an extra step to it.
The SCA requirement came into force on September 14, 2019. However, with the approval of the European Banking Authority, several EEA countries delayed its implementation, with a final deadline set for December 31, 2020.
How does Strong Customer Authentication work in practice
Following the SCA guidelines, card transactions need to be carried out more securely using two of three forms of customer authentication laid out in the Regulatory Technical Specifications (RTS).
This means that typing in card details at checkout will no longer be enough for European citizens to make an online purchase. They will additionally need to confirm their identity with something they know (a password or PIN), something they have (a mobile device), or something they are (a fingerprint or facial biometrics).
The three authentication factors outlined in the RTS are:
- Knowledge: Something you know, typically a password or PIN.
- Possession: Something you have, such as a device or credit card.
- Inherence: Something you are physically, typically a fingerprint or other biometric.
This changes the checkout process, which will now consist of the following steps:
- Payment initiation – customers fill out their card details
- Dynamic authentication triggering – if needed, 3D Secure is applied
- Payment completion – once the customer’s identity has been confirmed, their card can be charged
How SCA affects online retailers
Merchants are affected by SCA if their ecommerce business:
- is based in the European Economic Area (EU countries + Norway, Iceland, and Liechtenstein)
- serves customers in the EEA
- accepts card payments
Some kinds of transactions are exempt from SCA requirements. These include low-value payments (under €30; however, 3D Secure will still be required on every 5th transaction or when the total value of transactions made by one customer exceeds €100), B2B payments (provided that they use payment methods dedicated to transactions between businesses), and most subscriptions and recurring payments.
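The low-value exemption above, worked through as an added Ruby example (not code from Spree, Stripe or this article's author). It uses the thresholds as the article states them; the class and method names, the integer-cents amounts and the reset of both counters after an authenticated payment are assumptions, and in practice the customer's bank makes this decision.

```ruby
# Added example: low-value exemption counters for one customer, per the article's thresholds.
class LowValueExemptionTracker
  LOW_VALUE_LIMIT_CENTS  = 30_00  # payments under EUR 30 can be exempt
  CUMULATIVE_LIMIT_CENTS = 100_00 # exempt payments may total at most EUR 100
  CHALLENGE_EVERY        = 5      # every 5th transaction needs 3D Secure
  def initialize
    reset
  end

  # Returns [decision, reason] for one card payment and updates the counters.
  def evaluate(amount_cents)
    valid = amount_cents.is_a?(Integer) && amount_cents.positive?
    raise ArgumentError, "amount must be a positive integer number of cents" unless valid

    reason =
      if amount_cents >= LOW_VALUE_LIMIT_CENTS
        :not_low_value
      elsif @exempt_count + 1 >= CHALLENGE_EVERY
        :fifth_transaction
      elsif @exempt_total_cents + amount_cents > CUMULATIVE_LIMIT_CENTS
        :cumulative_over_limit
      end

    if reason
      reset # assumption: counters restart once the customer has authenticated
      [:sca_required, reason]
    else
      @exempt_count += 1
      @exempt_total_cents += amount_cents
      [:exempt, :low_value]
    end
  end

  private
  def reset
    @exempt_count = 0
    @exempt_total_cents = 0
  end
end

# Runs a constructed sequence of payments (in cents) through a fresh tracker.
def simulate(amounts_cents)
  tracker = LowValueExemptionTracker.new
  amounts_cents.map { |amount| tracker.evaluate(amount) }
end

# Constructed samples: five EUR 5 payments, then four EUR 29 payments.
p simulate([500] * 5)
p simulate([2900] * 4)
```

Four €29 payments hit the €100 cumulative limit before the fifth-transaction rule applies, so a checkout flow has to handle a 3D Secure challenge on any payment, not only on large ones.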
The responsibility for implementing Strong Customer Authentication falls on banks and card issuing companies. Therefore, payments that fail to meet SCA requirements will be declined by the customers’ banks. Retailers who do not adhere to this regulation might simply lose revenue and customers who, after a few failed payment attempts, will most probably go to the competition.
To make sure that your ecommerce store is ready for the final SCA deadline, check whether the payment methods in your store support 3D Secure. You might need to contact your payment provider to see what (if any) work you need to do to support Strong Customer Authentication.
Spree Gateway supports Stripe SCA
We’re happy to announce that Stripe SCA support was added to Spree Gateway. If you’re using Stripe and want your Spree store to be SCA compliant, update the spree_gateway gem to version 3.9.0 and set the intents preference for the Stripe Elements payment gateway to true. And that’s it!
In February 2020, 3DS 2.0 support was released for the Braintree v.zero extension (version 3.5.0) for Spree Commerce.