Strong Customer Authentication and How It Could Impact Your Business

Written by on 29th July 2019

Consumers around the globe increasingly embrace e-commerce due to the speed, ease, and convenience of shopping online. 

However, these benefits come at a cost.

As a merchant, for example, it’s very difficult to verify the identity of shoppers you’ll never meet face to face. This makes e-commerce prone to abuse. In fact, direct losses from online payment fraud are expected to reach $48 billion by 2023, with many experts believing the trend will only get worse.

To address this growing problem, the EU is introducing a new security feature under its revised Payment Services Directive (PSD2). Known as Strong Customer Authentication (SCA), the goal of this fraud management measure is to make online shopping more secure for consumers and merchants alike.

Strong Customer Authentication launched in April 2019 — with enrollment being 100% voluntary for e-commerce vendors worldwide. Yet on Sept. 14, 2019, it will become mandatory for a range of online transactions in which both the merchant’s and customer’s banks reside in the European Economic Area (EEA).

This article explores what Strong Customer Authentication is and how this security feature might impact your business.

How Does Strong Customer Authentication Work?

Most online purchases require that users provide their credit card numbers — including: 

  • Expiration dates
  • CVV codes
  • Billing addresses

However, it’s relatively easy for criminals to get their hands on all of these data points — especially since most of this information is already printed directly on each user’s credit card.

Strong Customer Authentication addresses this security gap by requiring that users provide multiple forms of “identity” in order to initiate new purchases. Also known as multi-factor authentication, the SCA guidelines stipulate that online shoppers should provide two or more of the following.

Something they:

  • Know — e.g., a password or PIN
  • Have — e.g., a mobile device or hardware token
  • Are — e.g., facial recognition or a fingerprint

The thinking goes that while hackers may be able to guess a user’s password or PIN, it’s very unlikely that they’ll have direct access to multiple forms of authentication at the same time.

To Whom Does Strong Customer Authentication Apply?

SCA will officially apply to customer-initiated online payments in which both the merchant and cardholder’s bank reside in the EEA. This includes most types of card-based purchases and nearly all bank transfers within the designated zone.

However, there exists a range of exemptions for Strong Customer Authentication, including:

  • Fixed-amount subscriptions. The first purchase may be subject to SCA, but not subsequent payments.
  • Recurring billing — even if the amount changes each time. These are considered “merchant-initiated” purchases.
  • Low-value transactions under 30 euros.
  • Mail order and telephone order (MOTO) transactions. Because these are not considered “electronic” purchases, they fall outside SCA guidelines.

In addition, it’s possible for customers to “whitelist” certain merchants and place them in a directory of trusted beneficiaries.

How Will Strong Customer Authentication Impact Your Business?

The entire goal of Strong Customer Authentication is to reduce fraud and make online shopping more secure. Even if you don’t operate within the European Economic Area, there are compelling reasons to implement SCA within your business.

Many EU cards already leverage 3-D Secure — a type of multi-factor authentication in which customers must provide a secondary password or PIN when trying to complete an online purchase. 

The problem is that this additional step adds friction to the sales process, leading to higher checkout cart abandonment and lower conversions.

3-D Secure 2.0 seeks to mitigate this by analyzing 100-plus data points during each online purchase to verify the cardholder’s authenticity. Banks and payment processors might look at the customer’s device, location, payment history and shopping preferences when developing a real-time profile of the user during the checkout process:

  • If the sale looks legitimate, the transaction goes through with no additional input required from the customer.
  • If the sale looks suspicious, the user may be asked to provide additional verification in the form of passwords, PINs, or a one-time code sent to his or her mobile device.

3-D Secure 2.0 is essentially a more hands-off multi-factor authentication approach that maximizes the security benefits of Strong Customer Authentication while simultaneously providing end users with a more seamless shopping experience.

Strong Customer Authentication becomes mandatory for all EU merchants in September 2019. If you operate primarily in the U.S., these regulatory changes probably won’t impact you directly.

Multi-factor authentication is already a well-established best practice in payment security. There is plenty of incentive for you to update your payment environment accordingly.

Here’s why.

Regardless of geography, those merchants that don’t implement some version of SCA, 3-D Secure or multi-factor authentication likely face the risk of payment fraud as criminals increasingly go after the lowest-hanging fruit.


Author bio: Kristen Gramigna is a Senior VP on the Digital Marketing Team for First Data Merchant Services, a global leader in payment technology and commerce solutions. She brings 25 years of experience in the bankcard industry in direct sales, sales management, and marketing.