Stripe-commissioned report projects that Europe’s online economy risks losing €57 billion when SCA goes into effect on 14 September.

By Christian F. McDermott

A recent report released by 451 Research and commissioned by Stripe, the online payment processing business, has found poor levels of readiness for the requirements of Strong Customer Authentication (SCA). The report projects that European businesses stand to lose €57 billion in economic activity in the first 12 months after SCA takes effect on 14 September 2019.

Background

The revised Payment Services Directive (EU) 2015/2366 (PSD2) introduced SCA as a means to help achieve the overall aim of “ensuring that all payment services offered electronically are carried out in a secure manner, [by] adopting technologies able to guarantee the safe authentication of the user and … reduc[ing], to the maximum extent possible, the risk of fraud.”[1]

Authentication is a broad term encompassing any procedure that allows a payment service provider (PSP) to verify the identity of a payment service user or the validity of the use of a specific payment instrument. In order to qualify as “strong” for the purposes of PSD2, an authentication must be:

  1. based on the use of two or more elements, categorised as:
     a. knowledge (something only the user knows);
     b. possession (something only the user possesses); and
     c. inherence (something the user is),

     that are independent, in that the breach of one does not compromise the reliability of the others; and
  2. designed in such a way as to protect the confidentiality of the authentication data.[2]

Although PSD2 has been effective since January 2018, certain elements (including SCA) were postponed to allow the development of appropriate regulatory technical standards by the European Banking Authority (EBA).

The SCA requirement will come into force on 14 September 2019 and will, subject to various transaction-specific exemptions, apply whenever a payer either:

  1. accesses his or her payment account online;
  2. initiates an electronic payment transaction; or
  3. carries out any action through a remote channel that may imply a risk of payment fraud or other abuses.[3]

SCA Readiness

The report’s headline-grabbing finding is that European businesses stand to lose €57 billion in economic activity in the first 12 months after SCA takes effect, because added friction for customers during the checkout process will likely reduce purchase volume. While the report does not clarify how much of that figure will be attributable to SCA, it indicates that the predicted decrease in economic activity will at least in part result from “a material spike in cart abandonments as consumers quickly eschew merchants with unoptimized authentication flows.”

Patrick Collison, Stripe CEO and co-founder, reinforced this point in a recent interview at Money20/20 Europe (during which he also quoted Picasso, Bill Gates and Nietzsche), predicting that SCA will come as a “punch in the stomach for any business that has not invested considerably in making sure they are ready with the new mandates.”

This prediction is likely self-serving to some extent, given that Stripe is looking to promote its own “SCA-ready” payment application programming interfaces (APIs) and products. However, the report’s findings in relation to SCA readiness do suggest that significant disruption lies ahead. In particular, the report noted: “Just 15% of online businesses aware of SCA said they feel ‘extremely prepared’ to address the new requirements that it entails while two in five said they are prepared. Further, only one in two anticipate being SCA-compliant prior to September. Another 44% plan to cut it close, anticipating they will be ready only at the time SCA goes into effect.”[4]

Implications

In the limited time remaining before 14 September, businesses should look to understand if and how SCA will apply to their sales channels and take appropriate preparatory steps to avoid being caught in the likely storm.

 

[1] EBA Consultation Paper on the draft Regulatory Technical Standards specifying the requirements on strong customer authentication and common and secure communication under PSD2, 12 August 2016.
[2] PSD2, Article 4(30).
[3] PSD2, Article 97(1).
[4] In compiling its report, 451 Research conducted simultaneous surveys of 500 online businesses and 1,000 consumers in the UK, Germany, France, Spain, and the Netherlands.