On May 20, the UK’s Financial Conduct Authority (FCA) announced a six-month extension to the deadline for implementing Strong Customer Authentication (SCA) for online purchases.
UK merchants previously had until September 14, 2021 to comply with the SCA regulation for all e-commerce transactions. This deadline has been extended to March 14, 2022. The extension is designed to minimize disruption for merchants and consumers and takes into account the difficulties merchants have faced in preparing themselves for the September deadline.
Strong authentication is intended to enhance payment security for consumers.
On several occasions, the FCA has agreed to give firms extra time to implement strong authentication for card-based e-commerce transactions due to the COVID-19 pandemic and to help participants be as prepared as possible.
Other European countries have also announced some adjustments to deadlines. For example, in France, where the regulation was supposed to come into force on May 15, the date was postponed by four weeks. The French Banking Federation (FBF) published this news on the eve of the deadline, saying that all French banking institutions had an extra four weeks to adapt and to ensure the new rules did not have an unduly adverse effect on merchants and users.
To date, most European countries have kept to the deadline and are already SCA-compliant.
The crucial issue for e-retailers: maintaining the conversion rate
The major issue for e-retailers in the migration to SCA is maintaining or optimizing the conversion rate – the total number of authorized transactions as a proportion of purchase attempts. The measure takes into account all authentication failures, abandonments during the purchase process and refusals by anti-fraud devices. All e-merchants aim to achieve the highest conversion rate possible to maximize their sales.
From now on, with SCA, an identity verification will determine whether accounts can be accessed and transactions completed. This adds a new step to the purchase, in which buyers must meet at least two of the following three requirements:
– “Knowledge”: something that only the user knows (password, PIN code, answer to a secret question)
– “Possession”: something that only the user has (such as a mobile phone, smart card or token)
– “Inherence”: something unique to the user (fingerprint, voice or facial recognition).
Even though not all European countries have migrated to the new standard yet, all the studies currently being conducted (such as those by Ravelin and Forter) show that SCA has a negative impact on transaction conversion.
To try to reduce this negative impact on their revenue and offer their customers a frictionless experience, e-retailers can apply for an exemption from strong authentication for transactions that meet the exemption conditions defined by the second Payment Services Directive (PSD2). These include transactions of less than €30, recurring payments of the same amount, transactions to a trusted beneficiary, and transactions of up to €500 that are deemed low risk by the banks and/or the merchant.