If you’ve made efforts to keep your payments flow frictionless, you might discover a pile of sandpaper is about to land in the middle of it. The Strong Customer Authentication (SCA) requirements of the PSD2 directive are about to take effect in the fall of 2019. If you’re a company that deals with payments in Europe, this probably affects you, too.
PSD2 (no, it’s not the same as PTSD), i.e. the revised Payment Services Directive, is the payment regulation in the European Union. All member states had to adopt it on a national level by the beginning of 2018.
Phew, that went by unnoticed, you might think. Well, think again, because the cherry is still left to be added to the top. The Strong Customer Authentication regulation will come into force after an 18-month grace period in the fall of 2019.
What does SCA mean?
SCA is an authentication procedure to verify the identity of a payment service user. It has to be based on at least two elements categorized as:
Knowledge: something only the user knows, e.g. password or their dog’s birthday;
Possession: something only the user possesses, e.g. their phone;
Inherence: something the user is, e.g. their fingerprint.
The payments sector has seen a constant rise of technological innovation and online shopping. SCA is supposed to make payments safer for the European consumer. The process requires more pieces of information that only the consumer could know or have. It’s basically two-factor authentication (but in this case two is just the minimum required by the directive).
Who is affected by SCA?
SCA applies to all online transactions (with some exceptions listed below). The regulation affects the whole payments industry within the European Economic Area (EEA). If there is an online payment where the customer and the payment provider are both in the EEA, you need SCA. Some businesses from outside of Europe might be affected as well.
On a positive note, the regulation may spark innovation that improves the online shopping experience. Online merchants will start looking for payment providers who can deliver SCA-compliant payments with the least friction possible.
Benefits of carrier billing in the post-PSD2 world
The need for SCA is not universal and there are some exemptions to allow “frictionless flows” based on the size of the transaction. Smaller card payments up to €30 will go unchallenged, but every 5th payment will still need SCA (just in time to forget your password, for example). It’s also needed if the total amount of payments during 24 hours is higher than €100. For transactions above that, it depends on the fraud rates of the acquiring bank and the issuer, not the merchant.
With direct carrier billing, all transactions below €50 (and a total monthly limit of €300) don’t require SCA. Carriers may process payments of digital goods, voice-based services, e-tickets and certain charitable services. They’re not allowed to process physical goods without a license.
Currently carrier billing is most used for small-scale payments, microtransactions and subscription payments anyway. Even in the highest ARPU countries, the highest prices that merchants charge consumers rarely reach even half of the €50 limit. Not to mention average payments are just a fraction of this.
It’s good news for anyone already using carrier billing for their digital goods. Carrier billing is known for its simplicity, security and accessibility and not much will change with the implementation of SCA. Other payment methods might see a setback in their revenues after SCA due to higher friction.
If you’re concerned about the impact of SCA on your conversion and want to minimize the impact, consider adding carrier billing as an alternative payment method. To do that, [get in touch](mailto:email@example.com) and we’ll get you started.