Strong Customer Authentication

What internet businesses need to know about the new European PSD2 law

Introduction

Improving payment security and reducing fraud are key objectives of the European Union when it comes to online payments. As a result, stricter requirements for authenticating online payments are being introduced in Europe. Known as Strong Customer Authentication, these requirements are part of a broader European payments law, the second Payment Services Directive (PSD2).

Strong Customer Authentication will apply to online payments within the EU—specifically, where the customer’s card issuer and the business’s payment provider are both located in the EU.

We expect Strong Customer Authentication will have ramifications for most companies doing business online in Europe and may require significant changes to payment flows.

Strong Customer Authentication is running on a different timeline from other parts of PSD2 (many of which went into effect on January 13th, 2018), and enforcement is expected to start in September 2019. This guide helps you understand the upcoming changes. (If you’re a marketplace or a platform, we’ve written a guide on how other parts of PSD2 may specifically impact you. We’ve also written a note on the surcharge ban.)

What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is a new mandatory method of authenticating online payments (or verifying a customer’s identity before accepting an online payment) that will be introduced in Europe in 2019. In short, it requires payments to be authenticated using at least two of the following independent elements:

  1. Something that only the customer knows

    For example, a password, code, or PIN that is known only to the customer.

  2. Something that only the customer has or possesses

    For example, a card, hardware token, mobile phone, or other device that is in the customer’s possession.

  3. Something that the customer is

    For example, a biometric such as a fingerprint, facial recognition, or iris scan.

As part of SCA, the customer’s bank will generate a single-use authentication code corresponding to the amount of the payment and the business it is intended for. The customer must be informed up front of the amount and the business being paid. Transactions will also have to be monitored to detect unauthorised or fraudulent payments.

While some businesses have already chosen to build payment authentication into their existing checkout flows to reduce the likelihood of fraud using methods such as 3D Secure or Apple Pay, SCA will be required for online payments in Europe in 2019 unless an exemption applies (see below).

The SCA requirements are set out in the Regulatory Technical Standards (RTS) developed by the European Banking Authority and adopted by the European Commission. Once approved by the European Parliament and Council (likely February 2018), these rules will be enforced 18 months later (likely September 2019).

Note: Full operational details on how SCA will be implemented and enforced by the payments industry are still being fleshed out, so this guide covers the current state and information available as of January 2018.

Why authenticate?

The EU cares about authentication because online fraud is growing faster every year. Online payment fraud varies vastly by geography, but the average rate of fraud is increasing each year. In recent years, it’s grown so much that nearly 1 in 60 online transactions attempted globally are fraudulent. For businesses, it’s estimated that, when not addressed properly, fraud can cost up to 3% of their revenue. (If you’re interested, you can read more in the fraud study we published recently.)

There are many ways for online businesses to combat fraud and minimise fraudulent transactions—from using machine learning to predict and prevent fraud to manually reviewing payments—but one specific method is authentication. Authentication involves verifying a customer’s identity before accepting an online payment and it can be single-factor (such as a password), two-factor (such as a one-time authentication code along with a password), or multi-factor.

Authentication can also help businesses in other ways. For example, some authentication methods, such as 3D Secure, protect the business against fraudulent disputes or chargebacks: for payments that are successfully authenticated, liability for disputes shifts from the business to the issuer of the payment method.

Sometimes authentication is mandatory. A small but growing number of European cards already require 3D Secure for online payments due to specific card network rules or bank policies. (Stripe’s 3D Secure integration helps businesses programmatically detect these cards so that they can enable authentication for payments made with them.) Authentication is also required by law in some countries; for example, India requires two-factor authentication for cards issued by Indian banks.

Impact on conversion

It would be disingenuous not to recognize that while payment authentication reduces the likelihood of fraud, it can also introduce friction to customers’ online checkout experiences by requiring additional steps in the payment process, or redirecting them to third-party sites.

In deciding whether to include authentication in a checkout flow, businesses typically weigh the risk of payments being fraudulent against the risk of customers abandoning their purchases due to extra friction imposed by authentication. (Stripe Radar’s machine learning-based risk evaluation helps with this assessment.)

With the upcoming SCA requirements in Europe, many businesses will need to build user-friendly flows that authenticate their customers. Stripe is actively working with regulators, card networks, and issuing banks to help create tools to make SCA-compliant checkout flows as user-friendly as possible.

Preparing for Strong Customer Authentication

No immediate action is needed from online businesses on SCA since it is not required until 2019. While some of the practical details on how SCA is to be applied should become clearer over the coming months, we expect the vast majority of businesses operating in Europe will need to integrate solutions that meet SCA requirements into their online payment flows for at least some of their transactions before the end of 2019.

As we get closer to SCA coming into force, Stripe will help online businesses stay compliant, programmatically determine which payments will require SCA and which can be exempted, and work to minimise impact on both customer experience and conversion rates as much as possible.

In the meantime, we recommend implementing the authentication methods currently offered by Stripe to verify the identity of your customers for high-risk transactions. At present, Stripe’s Sources API supports a range of authentication methods which apply to different devices, payment methods, and geographies and can be integrated seamlessly into a checkout flow on desktop and mobile:

  • 3D Secure ("SecureCode" for Mastercard and "Verified by Visa" for Visa) is a popular method of authenticating online card payments, with strong adoption in Europe and Asia.
  • Apple Pay and Google Pay allow iOS or Android users to pay and authenticate in a simple mobile or desktop payment flow.
  • Local payment methods—such as SOFORT, which is available in several European countries, Bancontact in Belgium, or iDEAL in the Netherlands—rely on multi-factor authentication: customers log in with their credentials and then enter a one-time password that is sent by text message or generated in real time by software integrated into a device.

Will all payments require Strong Customer Authentication?

SCA will not always be required. To start, it will only be required for:

  • Online payments initiated by customers (payers) rather than businesses (payees). Most card payments are considered by the SCA requirements to be initiated by customers. (We are assessing whether recurring card payments, for example, those used in subscriptions, are considered to be initiated by customers or by businesses.) Credit transfers are considered to be initiated by customers and direct debits are considered to be initiated by businesses. (You can learn more in our guide to payment methods.)

  • Payments within Europe, i.e., where the customer’s card issuer and the business’s payments provider are both located in the EU. (In the case of Stripe, we provide regulated services in the EU through our UK entity.)

Exemptions to SCA

There are also a number of specific exemptions to SCA, but the ones most relevant to internet businesses are:

  1. Whitelisted Trusted Beneficiaries

    Customers will have the option to whitelist businesses they trust. These businesses would be included on a whitelist of “Trusted Beneficiaries” created by the customer and maintained by the customer’s bank. SCA is required for the customer’s first payment to the business but not for subsequent payments. SCA is also required when the customer creates, confirms, or amends the whitelist.

    There are no limitations in terms of the transaction amount, number of transactions, or period since SCA was last performed, and whitelisting applies to both card payments and credit transfers (as the rules refer to “payment transactions”, which encompasses both).

    Stripe is exploring how we can help businesses enable customers to whitelist them during a payment to make future purchases more convenient.

  2. Subscriptions

    This exemption will apply where the customer makes a series of recurring payments for the same amount to the same business. SCA is applied to the customer’s first payment to the business but not to subsequent payments.

    While subscription payments are often periodic and directed to the same business, the amount of each payment tends to vary from one period to the next and so many subscriptions businesses would not be covered by this exemption.

    Such businesses may need to look to alternatives, such as initiating payments themselves using payment methods like direct debit or, alternatively, using the “Whitelisted Trusted Beneficiaries” exemption by asking their customers to whitelist them so they can bill them for different amounts—without requiring SCA for every payment.

  3. Transactions below €30

    A payment will be exempted if it is considered a “low value transaction” on the basis that it does not exceed €30. However, SCA will be required if, since the last application of SCA to the customer, either the customer’s total payments exceed €100 or the customer has initiated more than five transactions (only the issuer of the customer’s card or payment method is capable of assessing whether these two conditions are met).

  4. Low-risk transactions

    A payment provider, like Stripe, will be allowed to make a real-time risk analysis in determining whether to apply SCA to a transaction if the payment provider’s fraud rates do not exceed the following thresholds:

    Transaction amount     Card payments    Credit transfers
    up to €100             0.13%            0.015%
    up to €250             0.06%            0.01%
    up to €500             0.01%            0.005%

    In analysing risk, Stripe would have to assess factors including abnormal spending or behaviour, previous spending patterns, and location of customer and business. (Stripe Radar already uses machine learning to perform similar assessments automatically to prevent fraud today.)

    We are exploring the possibility of assessing fraud rates on an individual business basis rather than across our entire portfolio, especially where major businesses have particularly strong fraud tools and very low fraud rates. This reflects the position European Commissioner Dombrovskis set out to the online commerce industry.

  5. Secure corporate payments

    In general, corporate or commercial cards fall within the scope of SCA. However, for corporate card payments made through so-called “dedicated payment processes or protocols”, there is an exemption where security is achieved by means other than authentication. This exemption covers corporate payments that are made with “lodged” cards (e.g., where a corporate card used for managing employee travel expenses is held directly with an online travel agent), as well as corporate payments made using virtual card numbers (which are also used in the travel sector).
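As an added illustration (not Stripe’s code and not part of the original guide), the following Python models the decision logic of exemptions 3 and 4 above: the €30 / €100 / five-transaction test and the fraud-rate tiers from the table. The counter structure, the payment type names and the reading that the current payment counts towards the cumulative limits are assumptions of this example; as the guide notes, in practice only the issuer can evaluate the cumulative conditions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Exemption 4 tiers from the guide's table: (amount ceiling in EUR, maximum
# provider fraud rate in %) per payment type.
TRA_THRESHOLDS = {
    "card": [(Decimal(100), Decimal("0.13")),
             (Decimal(250), Decimal("0.06")),
             (Decimal(500), Decimal("0.01"))],
    "credit_transfer": [(Decimal(100), Decimal("0.015")),
                        (Decimal(250), Decimal("0.01")),
                        (Decimal(500), Decimal("0.005"))],
}

@dataclass
class IssuerCounters:
    """Totals since the customer's last SCA. Constructed for this example;
    in practice only the card issuer holds and evaluates them."""
    spent_since_sca: Decimal = Decimal(0)
    count_since_sca: int = 0

def low_value_exempt(amount: Decimal, c: IssuerCounters) -> bool:
    """Exemption 3: at most EUR 30, and neither cumulative limit is breached.
    The current payment counts towards both limits (assumption: conservative reading)."""
    if amount > Decimal(30):
        return False
    if c.spent_since_sca + amount > Decimal(100):
        return False
    return c.count_since_sca + 1 <= 5

def tra_exempt(amount: Decimal, method: str, provider_fraud_rate: Decimal) -> bool:
    """Exemption 4: the lowest tier covering the amount sets the fraud-rate cap.
    Above EUR 500 no risk-analysis exemption exists."""
    for ceiling, max_rate in TRA_THRESHOLDS[method]:
        if amount <= ceiling:
            return provider_fraud_rate <= max_rate
    return False

def sca_required(amount, method, provider_fraud_rate, c) -> bool:
    """SCA is the default; it is skipped only when one modelled exemption applies."""
    return not (low_value_exempt(amount, c)
                or tra_exempt(amount, method, provider_fraud_rate))

def record(amount: Decimal, c: IssuerCounters, sca_applied: bool) -> IssuerCounters:
    """Issuer bookkeeping: SCA resets the counters, an exempted payment accumulates."""
    if sca_applied:
        return IssuerCounters()
    return IssuerCounters(c.spent_since_sca + amount, c.count_since_sca + 1)
```

The whitelist, subscription and corporate exemptions depend on state held by the issuer or on the payment channel rather than on amounts, so they are not modelled here.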

How will Strong Customer Authentication be enforced?

The new rules on SCA are likely to be effective and enforced from September 2019. Based on previous experience, this type of change may be implemented progressively by the payments industry and Stripe will be prepared if SCA is enforced earlier than September 2019 and will keep our users updated.

Enforcement could take several forms:

  • Payments may be declined

    First, as a practical matter, the banks that issue the credit, debit, or prepaid cards may decline payments that they believe require SCA. These payments would then have to be re-submitted to the customer with a request for SCA.

  • Fines may be levied

    Secondly, from a regulatory perspective, national regulators in Europe will be responsible for enforcing SCA against payment providers, like Stripe, and card issuers, and they have the power to issue fines. Depending on the location of the relevant parties, different national regulators across Europe can have a say in enforcing the rules and so we are advocating, on behalf of our users, for a consistent application of the rules in Europe.

What’s next?

Stripe has already taken a proactive approach around SCA in working directly with card issuers, regulators, and policymakers throughout Europe. We’ll continue our efforts to seek further clarity for our users on SCA over the coming months.

We’re also working closely with regulators to ensure that our existing and upcoming products protect against fraud and help our users stay compliant with PSD2 and the SCA requirements, while maintaining frictionless online payment experiences for their customers.

If you have any questions or feedback, please let us know!
