Strong Customer Authentication (SCA) – Impact on Online Merchants

by Oct 31, 2017Payments

Strong Customer Authentication (SCA) – Impact on Online Merchants


The details around the European Banking Authority (EBA’s) proposal for Strong Customer Authentication (SCA) are final and the requirements for SCA are expected to come into force by February 2019.

What is SCA and what will it mean for online merchants? Will it impact conversion? Do merchants need to do anything to prepare for SCA?

This article discusses the requirements around SCA from an online merchant’s point of view. The article summarises the key areas and actions around which online merchants should begin preparation.


What is Strong Customer Authentication (SCA)


SCA is part of an EU regulatory initiative to reduce fraud on electronic payment transactions. SCA achieves this by ensuring an appropriate level of authentication of the payer at the time of making the transaction.


How does SCA require the payer to be authenticated?


SCA requires that at least 2 out of the following 3 elements is used in authenticating the payer:

 – Something the payer knows: e.g. password

– Something the payer has: e.g. randomly generated PIN on a security device or a PIN via SMS to the payer’s mobile phone

– Something the payer is: e.g. biometric identification like fingerprints or iris scans


Will SCA cover all types of payment methods used by online merchants?


Yes, the objective of SCA is to reduce fraud on all types of payments, including credit cards, debit cards, online banking payment methods, e-wallets etc.


Who is responsible for authenticating the payer?


The responsibility rests with the acquirer / payment service provider of the merchant being paid (payee) and the issuer / payment service provider of the payment instrument. It is expected that the merchant’s PSP will initiate SCA however if they do not then the consumer’s PSP can still insist upon it.


Does an online merchant have to do anything to prepare for SCA?


The requirements for SCA should be handled by PSPs and Banks. As PSPs and Banks begin to incorporate the requirements in their offerings they should contact merchants to inform them of the coming changes. Depending on how PSPs choose to implement SCA, merchants may need to make changes to their contracts and technical integrations with their PSP.


I use 3D secure, does that not already satisfy the requirements around SCA?


Some implementations of 3D secure that involve a password and some form of token satisfy the requirements around SCA. However there are many implementations of 3D secure that require only passwords, these are not compliant with the new SCA requirements.

Also, 3D secure can not be applied to mobile in-app payments.

The card schemes (Visa, MasterCard) are working towards a new version of 3D secure that will be SCA compliant.

Even then 3D secure only covers credit cards, the requirements for SCA are for an appropriate level of authentication on all payment transactions.


Will forcing authentication not impact conversion at the payment page?


Yes, forcing authentication on the payment page is expected to have an impact on conversion. However this impact on conversion is expected to be balanced out by a reduction in fraud.

The EBA also offers a number of important exceptions under which authentication will not be required. These exceptions are further expected to help with conversion.


What are some of the main exceptions for SCA when applied to online merchants?


The main exceptions where SCA will not be required for online merchants are:

Small value transactions – transactions under EUR 30 will not require SCA. However after either 5 below EUR 30 transactions or a cumulative total of EUR 100 from the same payer to payee the next transaction will need SCA.

Where the payer is not initiating the transaction – for example recurring payments where the payee is initiating the transaction will be exempt from SCA, also direct debits by definition will be exempt.

Where the payee is trusted by the payer – this effectively means that card on file and one click payments will continue to be allowed without the need for SCA at each payment.

Where either the acquirer is not in the EEA or the payment instrument is not issued in the EEA – this means that some merchants concerned more about conversion impact than fraud might choose to work with non EEA acquirers.

Transaction Risk Analysis – the SCA rules allows acquirers and issuers to perform their own risk assessment on a transaction and choose to not apply SCA if they feel confident that the transaction is not fraudulent.

However the acquirer / issuer must stay below a regulator defined fraud limit to be able to enjoy this flexibility. If their fraud levels rise then they will be forced to perform SCA.

This means that merchants are likely to migrate to low risk and larger acquirers whose lower fraud levels will mean the acquirer will have more flexibility to not apply SCA.


What is expected to be the overall impact for online merchants?


Firstly let’s take a look at the positive impact, it’s believed that approximately $16bn was lost just to card fraud globally in 2016. The SCA aims to reduce this loss. Reduction in fraud will give consumers more confidence to transact online and should mean that e-commerce growth can continue without friction from fraud.

Merchants already using 3D secure and transacting predominantly in cards should not see any major impact. The 3D secure protocols will be modified to incorporate the SCA requirements.

Fraud which used to be monitored and regulated primarily by the payment schemes will now be monitored by the financial regulators that license PSPs and acquirers. This will give space for the emergence of new and innovative methods of payment to challenge cards with the re-assurance that these methods will not be encumbered by high levels of fraud.

Merchants transacting primarily in smaller value transactions, below EUR 30 will see little impact.

Merchants using card on file will only see an impact on the initial conversion transaction. This should see card on file and tokenisation become an almost essential and universal offering from PSPs.

Merchants working with acquirers that have higher risk merchants on their books may find value in switching to acquirers with a better blend of higher and lower risk transactions. These acquirers with lower fraud levels will have more flexibility through their lower fraud levels to not mandate SCA and so keep the conversion process friction free.

Non European domiciled merchants with substantial EU consumer traffic who set up entities in Europe purely to be able to work with a European acquirer may want to weigh any advantage offered to them by this European acquirer against the demands that will be placed by SCA.

Merchants originating in the EEA with entities outside of the EEA may want to consider internal re-organisations to be able to transact via their non EEA entity and a non EEA acquirer. The work and change required to do this should be balanced against the benefit that might be gained by being able to circumvent the SCA requirements.


What will be the impact for PSPs and Acquirers and what should they do to prepare for SCA?


First of all a clear and active communication policy towards merchants is essential. Inform existing and prospective merchants of the impending changes and what is being done to prepare for them. Reassure them that their business is important and describe how everything will be done to ensure that any impact on the merchant’s conversion is minimised.

Create a strategy and plan for being compliant with SCA. This will require cooperation and teamwork across all departments within an Acquirer / PSP. We recommend setting up a separate task force or Program reporting to the Board to ensure that everything is planned out correctly and more importantly gets done in parallel to the business running as usual.

Beef up transaction risk analysis capabilities. PSPs and Acquirers who have relied on 3D secure to keep fraud levels low and do not have either in house or outsourced risk and fraud management capabilities will need to invest quickly in setting these up. The quality of these risk management capabilities will determine the extent to which the PSP and Acquirer will need to force the application of SCA. Merchants are likely to move to those PSPs that can keep application of SCA to a minimum.

PSPs and Acquirers servicing high risk and high fraud merchants will need to weigh the higher margins earned from these merchants for the risk they carry with the impact that the resulting high levels of fraud will have on their need to apply SCA.

Global PSPs with European acquiring may want to consider setting up non EEA acquiring licenses and migrate their high risk and fraud business to these non EEA licenses.




SCA is a bold, forward thinking and far reaching initiative that will bring the responsibility for regulating e-commerce fraud to the regulators of payment and financial institutions.

It should see a reduction in fraud on EEA issued and acquired transactions which should allow electronic transactions in Europe to continue to grow without friction from fraud.

The initiative should also promote the creation of new and innovative schemes and methods of payment which can rely on an existing framework of regulation that ensures fraud is kept to a minimum.


Submit a Comment

Your email address will not be published. Required fields are marked *


Gropay provides management consulting and interim management services globally in the areas of online payments, mobile payments and point of sale POS payments. Our clients span the entire payments value chain from schemes to merchants and also include private equity investors, technology and mobile companies. The Gropay team consists of proven industry leaders with extensive experience both on the demand (merchant) and supply (Payment Service Provider, acquirer, scheme) sides with a focus on sales and business development, operations, risk, compliance, valuation and due diligence.

Visit our homepage


GDPR for Payments

GDPR for Payments GDPR is an important EU wide regulatory mandate. It provides increased protection of individual privacy and gives individuals more control over the information they share. In our view GDPR is an important element of building a scalable data centric...

read more
US Supreme Court repeal of PASPA

US Supreme Court repeal of PASPA

US Supreme Court repeal of PASPA On Monday, May 14, 2018, the Supreme Court of the United States held in the Murphy v. National Collegiate Athletic Association case that the federal Professional and Amateur Sports Protection Act (“PASPA”) violated the Tenth Amendment...

read more
Gropay’s 5 Tips For The Holiday Season!

Gropay’s 5 Tips For The Holiday Season!

GROPAY'S 5 TIPS FOR THE HOLIDAY SEASON With all the preparations for the holiday, last week deadlines, the multitude of drinks, parties, last minute shopping as well as high expectations from family and friends, it is easy to get lost in this busy time before the...

read more
Is the future of payments happening in India now?

Is the future of payments happening in India now?

India Makes Important Advances in Biometric Payments In India it’s already possible for a consumer to authorise and authenticate a payment with their fingerprint or iris scan. As a largely cash based economy India has leapfrogged the use of Cards and Smart Phones for...

read more
How Do Bitcoins Impact Online Merchants?

How Do Bitcoins Impact Online Merchants?

How do bitcoins impact online merchants? There’s a lot that has been said and written about bitcoins. They are the talk of the town these days. Undoubtedly bitcoins and related distributed ledger technologies will have a lasting impact on payments and financial...

read more
PSD2 What Will Really Change?

PSD2 What Will Really Change?

PSD2 What Will Really Change? There has been a lot written about the PSD2 and rightly so, it is important regulation soon to be enacted into legislation that will bring significant innovation and change to electronic payments. But what will actually change in the day...

read more
SafeCharge Three Years After IPO

SafeCharge Three Years After IPO

SafeCharge 3 Years After IPO In this post we look at SafeCharge, a medium sized payment processor and recently formed acquirer. We look at the following items; history, the IPO, recent performance, drivers of growth so far, recent strategic moves and execution...

read more
PSD2 What Will Really Change?

The Stamina Of Clinton Or Trump?

The Stamina of Clinton Or Trump There have been lot of comments made by presidential candidate Donald Trump triggering a lot of media attention and public debates recently. Not the most notorious comment, but still one that made me pause in the work I was doing....

read more
PSD2 What Will Really Change?

GDPR – Data Protection Gets Serious

GDPR - Data Protection Gets Serious On 14 April 2016, the EU Parliament adopted the long awaited General Data Protection Regulation (GDPR) The GDPR will have considerable impact on all companies that provide goods or services to Europe, regardless of the company’s...

read more
PSD2 What Will Really Change?

Authentication – Payer! Reveal Thyself

Authentication - Payer! Reveal Thyself EPC releases results of latest consultations for e-mandate today: what does this mean for authentication and your online business? Earlier today, 5 April 2016, the European Payments Council (EPC) announced the launch of the...

read more
PSD2 What Will Really Change?

Fantasy Sports – It’s All A Fantasy

Fantasy Sports - It's All A Fantasy Fantasy Sports continue to gain popularity California recently introduced a bill to allow online sports betting. The motivation of this bill is believed to be the increasing popularity of fantasy sports. Although, the bill has yet...

read more
PSD2 What Will Really Change?

Cash – Kicking The Habit

Cash - Kicking The Habit There was an interesting article in The Economist recently about strikes on the London Underground (Tube). Such strikes are commonly believed to have a short term net cost to the economy. However the article quoted a study by Oxford and...

read more
PSD2 What Will Really Change?

Data Protection – To Russia With Love

Data Protection - To Russia With Love Data Protection Russia Russia’s new data protection law came into effect on the 1st of September 2015. It’s now required by law to store personal details of Russian citizens on servers physically located in Russia. Copies of the...

read more

Dressing For Work – Looking The Part

I had a manager once who was a real mover and shaker in HR, brilliant in strategy and amazing to work with. Although visionary in his business outlook, there were some basic things that could really set him off when meeting new people: things like scruffy shoes. You...

read more

Tattoos – Ink At Work

Are Tattoos ever OK at work? I was HR Director at a large organization when I suddenly completely got caught by a curb ball thrown by one of my main stakeholders. “What is our HR policy on tattoos?”  I had to take a two second pause before responding with a gigantic...

read more

Wirecard’s $9 Billion Bid For Worldpay

Wirecard with a market value of $ 5.2 billion made a $9 billion bid for Worldpay. Is this a serious bid? What will Wirecard do with Worldpay? Wirecard has extensive experience with M&A and also in acquiring companies larger than itself and making it a success; as...

read more

Changing Jobs – Stay Or Go?

Changing jobs - How long should you stay in your current job? In this day and age, most employees are not even aware that organisations used to have tenure incentives like a fancy watch, a toaster or at least a bunch of flowers when you reached your 20 or 25 years of...

read more

Distracted Living – A Simple Life

Distracted Living Psychology Today published an interesting blog on distracted living. Distracted living is where you miss out on much of your life because you generally aren’t paying attention, or your attention is so torn in many directions that your really do not...

read more

Is Visa Worried About Paypal?

Is Visa worried about Paypal? Visa recently published a report on Visa Checkout in which they stated that Visa Checkout delivers 17% better conversion than Paypal. One of the interesting points about this report is that Visa considers Paypal as enough of a threat to...

read more

Mergers And Acquisitions

How do I deal with my company going through a merger or acquisition? Working in the payments sector? There is a big chance that your company is engaged in a merger, is taking over another company or is about to become an acquisition. 2014 was a big year for payments...

read more


Pin It on Pinterest