This week, the European Banking Authority (EBA) extended the deadline for Strong Customer Authentication (SCA) to Dec. 31, 2020. The news follows an earlier extension announced by the EBA in June 2019 that ensured companies would be given “limited” additional time.
Why the delay?
Only 75 percent of issuers said they were prepared to make the jump as of the original Sept. 14, 2019 deadline. Furthermore, according to the latest edition of PYMNTS’ PSD2 Tracker, only 40 percent of merchants operating in the European Union that are aware of SCA reported being ready by that date.
The new SCA Impact Playbook explores how subscription-based merchants can prepare for SCA and manage conversion, churn and card-based risk.
The Three Cs: Conversion, Churn and Card-Based Risk
Merchants should familiarize themselves with which recurring payment options are available and the payment pathways through payment service providers (PSPs), acquirers, financial institutions and settlement.
The recurring payments exemption means subscriptions can help not only avoid SCA frictions, but also offer a compelling revenue model in their own right.
Ensuring SCA compliance should be part of a larger effort to determine that a payments strategy is secure, cost-effective and satisfies user expectations for convenience and trust.
The technical requirements of complying with SCA will fall to PSPs. Merchants that do not provide their PSPs with necessary information regarding subscription accounts, or those whose PSPs are unprepared for the regulations, may still see payments ensnared in the SCA net.
What the Extension Means
Many are cautioning against letting their guard down, while others see it as an opportunity.
In a recent interview with PYMNTS, Duncan Barrigan, vice president of product at GoCardless, discussed why the extension is an opportunity for merchants, especially those in the subscription commerce space.
He emphasized that the delay is not a break. It’s a chance to review payments strategies. “Obviously, that strategy is different for each payments provider and merchant. You want to ensure that you are not going to be the one with the most friction,” he said.
In a separate interview with PYMNTS, Mari Anne Bayliss, director of EMEA solutions management and strategy at CyberSource, said a phased supervisory period presents an opportunity for stakeholders to make sure they are technologically and operationally prepared to roll out the best possible version of technology that supports SCA.
For merchants, that means getting an early read on regulatory requirements in the regions where they plan to operate and developing a plan with their acquirers and payment gateways on managing the emerging landscape.
The goal is for merchants to think about how they will manage the SCA transition, and to develop a fraud and exemption strategy. That might mean working with existing fraud tools or building additional tools.
Friction So Far
While SCA has the potential to reduce fraud in Europe’s eCommerce ecosystem, it could also lead to a decline in conversion, which has been a well-documented accompaniment to enhanced online security. Customers may abandon orders because of the hassle of not having payments process in a timely manner.
For subscription-based businesses, this risk is especially acute because failed payment could mean not just losing out on a one-time purchase, but on customer relationships that could have lasted years. SCA-associated conversion losses could range from 10 percent to 33 percent, by some estimates. For subscription and recurring payment services in Europe, a market valued at close to $400 billion, this represents a substantial impact.
Peter Robinson, payments advisor at EuroCommerce — a consortium of retailers from 31 European countries — gave an even grimmer estimate in a recent interview with PYMNTS. He says more than one-third of merchants’ online payments could fail due to lack of compliance.
Yet, according to analysis from Barclaycard, the impact — at least initially — wasn’t as detrimental as many feared. In fact, conversion rates were barely affected in the first two days.
Subscriptions’ Special Case
Recurring subscription payments are theoretically shielded from repeated authentication under SCA’s merchant-initiated transaction (MIT) exemption. It is still incumbent on merchants to provide evidence to their payment service providers (PSPs) that payments qualify as MITs, though.
Adobe’s head of payments and partner products, Andy Barker, believes that many enterprises have been complacent ahead of SCA. “Like everything associated with payments, the regulatory bodies give ample time and then everyone runs around with their heads cut off days before everything lays into actual law,” he said.
Creative app suite provider Adobe has been a key player in the shift toward a platform economy. In 2018, Adobe acquired eCommerce platform Magento, an “on-premise” application that enables a range of payment options and models, including recurring billing.
Adobe used the regulation’s onset to ensure its payment integrations were SCA-compliant through 3D Secure 2.0, but initial payments in a recurring billing model still require authentication under SCA.
Successful online enterprises and platforms must adopt a range of payment strategies and adapt them over time in response to market conditions and demand. This is largely why the EBA faced pushback ahead of the Sept. 14 deadline it had originally set for SCA compliance.
Barker advised companies to become compliant sooner and not later. “PSD2 is the law, and they’re not going to get rid of it,” he said.