Brought to you by
gocardless blue

GoCardless helps businesses accept Direct Debit payments.

What the new PSD2 law means for subscription businesses

28th Jan 2019

In September 2019, Strong Customer Authentication (SCA), a new regulation for authenticating online payments, will be rolled out across Europe.

What is SCA?

SCA is a new regulation that will come into force on 14 September 2019 for authenticating online payments as part of the Second Payment Services Directive (PSD2). One of the key aims of SCA is to reduce the incidence of payer fraud and increase security by introducing two-factor authentication on electronic payments.

What transactions will be affected by SCA?

SCA will affect any businesses offering online access to payment accounts in Europe, or taking electronic payments, where the payment is initiated by the payer. Single electronic payment transactions will need to be authenticated by asking for at least two of these three things:

  • Something only the user knows, such as a password
  • Something only the user possesses, such as a token or mobile phone
  • Something the user is, such as a biometric element (e.g. fingerprint recognition)

According to Mastercard, just 1-2% of UK online transactions currently require cardholder authentication, a percentage that is set to rise to up to 25% from this autumn.

SCA will also apply to some contactless transactions, as a periodic check to ensure the card is being used by its rightful owner.

How will SCA affect subscription businesses?

For businesses taking recurring payments by card, SCA will apply at least to the initial setup of the Continuous Payment Authority for the recurring card transaction.

“Come September, subscription businesses taking card payments will find that new customers must go through additional SCA authentication steps in order to complete the first payment,” said Ahmed Badr, GoCardless general counsel.

“There is some debate as to whether SCA will apply every time the card is then charged – current guidance from the UK Financial Conduct Authority suggests it won’t, although it remains to be seen how other EU regulators approach this.”

In most cases it will be the payer’s bank that facilitates the authentication, with the payer’s payment service provider facilitating the additional steps in the payment journey. Where this is not the case, payment service providers affected by the regulation (e.g. card providers) will be expected to provide the authentication mechanisms themselves.

The impact on business

Fraud is a serious problem that affected almost five million people in the UK last year, according to Compare the Market. Since e-commerce is still growing, it is very positive to see initiatives to increase security.

Additionally, SCA is likely to impact costs and conversion for businesses: “Businesses are likely to see fewer customer chargebacks, and therefore potentially a reduction in operating costs. Though they could see cost increases elsewhere,” said Duncan Barrigan, GoCardless’ VP, Product.

“For example, if we see a liability shift, where the payer’s service provider is liable for fraud and chargeback costs, we could feasibly see increased fees as a result.”

Many businesses are concerned that the additional payment authentication steps brought by SCA could be a conversion killer. According to Barrigan, businesses taking payments online need to balance their offering between risk and conversion.

What SCA means for GoCardless

SCA does not currently apply to Direct Debit payments through GoCardless as they are initiated by the payee and payment mandates are set up without the payer directly interacting with their bank.

However, we continue to take security and fraud prevention seriously. GoCardless’ Risk and Product teams are committed to getting the balance between conversion and security right for our customers.

“At GoCardless, we’re working on a payment experience that will enable our customers to benefit from these advances whilst being able to adjust their risk appetite, to suit their business needs,” said Barrigan. “Finding a way to reduce risk intelligently with the smallest possible negative impact on conversion rates is the best pay off for everyone involved.”

For more information on SCA, see our FAQs.
