Are You Ready for Two-Factor Authentication?

On 14 September 2019, a new European regulatory requirement will come into force to reduce fraud and make online payments more secure. The new rules stipulate that all online payments must meet the requirements of Strong Customer Authentication.

Strong Customer Authentication (SCA) – also called two-factor authentication – means that at least two factors must be used to approve a payment. The two factors must be something the payer knows (e.g. PIN), something the payer is (e.g. fingerprint), or something the payer has (e.g. card/phone).

Starting 14th September 2019, banks will decline payments that require SCA and do not meet these criteria. 

It's not brand new

You already know it from physical commerce today, when you pay with a chip card (something you have) and a PIN (something you know). The exception is contactless payment for low-value transactions (less than €50).

And you probably already know Strong Customer Authentication from some online stores where you receive a code via text message on your mobile, which must be entered before a payment can be made.

So what will be different?

After September 2019, authentication will become the new default and cannot be bypassed unless one of these exemptions applies:

  • Low-value exemption below €30
  • Recurring payment exemption (such as subscriptions and membership fees)
  • Whitelisting (or trusted beneficiary)

Therefore, the customer's payment journey may look a little different than it used to. However, Sage Pay expect that only 5% to 10% of authentications will result in the cardholder having to be re-directed to their bank’s 3D Secure page (sometimes known as Verified by Visa, Mastercard SecureCode or Amex SafeKey) to enter 2FA (challenge authentication). The majority of the authentication requests will result in a frictionless authentication, where the cardholder is not re-directed to their bank’s 3D Secure page to enter 2FA.

Will my sales be affected by the two-factor authentication?

The first time your customer encounters 3D Secure, they must register their mobile number and confirm with a password. That can take away the shopping mood from all of us!

So you will probably find that there is a slowdown in sales among your customers' first-time sessions.

Some of the online stores that already use two-factor authentication have experienced a drop in sales, and customers may have tried to find the same product on another online store with fewer barriers. The good thing here is that the requirement for two-factor authentication applies to ALL non-physical payments in the EU. So it's not going to be easier to shop with the competitor.

Make it easy for your customers

Fortunately, we have many other payment systems to resort to, such as PayPal, Apple Pay, Google Pay, Monzo, Starling, Venmo, Pingit, etc.

More payments will probably move to some of these platforms if customers cannot be bothered to familiarise themselves with the new two-factor approval. And since a lot of consumers already have the apps installed and trust them, they would seem like an easier check-out.

What else can I do to help my customers?

I recommend these two concrete steps if you want to be as ready as possible for the new regulation on 14th September:

1. Be prepared: Make sure your online store offers one or more mobile payment options. With Apple Pay, Google Pay, PayPal, etc., you should provide the most popular payment options your audience expects.

2. Inform them about what will happen: Take your customers by the hand and help them through check-out. Make sure they realise that a click on ‘go to payment’ requires two-factor authentication for their own safety, and that it takes less than two minutes the first time. You should also tell them that it is an EU requirement that they will encounter everywhere (read: ‘All the others do it too!’).

Two-factor authentication is likely to affect your sales in the beginning, but not in the long run. The changes apply not only to you but also to all your competitors. Multiple payments will likely move to known and trustworthy mobile payment apps.