Strong Customer Authentication (SCA) is the new buzz phrase among online businesses, with new e-commerce rules due to come into force this September (2019).

Last year, businesses were concerned with GDPR rules and regulations, but “if you thought the impact of GDPR was bad, wait until you see what SCA does for e-commerce after September,” warns Denis Finnegan, Digital Director of Grofuse.

September 14th is D-Day for Strong Customer Authentication (SCA). This marks a change from the one-click consumer online shopping experience to a mandatory two-step authentication process.

The changes are part of the Revised Payment Services Directive (PSD2) published in 2018 and are designed to protect consumers and businesses against fraud. The new EU directive means that any online purchase over €30 will require added authentication.

What does PSD2 mean for business?

The two-factor authentication process adds another layer of protection against fraud for both consumers and businesses, but it also complicates the shopping experience for the consumer, which could have an adverse impact on online sales.

Under SCA rules, companies will now have to verify a customer’s identity using two out of three possible means. The first is something only the customer knows, such as a password or PIN. The second is something the customer has, such as a smartphone or hardware token. The third is something the customer is, identified through fingerprint or facial recognition.

“The challenge is to make the process as smooth and painless for the customer as possible, so that there are fewer abandoned carts in the online shopping experience,” explains Denis.

“Any online business worried about dropping online sales and conversion rates once the new regulations are added, should ideally carry out an audit or review of the website. At Grofuse, we build compliance into our websites while considering all of the factors involved in growing sales. Abandoned carts could be down to frustration on payment verification by the consumer or a slow website. What we do is check the whole system to make it easier for the customer because it’s well proven that offering a simple online shopping process increases sales,” adds Denis.

Do the new regulations apply to you?

Any business completing online transactions or sales over €30 will have to make sure it has Strong Customer Authentication (SCA) in place. This applies if your business is based in the EU, and also if your business is based outside the EU and the consumer is within the EU.

“Come September any online business, large or small, will have to comply with the SCA rules or risk being banned by third-party hosting groups, or online payment companies such as Stripe or PayPal,” explains Denis.

How to make sure your business is online ready?

If you need to implement a two-factor authentication (2FA) process, the first step should be to contact your e-commerce provider or payment supplier.

“A number of solutions exist but it’s important that each retailer explores the options to ensure they employ the best fit for their offering and their specific user experience,” Denis explains.

Adding 2FA to your platform

To ensure compliance you must add two-factor authentication to your e-commerce platform. This adds an additional layer of security to the authentication process by making it harder for attackers to gain access to a person’s devices or online accounts. “This ensures, even if they know the victim’s password, that it still is not enough to pass the authentication check,” Denis explains.
There are a number of methods available to add two-factor authentication to your platform.

1 SMS Text
This method involves sending the purchaser a 5-10 digit code by text message, which must then be entered on the platform to prove the user is who they say they are. Many of you will be familiar with this, as some banking institutions already employ similar features for online transactions. It is easy to set up and very user friendly, as we all have our mobile phones close by.

2 Email
Similar to the SMS text facility, a code is emailed directly to you. This is easy to set up. However, email is at risk of being hacked, and customers may not have easy access to email, which may prevent them from completing the purchase.

3 Fingerprint or Retina
This facility will allow you to use your smartphone to prove that you are who you say you are.
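
As an added illustration (not part of the original article and not Grofuse's or any payment provider's code), the Python below shows how the one-time code behind the SMS and email methods can be issued and checked on the server. The 6-digit length, five-minute lifetime, three-attempt limit and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values, not taken from the article or any provider.
CODE_DIGITS = 6          # within the 5-10 digit range described above
CODE_TTL_SECONDS = 300   # code expires five minutes after it is sent
MAX_ATTEMPTS = 3         # wrong guesses allowed before the code is locked


def _digest(salt, code):
    return hashlib.sha256(salt + code.encode("utf-8")).digest()


def issue_code(now=None):
    """Create a code to send by SMS/email plus the state the server keeps."""
    now = time.time() if now is None else now
    # secrets (CSPRNG) rather than random: the code must not be predictable.
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    salt = secrets.token_bytes(16)
    state = {
        "salt": salt,
        "digest": _digest(salt, code),  # the code itself is not stored
        "expires_at": now + CODE_TTL_SECONDS,
        "attempts_left": MAX_ATTEMPTS,
        "used": False,
    }
    return code, state


def verify_code(state, submitted, now=None):
    """Return 'ok', 'wrong', 'expired', 'locked' or 'used'."""
    now = time.time() if now is None else now
    if state["used"]:
        return "used"                   # single use: no replay of a seen code
    if state["attempts_left"] <= 0:
        return "locked"                 # stops guessing through the code space
    if now > state["expires_at"]:
        return "expired"
    state["attempts_left"] -= 1
    # Constant-time comparison avoids leaking how much of the digest matched.
    if hmac.compare_digest(_digest(state["salt"], submitted), state["digest"]):
        state["used"] = True
        return "ok"
    return "locked" if state["attempts_left"] == 0 else "wrong"
```

The expiry, attempt limit and single-use flag matter as much as the code itself: a short numeric code is only a meaningful second factor if it cannot be guessed repeatedly or replayed later.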


Denis adds: “Whichever method you go with, ask your developer first as they can determine which feature works best with your payment provider.

“As more companies will need to set up their two-factor authentication, it’s likely that payment providers will build these options into their settings which will save you on additional development costs.”
