Online merchants need to gear up for carrying out stricter customer ID checks

The EU’s Strong Customer Authentication rules are being introduced to tackle fraud and increase security.

By Jonathan Keane Reporter, Fora

ONLINE MERCHANTS WILL face a major change in how they process transactions later this year when new customer authentication rules come into effect.

Strong Customer Authentication (SCA) has been designed to reduce fraud and will require a customer to be authenticated with two methods of verification.

It is the latest tranche of changes introduced by the EU’s second Payment Services Directive (PSD2) – a sweeping set of rules that are gradually altering financial services for the digital age.

SCA introduces new requirements on merchants, banks and payment processors to implement stronger verification checks before a transaction – within the European Economic Area (EEA) – can be completed.

Customers can use two of three types of verification. These are defined as something you know (such as a password), something you own (smartphone, payment card) and something you are (biometrics like a fingerprint).

SCA comes into force on 14 September this year and affects many kinds of online payments, mostly those that are initiated by the customer.

Stripe, the fintech giant founded by Irish brothers Patrick and John Collison, has taken a multi-pronged approach to help merchants understand the requirements and to help banks implement authentication technology.

“As it stands non-compliant transactions will simply be declined after 14 September. Merchants shouldn’t hope for a grace period,” Iain McDougall, the growth lead for Stripe in Britain and Ireland, said.

Stripe recently acquired Dublin startup Touchtech Payments as part of its strategy for complying with SCA.

Touchtech develops tools that can help banks to verify users through their device and with biometric data.

The biggest change could hit software-as-a-service (SaaS) companies that charge monthly subscriptions or businesses taking recurring payments.

Stripe, which has an engineering hub in Dublin, has also launched its Billing product in Europe, a suite of tools for managing subscription payments and VAT.

According to the company, Billing helps subscription-based businesses automatically track what transactions fall under the remit of SCA and alerts customers if further ID checks are needed.


On the bank front, KBC has had two-factor authentication in place in its products for some time, but Kelvin Gillen, the bank’s director of transformation and innovation in Ireland, admits that the new rules may introduce some friction in the transaction process.

“I think the ironic thing is that because we have two-factor authentication, particularly within the online world, the user experience has been less than what we would like it to be when you compare it to the other banks because they operate in a single factor world,” Gillen said.

He said he expects that more and more companies will find themselves in this situation of balancing convenience with security.

There are some exemptions to SCA, though. Individual card transactions below €30 don’t fall into the net, so quick purchases should flow normally, but customers will start to notice changes eventually as merchants wise up.

A survey by Mastercard, published in December 2018, claimed that 75% of online merchants in Europe were largely unaware of the rules.

Sarah Cunningham, Mastercard’s tech hub lead in Dublin, said that “with PSD2 and the need for stronger customer identification, our identity check product is going to be seen a lot more”.

“The key is to make it frictionless. We very much focus on offering customers and merchants choice and making it frictionless,” she said.


Part of reducing this friction will mean providing more variety to consumers for the authentication method that they prefer.

“Always pick the biometric that works for your environment. If you’re in a very noisy environment, voice recognition isn’t ideal,” Cunningham said.

Stripe’s McDougall said that authentication methods can’t use a one-size-fits-all approach.

“We have to keep in mind payments are very cultural – people in different countries and different companies have different habits,” he said.

“For merchants the goal is not just to be compliant with the new regulations, but to offer the largest variety of payment methods to suit potential customers,” McDougall said.

KBC’s Gillen added that facial recognition in banking hasn’t taken off in Ireland yet but KBC is testing it in other markets first before deploying it across the entire customer base.

“We don’t have sufficient scale in Ireland to build everything here ourselves,” he said.

Gillen added that the impending rule changes are still the subject of a lot of chatter among industry folks as they figure out their best strategies.

“It’s also my experience in banking that there’s normally quite a bit of uncertainty around things until quite late in the day and then things can get evolved quite quickly,” he said.
