After the GDPR comes the SCA - and this is what online retailers need to know now

After the GDPR comes the SCA - and this is what online retailers need to know now
Published on: May 26, 2019
Updated: Aug 19, 2022

As if the introduction of the GDPR, the new Packaging Act and the Geoblocking Regulation weren't enough, online retailers will soon face a new challenge.

The SCA (Strong Customer Authentication) requirements will apply to all online payments in Europe from September 14. And merchants should start preparing for this now.

SCA (Strong Customer Authentication)

So what does this actually mean exactly?

[tooltip title="SCA" color="blue"]Strong Customer Authentication is designed to make online payments more secure. The new policy requires an additional level of authentication for online payments starting in the fall. [/tooltip]

What does that mean? If a customer wants to book a flight, the credit card number will no longer be sufficient when the regulation comes into force. Another of the three existing categories now comes into play. The online merchant must request this from the customer. Which categories are explicitly meant by this?

Category 1: Knowledge

This includes, for example, a password created by the customer or transmitted to the customer. Furthermore, this factor can also represent a pin that the customer must provide in addition to the payment authentication.

Category 2: Have

This includes, for example, a token, which is a hardware component that can be used to identify the customer. A smartphone can also belong to this category.

Category 3: Being

This category includes, for example, biometric characteristics of the customer, such as a fingerprint or specific facial features.

Why the SCA is being introduced

The reason for introducing the new regulation is to protect consumers from online fraud. The more powerful and bigger online commerce becomes, the more fraudsters try their luck online. The number of cybercrime cases recorded by the police amounted to about 86,000 in 2017. That's an increase of about 52,000 in 10 years.

Image Recorded cybercrime cases increased from about 34,000 (2007) to about 86,000 (2017). (Source: Statista/Federal Criminal Police Office)

What the SCA means for online retailers

The introduction of stricter payment authentication can cost online merchants a lot. Not only will merchants have to shell out a larger sum to upgrade. Additionally, failed payment attempts can have a negative impact on the online store's conversion rate. Online merchants must also note that SCA is not necessary for every online transaction. Electronic remote payments are exempt from the new regulation if the amount does not exceed 30 euros.

How online merchants can prepare

Unfortunately, the number of businesses that have even heard about the change or the regulation coming into effect in September by this point is very small. Only about 25 percent know that the regulation will go into effect on September 14. For this reason, just as with the introduction of the GDPR, hectic and unprepared online retailers must be expected.


So preparation pays off here again. Online retailers should already start dealing with the new changes that the SCA will bring. In this way, stress and possible loss of sales can be avoided. Those who are smart and do not wait until the last printer to implement the changes can face the new regulation in the fall quite relaxed.

Written by


Create new reasons for people to love your brand. Build standout post-sales experiences tailored to your customers. Deliver personalized touch points that grab attention and spark loyalty.

Read more from parcelLab
More from the category Research