Strong customer authentication-91.5 billion € turnover at risk

A guest contribution from CMSPI

After a crisis-ridden year for European retailers, January 1, 2021 stands like a sword of Damocles over e-commerce. According to CMSPI, an independent payment consultancy up to €91.5 billion sales in Europe at risk, €9.1 billion of which in Germany. A mandate designed to reduce credit and debit card fraud can have a devastating effect on trade if action is not taken quickly – ironically, almost a hundred times the annual amount of card fraud. This figure excludes transactions made with digital wallets such as Apple Pay or PayPal, which have their own SCA-compliant solutions that cause significantly less friction at the checkout.

Strong customer authentication - €91.5 billion turnover at risk in Europe
Over $91 billion in sales are at risk across Europe, according to the CMSPI

Strong customer authentication

Starting in January, numerous issuing banks will have to fulfill the mandate for strong client authentication. This is an EU banking regulation designed to make online payments more secure. The technology used for this is 3D-Secure Version 2.X, an authentication protocol developed by the dominant card systems, which merchants wishing to accept online card payments must support.

The customer must identify himself by two of three identification methods – knowledge (e.g. PIN, password), inherence (e.g. face ID, fingerprint) or possession (e.g. mobile phone) – in order for the transaction to be authenticated.

Consumers associate faults with the retailer himself

The 3DS 2.X technology is still relatively new and unproven. It causes considerable frictional losses for online trading and, according to the CMSPI study, extends checkout processes from 60 seconds to two minutes, which has a significant impact on the customer experience. Tests show that 26 percent of 3DS2 transactions fail, compared to single digit failure rates without this technology.

Small retailers may not have sufficient resources to optimize processes and thus lose revenue share to larger retailers.

Many issuer banks in Germany are not yet ready

The technology is currently only offered by 60% of German issuer banks and this figure has not improved since August. This gives German retailers 1.5 months before the deadline little opportunity for valid testing. Although German retailers are doing their best to introduce the technology as quickly and smoothly as possible, a strict introduction from 01.01.2021 onwards could have devastating consequences.

Move or not move, that is the question here

In a letter to BaFin, the German Retail Association (HDE) demands an orderly transition to strong customer authentication. “We must first get customers used to strong 2-factor authentication. The BaFin’s proposal for a staggering of amounts over a period from January to March offers a good basis for this”, says HDE payment expert Binnebößel.

“First we have to get the customers used to the strong two-factor authentication.”

“If the legal requirement takes effect hard from January 1, 2021, there will be frictions that cannot be assessed so far. Customers will migrate to large providers, choose an alternative payment method with a higher risk or, in the worst case, refrain from purchasing. Banking supervision and politics have it in their hands to mitigate the consequences.

On the other hand, it seems that the industry needs the pressure of a deadline to push through changes and prepare properly. “Both as a payment person and as a private individual, I am clearly in favour of SCA and I don’t think at all about another and further postponement. There was enough time to implement the requirements. André Moeller, Payment Professional. An opinion that is absolutely understandable. However, since COVID-19 currently demands everything from merchants in Germany, a different approach may be necessary.

Payment expert Laura Treude from Douglas would at most approve of a postponement to January/February, as the deadline is “very close to the peak season for traders” and thus the waiting bubble in which one currently finds oneself is finally being dissolved. Only then can an optimisation based on new findings be made. Should this approach be correct? Wouldn’t it have been much better if merchants could start with an optimised solution as early as January and different deadlines applied to different players in the payment chain?

Exemptions than the Holy Grail?

An opt-out strategy to bypass 3DS2 for certain transactions will be essential for the customer experience at checkout and for e-commerce merchant revenues in 2021:

Low risk transactions

Low risk transactions are excluded from SCA. Merchants can decide whether to authenticate transactions with 3DS based on their own fraud ratings or to use this exception, giving issuer banks the final opportunity to confirm the exception. Furthermore, risk scoring of transactions is carried out at PSP level and is not based on the risk profile of the merchant itself.

Strong customer authentication - €91.5 billion turnover at risk in Europe

This is important to understand because a merchant can be excluded from this exception (and is more likely to lose sales as a result) because suppliers use too conservative control mechanisms to keep their fraud rate as low as possible.

low value transactions

Transactions under 30 € are excluded from strong customer authentication. Similar to contactless payments, there is an overall limit: the total amount for this exception may not exceed 100 € within 24 hours and strong customer authentication is required for every 5th transaction.


Customers can whitelist companies to their issuers and avoid strong customer authentication for these companies in the future.

Subscriptions and recurring transactions

Recurring transactions with a fixed amount only use Strong Customer Authentication at initial setup. If the payment is initiated by the merchant, it does not fall within the scope of Strong Customer Authentication, which makes recurring payments with varying amounts possible. However, the card must also be strongly authenticated when it is deposited or the first payment is made.

An option strategy will become increasingly important for e-commerce merchants in the battle for optimized conversion rates and will separate the wheat from the chaff from 2021 onwards.

CMSPI information:

Cost & Risk Reduction | Approvals & Fraud | Independence

CMSPI is the world’s leading payment consultancy for merchants. Our team of experts works daily to empower the retail community with insights, expertise, benchmarking and analysis to increase the value of their payment chain.

Nicole Nitsche
Nicole Nitsche ist studierte Theaterwissenschaftlerin und hat mehrere Jahre als Regieassistentin beim Thalia Theater Hamburg gearbeitet. Danach war Nicole Leiterin der Presse-und Marketingabteilung eines Hamburger Musiklabels. Zu ihren täglichen Aufgaben zählten dort, neben dem Verfassen von Pressetexten, die Umsetzung und... mehr