Stripe's next step is built on strong authentication, compliance
It’s just one part of one regulation in one region that addresses one business practice, but for Stripe, Strong Customer Authentication is a ticket to unlock markets across multiple business types.
“Payment authentication is becoming more important and that trend is to stay,” said Olivier Godement, SCA product manager at Stripe. “You have to make it easy to have good fraud protection without compromising experience.”
SCA is part of the European PSD2 standards, with the authentication piece going into effect in September. PSD2 is a broader rule governing data sharing between banks and third parties to provide consumers with more options and control over financial relationships and transaction flows, so a requirement for more vigorous authentication is just one piece.
SCA can be implemented as dual authentication that can be a combination of a password, device ID or biometric authentication. Dual authentication, “what you know” or “who you are,” has existed for years. But most recently it’s become a way to migrate away from passwords toward a system of ID security that’s more digital and portable.
But for Godement, SCA is much more than a sidebar to a larger law. Everyone will have to bow to SCA in some form as static password-based authentication falls out of vogue, and that means enabling SCA can benefit Stripe’s core business of providing tools for businesses to sell and receive payments online; and any other technology Stripe chooses to put on the stack such as merchant credit or installment payments.
“The scale of SCA is such that any merchant that sells to European customers has to adhere,” Godement said, estimating that could be as much as a million merchants. “That’s 1 million upgrades to the checkout flow that have to be done.”
Stripe’s strategy to compete for those merchants includes an API that tracks the life cycle of a checkout flow and triggers authentication steps when required by regulations or customized fraud rules. Stripe’s API automatically launches authentication flows based on its client libraries and other data.
The company also recently agreed to acquire Touchtech, which built a 3D Secure product that authenticates online card purchases with no passwords or one-time codes, and is particularly geared toward PSD2 compliance for mobile and other e-commerce payments.
Godement is anticipating these tools will be needed far beyond Europe. Australia is creeping tentatively toward PSD2-style rules, and APIs and the free data flow among fintechs, banks and merchants are seen as a key way to reach younger consumers who tend to avoid more formal financial relationships. And large companies such as Microsoft and Mastercard are also pursuing advanced authentication as part of broader merchant automation.
The API and acquisition position Stripe to address bank security, including authentication for online banking logins, lending and bank payment rails. Much like the large-bank IT companies FIS and Fiserv are using mergers to shore up both merchant and bank technology, Stripe is using authentication to bridge the payment connections between consumers, merchants and issuers.
“If the payment uses a bank’s protocols to authenticate a card payment, there is only so much the merchant can do,” Godement said. “If we help the merchant optimize the payment experience and the bank doesn’t have the right technology, it won’t be workable. We want to make sure we have a foot on both sides of the transaction.”
Stripe's core business of enabling payments helped the company draw a valuation of more than $20 billion, but the expansion of international e-commerce and online marketplaces, the larger mergers and the diversification of other fintechs like PayPal and Square require Stripe to broaden beyond payment acceptance.
“With a role on each side of the spectrum, Stripe is now in a unique position to orchestrate and curate all aspects of the SCA checkout experience for its merchant customers,” said Jordan McKee, research director for customer experience and commerce for retail payments at 451 Research. “Ultimately, by adding authentication capabilities for banks, Stripe is aiming to bring its SCA strategy full circle with the goal of further optimizing the checkout flow for its own merchant customers.”
To maximize the potential of the Touchtech deal, there is much work to be done to expand issuer adoption of Touchtech’s technology, McKee said. “However, backed by Stripe's resources and issuer relationships, Touchtech now has much better footing to drive market uptake.”
And given the likelihood of open banking and digital dynamic authentication becoming standard in most developed markets, the combination of merchant and financial identity is a necessity. The data security risk will increase given the amount of information flowing among different parties; and the need to provide tools that can manage collaboration will also spike.
“This move also puts Stripe in a unique position to serve other global markets that are preparing for regulations similar to SCA,” McKee said. “It's also worth considering how Touchtech may complement Stripe Issuing, Stripe’s recently launched issuer processor service.”