Stripe acquires Touchtech, updates APIs to prep for strong customer authentication in Europe
Stripe, the payments powerhouse that is now valued at $22.5 billion, has made an acquisition to help it gear up for new regulations in Europe that will be rolled out later this year to improve security in online transactions. It has acquired Touchtech Payments, a startup out of Ireland that works with banks to help them build and manage Strong Customer Authentication, a verification process that will typically require customers to provide two different forms of authentication from card holders in order to process transactions. SCA will be required on most transactions in Europe from September 14 of this year.
Alongside this, Stripe itself is updating its APIs, partly in line with these changes. This will include a new default payments API, a new checkout, and upgraded billing.
The financial terms of the acquisition are not being disclosed. Touchtech had raised less than $500,000, according to Pitchbook data, and it will work out of Stripe’s offices in Dublin.
SCA is part of PSD2, a wider payments directive that has been getting implemented across Europe. The basic idea is that, from September, people buying items will be required to provide two forms of verification when making online transactions — for example entering a code from their phones or another connected device like a wearable; a biometric scan; or a separate PIN. But there are also a number of exceptions — for example, purchases under €30 and recurring billing around subscriptions are both exempt, as are transactions with merchants that a customer might add to a white list. That makes putting SCA in place and running it quite complex.
John Collison, Stripe’s co-founder and president, said that a similar directive put in place in India had a chilling effect on the market after it wasn’t handled well.
“There was a 25 percent drop in sales overnight when the changes came into effect in India,” he said in an interview. “So we think SCA is a huge deal. It’s European-wide, and not an option. People are sleepwalking into it, and it’s not getting as much dialogue as it merits.”
Interestingly, the acquisition will mark an interesting change for Stripe, which has been built on connections with merchants and other customers that take digital payments for goods and services: Touchtech interfaces with banks and others that handle card payments — meaning it will be the first time that Stripe is developing a service that is not merchant-facing, but bank-facing. Collison said that this does not mark a bigger change in Stripe’s strategy, but more a consequence of the complexity that will need to be handled something that banks and cardholders, not merchants, will need to address. “Don’t read too much into this!” he said to me.
Touchtech’s current customers include so-called “challenger” banks like N26 and fintech startups like Transferwise, so it will be interesting to see how and if aligning with Stripe will widen that scope to cover more incumbent providers.
“We have broad ambitions for Touchtech,” Collison said.
The updates to Stripe’s APIs, Collison said, are mainly coming to account for SCA and the triggers it will effect for verification, and also how these will impact other parts of the payment sequence, such as how payments will work with Apple Pay and Google Pay. Stripe notes that it is not mandatory for those using Stripe’s current API’s to update immediately, although those doing business in Europe will need to eventually anyway. “When major regulatory changes are introduced in a new market covered by Stripe, the Payment Intents API will allow merchants to upgrade their checkout flows with little-to-no disruption, significantly reducing the burden of migrations for merchants,” Stripe notes.
The checkout, meanwhile, will also now automatically handle SCA requirements for merchants, Stripe said. It will be customizable to account for repeat versus one-time purchases.
The upgrade to the billing, Stripe said, will now automatically identify which purchases will require SCA and trigger the subsequent scripts. This will mainly impact those businesses that take recurring payments, for example for subscriptions.
Longer term, while this is a European directive, other countries such as Mexico and Australia are also considering similar regulations. With fraud a growing problem, it’s likely that this isn’t the end of the story for how customers, banks, merchants and companies like Stripe that have traded on their simplicity handle adding more tools like this underneath the hood.