Preparing for Strong Customer Authentication (SCA)

Ollie's Photo by Ollie Jackson


Update #1 (12th August 2019): Following concerns expressed by the European Banking Authority about the readiness of businesses to comply with the new requirements, it is possible that the original September deadline for SCA may be relaxed or even delayed by as much as 18 months.

The Financial Conduct Authority, UK Finance and the Bank of England are all proposing a new timetable. Despite this, we recommend that you continue to prepare for the 14th September deadline until there is official confirmation of the new timetable.

Update #2 (15th August 2019): The Financial Conduct Authority has confirmed that they 'will not take enforcement action against firms if they do not meet the relevant requirements for SCA from 14 September 2019'. This is provided that there is evidence that a business has taken the necessary steps to comply with the plan.



As of autumn 2019, if your business accepts online payments, you will have to comply with new authentication requirements as part of the 2nd EU Payments Service Directive (PSD2).

In this post we’ll explore what those requirements are, how it will apply to your business and what you need to do to prepare.


What is Strong Customer Authentication (SCA)?

Strong Customer Authentication is the new European regulation that aims to reduce fraud and better protect consumers when they make a remote electronic payment.

It will not apply to cash payments or when a customer uses their card at a POS terminal as these are already secured by entering a PIN number. The new SCA regulation aims to bring that same level of security to online payments.

First agreed back in 2015, businesses within the EU have until the 14th September 2019 to comply. From mid September, to continue to accept payments online, you will need to add methods of authentication to your checkout flow so customers can prove who they say they are before they can initiate a transaction.


How will customers authenticate?

Authentication is essentially proving that you (and only you) are authorised to make the payment. There are several methods of authentication and they can be grouped into three categories.

  • Knowledge: Something only the customer knows (for example: a password, PIN or passphrase)
  • Possession: Something only the customer has (for example: mobile phone, smart watch or security token)
  • Inherence: Something only the customer is (for example: fingerprint or facial recognition)

If you take payments online you are expected to implement methods from at least two of the three categories in order to comply. Only once a customer has provided details that cover at least two of the above categories will their payment be processed by the card issuer.

For instance, when paying for goods online you might be asked for a PIN number (Knowledge) AND your fingerprint (Inherence) before the card issuer is satisfied that you are authorised to make the payment.

Does SCA only apply to businesses within the EU?

Strong Customer Authentication will be required for any transaction where both the business and consumer are located inside the European Economic Area (EEA).

However, even if your business is located outside of the EEA, if you take online payments from consumers in the EEA, you may still be subject to Strong Customer Authentication (SCA) and it is expected that you use ‘best efforts’ to meet the requirements.

Irrespective of the outcome of Brexit, SCA will continue to be enforced. So the regulation isn’t likely to be relaxed or reversed in the event the government decides to make up its mind about our future in the European Union!


What types of payment does SCA apply to?

In the world of online payments, there are two main categories: a Customer-Initiated Transaction and a Merchant Initiated Transaction (MIT).

Customer-Initiated Transaction:

This is when the customer is present when making the electronic online payment. For instance, entering card details for a one-time purchase from an online shop.

SCA rules apply to all customer-initiated transactions.

Merchant Initiated Transaction (MIT):

A Merchant Initiated Transaction (MIT) is where a business processes a payment using previously stored details - and without the cardholder's participation. For instance, if the same company bills customers the same amount on the same regular date (e.g. for a magazine subscription).

In the event that your business uses recurring billing for a fixed amount, SCA should only apply to the first payment and may not be needed for subsequent transactions. It will ultimately be up to the bank to decide whether authentication is needed for the transaction.

However, if the amount being charged changes, then the SCA procedure will be needed for each payment.

If you use GoCardless, they use paperless Direct Debit mandates (which fall outside of the scope of SCA), so you will not need to implement any additional authorisation methods. GoCardless are fully PSD2 compliant.

Payments below €30

A transaction below €30 is considered to be ‘low value’ and may therefore be exempt from SCA - but you will still need to be able to request the additional authentication.

In the event that the consumer makes five consecutive payments of €30 or under (and after a cumulative total of €150), the cardholder’s bank will request authentication. It is the responsibility of the cardholder’s bank to track the number of times that the ‘low value’ amount has been paid to know when it needs to request authentication.

Contactless payments at point-of-sale are exempt from SCA

Are there any exemptions?

Yes. If any of the following apply, you can apply for an exemption.

  • Contactless Payments at POS
  • Card payments over the phone - sometimes known as “Mail Order and Telephone Orders” (MOTO)
  • Low value transactions (under €30 until a cumulative total of €150 is reached)
  • Recurring transactions (kind of) - this one is the most foggy. Payments initiated by merchants for the same amount and on the same regular date are exempt (e.g. subscriptions where the price paid does not vary). Recurring Merchant-Initiated Transactions where the payment amount varies (e.g. utility bills) will need to trigger an SCA procedure.
  • Unattended terminals for transport fares and parking fees
  • Trusted beneficiaries (where a card issuer whitelists a card, which puts the card holder in control of which merchants they trust)
  • Transfers between accounts held by the same person

GoCardless have written a detailed post on this.

Even though you may qualify for exemption, it will still be up to the bank to decide whether to accept or reject transactions.

In the event that a transaction is declined by the bank, the payment will need to be resubmitted to the customer with a request for SCA - so you still need to prepare for it.
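To make the rules in this section concrete, here is an added example (not code from the original post, nor from any gateway or issuer) that models the decision described above and in the "How will customers authenticate?" section: check the exemptions first (contactless at POS, MOTO, fixed-amount recurring MIT after the first payment, and low value with the €30 / €150 / five-payment counters the issuer keeps), and only when SCA is required check that the evidence collected spans two distinct factor categories. The transaction fields, the method names, the category mapping and the counter state are all assumptions made for illustration; in practice the issuer makes the final call, as the post says.

```python
# Added example, not code from the original post or from any gateway/issuer.
# Models the merchant-side expectation of the SCA rules described in the post.
# Transaction fields, method names and the counter state are assumptions.

from dataclasses import dataclass

LOW_VALUE_LIMIT_EUR = 30.00        # a single payment below this is "low value"
LOW_VALUE_CUMULATIVE_EUR = 150.00  # cumulative low-value spend allowed since last SCA
LOW_VALUE_MAX_COUNT = 5            # consecutive low-value payments allowed since last SCA

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"
# Hypothetical mapping from the evidence a checkout collects to its factor category.
METHOD_CATEGORY = {
    "password": KNOWLEDGE, "pin": KNOWLEDGE,
    "otp_sms": POSSESSION, "mobile_app_confirm": POSSESSION,
    "fingerprint": INHERENCE, "face": INHERENCE,
}


@dataclass
class Transaction:
    amount_eur: float
    channel: str = "ecommerce"        # "ecommerce", "moto" or "contactless_pos"
    merchant_initiated: bool = False  # MIT using previously stored card details
    recurring_fixed: bool = False     # same amount on the same regular date
    first_in_series: bool = True      # first payment of a recurring series


@dataclass
class CardState:
    """Per-card counters the issuer keeps to apply the low-value exemption."""
    low_value_count: int = 0
    low_value_total_eur: float = 0.0

    def reset(self):
        """Counters start again once a payment has been strongly authenticated."""
        self.low_value_count = 0
        self.low_value_total_eur = 0.0


def exemption_for(tx, state):
    """Return the name of an applicable exemption, or None when SCA is required."""
    if tx.channel == "contactless_pos":
        return "contactless_pos"
    if tx.channel == "moto":
        return "moto"
    if tx.merchant_initiated and tx.recurring_fixed and not tx.first_in_series:
        return "fixed_amount_recurring"
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        # Both limits from the post are checked. Note that five payments each
        # below EUR 30 cannot exceed EUR 150, so the count limit binds first.
        within_count = state.low_value_count + 1 <= LOW_VALUE_MAX_COUNT
        within_total = state.low_value_total_eur + tx.amount_eur <= LOW_VALUE_CUMULATIVE_EUR
        if within_count and within_total:
            return "low_value"
    return None


def categories_covered(methods):
    """Factor categories covered by the collected evidence; unknown names do not count."""
    return {METHOD_CATEGORY[m] for m in methods if m in METHOD_CATEGORY}


def satisfies_sca(methods):
    """SCA needs two DIFFERENT categories: a password plus a PIN is still one factor."""
    return len(categories_covered(methods)) >= 2


def decide(tx, state, methods=()):
    """Outcome for one payment attempt, updating the issuer-side counters.

    Returns ("exempt", name), ("authenticated", None) or ("declined", "sca_required");
    the last case is where the merchant must resubmit with a request for SCA.
    """
    exemption = exemption_for(tx, state)
    if exemption is not None:
        if exemption == "low_value":
            state.low_value_count += 1
            state.low_value_total_eur += tx.amount_eur
        return ("exempt", exemption)
    if satisfies_sca(methods):
        state.reset()
        return ("authenticated", None)
    return ("declined", "sca_required")


if __name__ == "__main__":
    card = CardState()
    # Six constructed EUR 20 purchases: five are low-value exempt, the sixth needs SCA.
    for i in range(6):
        print(i + 1, decide(Transaction(20.0), card))
    print("PIN + password:", decide(Transaction(20.0), card, ["pin", "password"]))
    print("PIN + fingerprint:", decide(Transaction(20.0), card, ["pin", "fingerprint"]))
```

The counters live with the card rather than the merchant because the post makes tracking the low-value spend the issuer's responsibility; a merchant integration only needs to be ready for the "declined" outcome and to resubmit with an authentication request.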

How to prepare your business

Your business’ ability to meet the new requirements will depend on what software or payment gateway you currently use to process online payments.

It is expected that the use of 3D Secure 2 will become the most common way of meeting the authentication requirements.


What is 3D Secure?

3D Secure is used by the likes of Visa, Mastercard and American Express to reduce fraud and secure online payments.

It is highly likely you will already have encountered 3D Secure when paying for goods and services online - typically the process involves entering a subset of the characters contained within the password you use for online banking. “Please enter the first, third and seventh characters of your password” - sound familiar?

3D Secure 2 is the next generation of this.

It is being introduced to provide frictionless authentication and to improve the purchasing experience online.

The release of 3D Secure 2 will also make it easier for you to achieve SCA and therefore meet the new requirements.

Many of the popular payment gateway providers have begun to rollout support for 3D Secure 2. They include:

A typical checkout flow that uses 3D Secure (and would be considered to have Strong Customer Authentication) would look something like this:

  1. A customer enters their card details on your website.
  2. Upon submitting their order, the transaction is queried by the bank and the customer is asked to provide authentication - this might include confirming their PIN via their mobile banking app or entering a one-time code sent to their mobile phone.
  3. Once verified, the transaction can be successfully authorised and the order completed.

Making this process as streamlined and as frictionless as possible will be key to ensuring that the additional authentication required does not impact your conversion rate.

If you’re unsure of how the introduction of SCA might impact your checkout flow, Stripe have written a number of different examples in the “Business Scenarios” section of this article.

Popular gateways who are set to support 3D Secure 2

Summary

If you take online payments, you’ll need to make changes to comply with the new EU directive that takes effect on the 14th September 2019.

The EU has been known to introduce what might be considered questionable directives (cookie policy anyone?), but the introduction of SCA is intended to standardise the way that consumers are protected online - and that has got to be a good thing.

Concerns about the security of card details are one of the primary reasons that consumers abandon their basket before checking out, so the introduction of SCA should give customers confidence in purchasing from you and your business. And the emergence of facial recognition, voice recognition, iris scanners, and fingerprint readers on the devices we use should mean that the process becomes second nature in no time.

So, whilst the time and potential cost associated with complying with the new EU Payments Service Directive might be frustrating, it will ultimately make the way we pay for goods online safer and more secure.

If you would like our advice or assistance on how to make the required changes to your business in order to comply with the new directive, don't hesitate to get in touch.

