What is strong customer authentication?
Strong customer authentication (SCA) is a regulatory standard initiated in 2019 under the second Payment Services Directive (PSD2) in Europe. SCA is aimed at protecting consumers by setting standards for authenticating online payments. SCA enforcement was set to begin in 2020, though implementation is expected to continue throughout 2021.
Here’s everything you need to know about strong customer authentication, what it means for businesses, and its timeline for implementation.
What is strong customer authentication?
Strong customer authentication is a new regulation designed to prevent online transaction fraud. It does this by forcing banks to require additional user authentication before authorizing payments.
Most merchants see SCA requirements as synonymous with two-factor authentication, but it’s more complicated than that. Banks and payment service providers must have customers authenticate using at least two of three factors:
Something in their possession (such as a mobile phone or hardware token)
Something they know (such as a PIN number or password)
Something that’s a part of them (such as their fingerprint or face recognition)
This level of authentication makes it more difficult for criminals to make unauthorized purchases using the identity of legitimate account owners. Once the implementation deadline is passed, card issuers must decline any transactions not verified using 2 of the methods mentioned above.
Which Businesses Are Affected By SCA?
SCA is a European regulation, so all businesses based in the European Economic Area (EEA) will need to comply, assuming they charge cards online and the cards are also issued within the EEA. The UK originally was considered part of this category and had its own timeline for SCA compliance, however, since Brexit they no longer come under the European Banking Authority.
Businesses based in the US or other countries around the world that process transactions from cards issued in the EEA are not subject to SCA rules. However many are choosing to update their current authentication process to avoid potential transaction declines from banks in Europe or to simply minimize the impact of fraud attempts on their business.
Affected businesses shouldn’t ignore the SCA requirements, or they could end up with numerous declined transactions and even lose business as a result.
Exemptions to the Regulation
Certain types of transactions could be considered “low-risk” and therefore exempt from requiring Strong Customer Authentication. If your business processes transactions that meet the exemption requirements, then you can request an exemption from the issuer, who will decide whether or not to grant it.
Here are the different transaction types that can be exempted:
Corporate transactions — These are any transactions made between two corporations, as opposed to a corporation and a consumer.
Low-risk transactions — Both payments issuers and acquirers can use a Transaction Risk Analysis (TRA) to determine if transactions are considered to be low risk. A TRA is based on transaction value and fraud rate.
Low amount transactions — A transaction can qualify for an exemption if the purchase is valued below €30, unless a customer makes five consecutive transactions with a combined value of more than €100 (in which case SCA applies).
Recurring subscriptions — When customers make a series of recurring payments for the same amount to the same business, only the initial payment needs to meet SCA requirements. Merchant-initiated transactions using saved cards for non-present customers may also qualify for this exemption.
When Will SCA Be Enforced?
Strong customer authentication was originally set to begin full enforcement by the 1st of January 2021. However, the pandemic created challenges, including greatly increasing the number of businesses making eCommerce transactions that fall under SCA. This has led to the timeline for compliance stretching further into 2021.
Some of the different countries in the EEA have set their own timeline for full compliance with SCA, and enforcement will ramp up in different areas to reflect this in 2021. Here are the current timelines:
Rest of the EEA
How to Stay SCA Compliant
Getting a head start on complying with Strong Customer Authentication is a good idea, as enforcement deadlines are on the horizon. More security regulations are also expected to arise in countries around the world, making early compliance a smart choice for businesses located outside of the EEA as well.
Here’s what you can do now to make sure your business stays SCA compliant:
Use 3D Secure Protocol
3D Secure is a protocol that serves as an additional security layer for credit and debit transactions online. The protocol determines if the cardholder is enrolled in 3D Secure and if authentication is needed. It relies on shared data from banks, card networks, and merchants to verify payments. Using the latest version of 3D Secure protocol on your eCommerce website can help you stay SCA compliant.
Apply For Exemptions
If a large portion or all of the transactions processed at your business potentially qualify for an SCA exemption, you can apply to receive one. It’s up to the issuer to decide whether or not to allow your exemption. Even if your transactions meet the definition, the issuer is still allowed to reject your request because of their own fraud prevention rules.
Applying for exemptions can minimize friction in customer checkout, however, it also comes with more liability risk for merchants. If you receive an exemption and a transaction ends up being fraudulent, you’re liable for the chargeback. With that in mind, it’s best to explore other options that optimize the customer checkout experience while also following SCA regulations.
Use Online Banking Payments
Trustly offers Online Banking Payments as a mobile and eCommerce payments solution that meets SCA regulations and improves consumer checkout experience simultaneously. Online Banking Payments involves customers logging into their bank accounts and entering their credentials from memory, which complies with SCA. This approach also works well for merchants as it reduces friction while simultaneously enhancing security.
Online Banking Payments make it possible for merchants to accept a wider range of payment options, as well as use contactless payments, stored value, and digital-wallet transactions. Trustly also maximizes security by using tokenization to encrypt sensitive payment data, making it useless for fraudsters.
With guaranteed payments and high approval rates, Online Banking Payments are the one solution to benefit both merchants and customers. Most importantly, Trustly’s technology is designed to evolve and improve, so you can always count on keeping up with the latest regulations from SCA, PSD2, or other legislation.