Ecommerce has grown hugely, with a projected worth of £80,678 million in the UK in 2021 according to Statista, and fraudsters have predictably followed your customers online. Strong Customer Authentication (SCA) is a huge and imminent change to how your customers authenticate themselves when buying from you online. SCA should help drive down fraud and chargebacks, but it will be a huge change for your customers and many merchants. In this article, we will explain what SCA is, which exemptions apply and the important deadlines to look out for. Learn more about what SCA means for your customers.
WHAT IS STRONG CUSTOMER AUTHENTICATION (SCA)?
The introduction of SCA completely changes the way in which your UK and European customers prove their identity as part of the payment process and is a requirement of the second EU Payment Services Directive (PSD2).
In the past, your customers could simply enter their card number and CVV. However, for customers attempting to spend over €30, new regulations will require them to provide 2 or 3 acceptable means of identification. These include:
- Something only your customer knows (One Time Password, SMS code, PIN, answers to security questions)
- Something your customer owns (their mobile phone, wearable device or card)
- Something your customer actually is (Fingerprint, retina and iris scanning, face and hand geometry, voice or keystroke dynamics)
It’s important to understand that SCA will only apply to transactions in the European Economic Area (EEA), where both you and your customer are in the region. If one of these is located outside of Europe, your Payment Service Provider in Europe will be required to use their best efforts to apply SCA.
ARE THERE ANY EXEMPTIONS FROM SCA?
In addition to the minimum €30 threshold, there are several other scenarios where the requirement of SCA will not apply, such as:
Payments for recurring purchases will only require SCA for the very first transaction. However, if the amount changes, additional authentication will be required.
Your customers will have the option to assign your business to a whitelist of trusted beneficiaries. If your customers decide to whitelist you, they will only need to complete the authentication process once. After they have done so, all future transactions with you will be exempt from the SCA process.
If a transaction has undergone real-time assessment and has been deemed as low-risk, it may be processed without SCA. This decision will be based on the average fraud levels of your customer’s card issuer and they will have the ultimate say on whether SCA will be necessary.
MAIL ORDER AND TELEPHONE ORDERS (MOTO)
These types of transactions are not considered electronic payments and are therefore exempt from SCA. Typically, these types of transactions would be performed by merchants using Virtual Terminal technology.
When a transaction is initiated by a business rather than a consumer, separate authentication will not apply.
Please note that, while exemptions may be useful, the decision to accept an exemption will ultimately come down to your customer’s issuing bank.
HOW CAN MERCHANTS COMPLY WITH SCA?
As an online merchant, you will need to ensure that your eCommerce store supports SCA. If it doesn’t, many of your customers’ payments will be declined once SCA is fully implemented. You will also need to choose a card processor that offers 3DS v2. Use our SCA checklist to make sure you comply with SCA.
WHAT IS THE DEADLINE FOR SCA IMPLEMENTATION?
The extended deadline for implementing SCA in the UK was originally 14 September 2021. However, the FCA has extended its deadline for implementing SCA for e-commerce transactions to 12 March 2022. This is the latest date by which the FCA expects full SCA compliance for e-commerce transactions.