Ecommerce has grown hugely with online UK retail sales hitting a 13-year high in 2020, and fraudsters have predictably followed your customers online. Strong Customer Authentication (SCA) is a huge and imminent change to how your customers authenticate themselves when buying from you online. SCA should help drive down fraud and chargebacks, but it will be a huge change for your customers and many merchants. In this article, we will explain what SCA is, exemptions and important deadlines to look out for.
The introduction of SCA completely changes the way in which your UK and European customers prove their identity as part of the payment process and is a requirement of the second EU Payment Services Directive (PSD2).
In the past, your customers could simply enter their card number and CVV. However, for customers attempting to spend over €30, new regulations will require them to provide 2 or 3 acceptable means of identification. These include:
It’s important to understand that SCA will only apply to transactions in the European Economic Area (EEA), where both you and your customer are in the region. If one of these are located outside of Europe, your Payment Service Provider in Europe will be required to use their best efforts to apply SCA.
In addition to the minimum €30 threshold, there are several other scenarios where the requirement of SCA will not apply, such as:
Payments for recurring purchases will only require SCA for the very first transaction. However, if the amount changes, additional authentication will be required.
Your customers will have the option to assign your business to a whitelist of trusted beneficiaries. If your customers decide to whitelist you, they will only need to complete the authentication process once. After they have done so, all future transactions with you will be exempt from the SCA process.
If a transaction has undergone real-time assessment and has been deemed as low-risk, it may be processed without SCA. This decision will be based on the average fraud levels of your customer’s card issuer and they will have the ultimate say on whether SCA will be necessary.
These types of transactions are not considered electronic payments and are therefore exempt from SCA. Typically, these types of transactions would be performed by merchants using Virtual Terminal technology.
When a transaction is initiated by a business rather than a consumer, separate authentication will not apply.
Please note that, while exemptions may be useful, the decision to accept an exemption will ultimately come down to your customer’s issuing bank.
As an online merchant, you will need to ensure that your eCommerce store supports SCA. If it doesn’t, many of your customers’ payments will be declined once SCA is fully implemented. You will also need to choose a card processor that offers 3DS v2.
For the majority of the European Economic Area (EEA) SCA implementation has been a legal requirement since 1 January 2021. The UK deadline was originally 14 September 2019, however this has since been extended to 14 March 2022 by the FCA.