Ecommerce has grown hugely with an expected worth of €717 billion in Europe at the end of 2020, and fraudsters have predictably followed your customers online. Strong Customer Authentication (SCA) is a huge and imminent change to how your customers authenticate themselves when buying from you online. SCA should help drive down fraud and chargebacks, but it will be a huge change for your customers and many merchants. In this article, we will explain what SCA is, exemptions and important deadlines to look out for.
WHAT IS STRONG CUSTOMER AUTHENTICATION (SCA)?
The introduction of SCA completely changes the way in which your UK and European customers prove their identity as part of the payment process and is a requirement of the second EU Payment Services Directive (PSD2).
In the past, your customers could simply enter their card number and CVV. However, for customers attempting to spend over €30, new regulations will require them to provide 2 or 3 acceptable means of identification. These include:
- Something only your customer knows (One Time Password, SMS code, PIN, answers to security questions)
- Something your customer owns (their mobile phone, wearable device or card)
- Something your customer actually is (Fingerprint, retina and iris scanning, face and hand geometry, voice or keystroke dynamics)
It’s important to understand that SCA will only apply to transactions in the European Economic Area (EEA), where both you and your customer are in the region. If one of these are located outside of Europe, your Payment Service Provider in Europe will be required to use their best efforts to apply SCA.
ARE THERE ANY EXEMPTIONS FROM SCA?
In addition to the minimum €30 threshold, there are several other scenarios where the requirement of SCA will not apply, such as:
Payments for recurring purchases will only require SCA for the very first transaction. However, if the amount changes, additional authentication will be required.
Your customers will have the option to assign your business to a whitelist of trusted beneficiaries. If your customers decide to whitelist you, they will only need to complete the authentication process once. After they have done so, all future transactions with you will be exempt from the SCA process.
If a transaction has undergone real-time assessment and has been deemed as low-risk, it may be processed without SCA. This decision will be based on the average fraud levels of your customer’s card issuer and they will have the ultimate say on whether SCA will be necessary.
MAIL ORDER AND TELEPHONE ORDERS (MOTO)
These types of transactions are not considered electronic payments and are therefore exempt from SCA. Typically, these types of transactions would be performed by merchants using Virtual Terminal technology.
When a transaction is initiated by a business rather than a consumer, separate authentication will not apply.
Please note that, while exemptions may be useful, the decision to accept an exemption will ultimately come down to your customer’s issuing bank.
HOW CAN MERCHANTS COMPLY WITH SCA?
As an online merchant, you will need to ensure that your eCommerce store supports SCA. If it doesn’t, many of your customers’ payments will be declined once SCA is fully implemented. You will also need to choose a card processor that offers 3DS v2.
WHAT IS THE DEADLINE FOR SCA IMPLEMENTATION?
The deadline for implementing SCA was originally 14 September 2019. However, regulators across Europe and the UK have extended the deadline, which is now 14 September 2021 for the UK and 31 December 2020 for the majority of the European Economic Area (EEA).