Is your business ready for Strong Customer Authentication (SCA)?
GDPR was the big thing for 2018; now it’s time for the second Payment Services Directive (PSD2).
On the 14th September 2019, new requirements for authenticating online payments will be introduced in Europe as part of the PSD2. Regardless of the outcome of Brexit, it’s expected that the SCA regulation will be enforced in the UK.
So what exactly does that mean for businesses trading online? We’ll cover everything you need to know about the new European regulation…
What is Strong Customer Authentication?
Strong Customer Authentication (SCA) is a new regulatory requirement aimed at reducing fraud and making online payments more secure.
In order to accept customer payments online once SCA goes into effect, you will need to build additional authentication into your checkout process. SCA requires authentication to use at least two of the following three elements.
Card payments will require a different user experience, namely 3D Secure, in order to meet SCA requirements. Transactions that don’t follow the new authentication guidelines may be declined by your customers’ banks. All transactions will require two-factor authentication, which means that alongside the card details the customer will also need to validate one of the following:
How will it affect your online payment process?
From the 14th September 2019, banks will decline payments that require SCA and don’t meet these criteria. To accept payments, you will need to build additional authentication into your checkout flow, through one of the methods mentioned above.
Are there any SCA exemptions?
Although the SCA requirement is intended for all online transactions, there are some exemptions. But don’t get too excited; they only apply to ‘low value or low risk transactions’.
So what are low value & low risk transactions?
Transactions below €30 will be considered “low value” and may be exempted from SCA. Banks will however need to request authentication if the exemption has been used five times since the cardholder’s last successful authentication, or if the sum of previously exempted payments exceeds €100. The cardholder’s bank will need to track the number of times this exemption has been used and decide whether authentication is necessary.
Low risk transactions are also exempt from SCA. Whether a payment qualifies as low risk is based on the average fraud levels of the card issuer and acquirer processing the transaction.
What about subscriptions or recurring transactions?
Subscription or recurring transactions with a fixed amount will be exempt from the second transaction onwards. Only the initial transaction will require SCA. If the amount changes, 3D Secure will be required for every new amount.
This will pose a challenge to ‘variable amount’ recurring businesses in which the value changes over time. For example, some products have a variable cost per period based on usage. Thankfully, these types of transactions are considered ‘merchant initiated transactions’. These are exempt from PSD2 and SCA requirements.
Most subscription payments will not need SCA since most are initiated by the merchant and not the cardholder, and because there is an exemption for static amount recurring payments.
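To make the exemption rules above concrete, here is an added worked example (not code from the original article or from any payment provider) that models the decision a cardholder’s bank has to make: the low-value exemption with its five-use and €100 counters that reset on a successful authentication, the fixed-amount recurring exemption from the second payment onwards, and merchant-initiated transactions falling outside SCA. The class and function names (`CardState`, `Transaction`, `decide`, `process`, `simulate`) and the flags on `Transaction` are assumptions made for illustration; it also assumes that an authentication, once requested, succeeds, and it reads the €100 cap exactly as the article states it (the sum of previously exempted payments).

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Thresholds as stated in the article (amounts in euros).
LOW_VALUE_LIMIT = 30.0   # transactions below this are "low value"
MAX_EXEMPT_USES = 5      # exemption uses allowed since the last successful SCA
MAX_EXEMPT_SUM = 100.0   # cap on the sum of previously exempted payments


@dataclass
class CardState:
    """Per-card counters the issuer keeps to police the low-value exemption (assumed shape)."""
    exempt_count: int = 0    # low-value exemptions used since the last SCA
    exempt_sum: float = 0.0  # euros exempted since the last SCA


@dataclass
class Transaction:
    """Hypothetical transaction record; flags are assumptions for this example."""
    amount: float
    merchant_initiated: bool = False  # e.g. usage-based billing (MIT)
    recurring: bool = False           # part of a subscription series
    first_in_series: bool = False     # the initial subscription payment
    amount_changed: bool = False      # variable-amount recurring payment


@dataclass
class Decision:
    sca_required: bool
    reason: str
    exemption: Optional[str] = None   # "low_value", "recurring_fixed" or "mit"


def decide(tx: Transaction, state: CardState) -> Decision:
    """Classify one transaction under the rules the article describes."""
    if tx.merchant_initiated:
        return Decision(False, "merchant-initiated transaction: outside SCA scope", "mit")
    if tx.recurring:
        if tx.first_in_series:
            return Decision(True, "initial subscription payment needs SCA")
        if tx.amount_changed:
            return Decision(True, "recurring amount changed: SCA for the new amount")
        return Decision(False, "fixed-amount recurring, second payment onwards", "recurring_fixed")
    if tx.amount < LOW_VALUE_LIMIT:
        if state.exempt_count >= MAX_EXEMPT_USES:
            return Decision(True, "low-value exemption already used five times since last SCA")
        if state.exempt_sum > MAX_EXEMPT_SUM:
            return Decision(True, "previously exempted payments exceed EUR 100")
        return Decision(False, "low value: below EUR 30", "low_value")
    return Decision(True, "standard online payment: two-factor authentication")


def process(tx: Transaction, state: CardState) -> Decision:
    """Decide, then update the card's counters. Assumes SCA succeeds whenever it is requested."""
    d = decide(tx, state)
    if d.sca_required:
        # A successful authentication resets the low-value counters.
        state.exempt_count = 0
        state.exempt_sum = 0.0
    elif d.exemption == "low_value":
        # Only the low-value exemption consumes the issuer's counters.
        state.exempt_count += 1
        state.exempt_sum += tx.amount
    return d


def simulate(amounts: list[float]) -> list[bool]:
    """Run plain (non-recurring) payments on a fresh card; return which ones needed SCA."""
    state = CardState()
    return [process(Transaction(a), state).sca_required for a in amounts]


if __name__ == "__main__":
    # Constructed sample: six EUR 20 payments, then one more after SCA has reset the counters.
    print(simulate([20.0] * 7))
    # Four EUR 29 payments push the exempted sum past EUR 100, so the fifth needs SCA.
    print(simulate([29.0] * 5))
    # Variable-amount subscription billed by the merchant: no SCA at all.
    print(process(Transaction(42.5, merchant_initiated=True), CardState()))
```

The point worth noticing is that the counters live with the issuer, not the merchant: a merchant cannot tell from the amount alone whether a €20 payment will sail through or be challenged, which is why a checkout flow has to be ready to fall back to 3D Secure on any card transaction, even a low-value one.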