What is Strong Customer Authentication?
In this guide, we’ll take a closer look at these new requirements known as Strong Customer Authentication (SCA) and the kinds of payments they will impact.
Finally, we’ll cover the exemptions that can be used for low-risk transactions to offer a frictionless checkout experience.
Strong Customer Authentication (SCA) is a new European regulatory requirement to reduce fraud and make online payments more secure. To accept payments once SCA goes into effect, you will need to build additional authentication into your checkout flow.
SCA requires authentication to use at least two of the following three elements.
- Something the customer knows (e.g., password or PIN)
- Something the customer has (e.g., phone or hardware token)
- Something the customer is (e.g., fingerprint or face recognition)
Starting 14 September 2019, banks will decline payments that require SCA and don’t meet these criteria. (If you would like to read the original SCA requirements, they are set out in the Regulatory Technical Standards or RTS.)
Strong Customer Authentication (SCA), a new rule coming into effect on September 14, 2019, as part of PSD2 regulation in Europe, will require changes to how your customers authenticate online payments.
Card payments will require a different user experience, namely 3D Secure, in order to meet SCA requirements. Transactions that don’t follow the new authentication guidelines may be declined by your customers’ banks.
To prepare for SCA, you should:
- Determine if your business is impacted
- Decide which one of our new SCA-ready products is right for your business
- Make changes before September 14, 2019, in order to avoid declined payments
When is Strong Customer Authentication required?
Strong Customer Authentication will apply to “customer-initiated” online payments within Europe. As a result, most card payments and all bank transfers will require SCA.
Recurring direct debits, on the other hand, are considered “merchant-initiated” and will not require strong authentication. With the exception of contactless payments, in-person card payments are also not impacted by the new regulation.
For online card payments, these requirements will apply to transactions where both the business and the cardholder’s bank are located in the European Economic Area (EEA). (We expect SCA regulation to be enforced in the UK, regardless of the outcome of Brexit.)
If you’re based outside of Europe but a large portion of your sales are to European customers, your payments may also be impacted.
While SCA is not legally required for businesses outside of Europe, we expect a small minority of European banks to require SCA for all payments regardless of where a business is located.
We recommend all businesses with a high amount of European sales prepare for SCA to avoid transactions being declined.
How to authenticate a payment
Currently, the most common way of authenticating an online card payment relies on 3D Secure – an authentication standard supported by the vast majority of European cards.
Applying 3D Secure typically adds an extra step after the checkout where the cardholder is prompted by their bank to provide additional information to complete a payment (e.g., a one-time code sent to their phone or fingerprint authentication through their mobile banking app).
3D Secure 2 – the new version of the authentication protocol rolling out in 2019 – will be the main method for authenticating online card payments and meeting the new SCA requirements.
This new version introduces a better user experience that will help minimise some of the friction that authentication adds to the checkout flow.
Other card-based payment methods such as Apple Pay or Google Pay already support payment flows with a built-in layer of authentication (biometric or password). These can be a great way for businesses to offer a frictionless checkout experience while meeting the new requirements.
Exemptions to Strong Customer Authentication
Under this new regulation, specific types of low-risk payments may be exempted from Strong Customer Authentication. Payment providers will be able to request these exemptions when processing the payment.
The cardholder’s bank will then receive the request, assess the risk level of the transaction, and ultimately decide whether to approve the exemption or whether authentication is still necessary.
Building authentication into your checkout flow introduces an extra step that can add friction and increase customer drop-off.
Using exemptions for low-risk payments can reduce the number of times you will need to authenticate a customer and reduce friction. The most relevant exemptions for internet businesses are:
Low-risk transactions
A payment provider will be allowed to do a real-time risk analysis to determine whether to apply SCA to a transaction. This is only permitted if the payment provider’s or bank’s overall fraud rates for card payments do not exceed the following thresholds:
- 0.13% to exempt transactions below €100
- 0.06% to exempt transactions below €250
- 0.01% to exempt transactions below €500
These thresholds will be converted to local equivalent amounts where relevant.
In cases where only the payment provider’s fraud rate is below the threshold, but the cardholder’s bank is above it, we expect the bank to decline the exemption and require authentication.
We expect this to be one of the most useful exemptions for businesses and one of the most widely supported by banks.
Payments below €30
This is another exemption that can be used for payments of a low amount. Transactions below €30 will be considered “low value” and may be exempted from SCA.
Banks will, however, need to request authentication if the exemption has been used five times since the cardholder’s last successful authentication or if the sum of previously exempted payments exceeds €100.
The cardholder’s bank will need to track the number of times this exemption has been used and decide whether authentication is necessary.
Due to the strict limitations of this exemption, we expect the low-risk transaction exemption to be more relevant for most payments.
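As an added illustration, not code from the original guide, the following Python models the two amount-based exemptions described above from the payment provider’s side: the low-risk (TRA) fraud-rate thresholds, and the counters the cardholder’s bank keeps for the low-value exemption. The thresholds are the ones quoted in the text; the function names, the counter handling and the choice to try TRA before low-value are assumptions.

```python
from dataclasses import dataclass

# Thresholds quoted in the guide: a provider whose card fraud rate (in percent) is at or
# below the rate may request a low-risk (TRA) exemption for amounts below the cap (EUR).
TRA_THRESHOLDS_PCT = [(0.13, 100), (0.06, 250), (0.01, 500)]

LOW_VALUE_CAP_EUR = 30            # transactions below this amount are "low value"
LOW_VALUE_MAX_USES = 5            # exemption uses allowed since the last successful SCA
LOW_VALUE_MAX_PREVIOUS_EUR = 100  # sum of previously exempted payments must not exceed this

@dataclass
class CardholderState:
    """Counters the guide says the cardholder's bank keeps since the last successful SCA.
    Constructed here for illustration; a real issuer holds these on its own side."""
    low_value_uses: int = 0
    low_value_total_eur: float = 0.0

def tra_limit_eur(fraud_rate_pct: float) -> int:
    """Largest amount cap the provider qualifies for, or 0 if its fraud rate is too high."""
    return max((cap for rate, cap in TRA_THRESHOLDS_PCT if fraud_rate_pct <= rate), default=0)

def low_value_allowed(amount_eur: float, state: CardholderState) -> bool:
    """Low value: under EUR 30, fewer than five uses, previous exempted spend not over EUR 100."""
    return (amount_eur < LOW_VALUE_CAP_EUR
            and state.low_value_uses < LOW_VALUE_MAX_USES
            and state.low_value_total_eur <= LOW_VALUE_MAX_PREVIOUS_EUR)

def choose_exemption(amount_eur: float, fraud_rate_pct: float, state: CardholderState) -> str:
    """Return which exemption to request, or 'sca' when authentication must be performed.
    TRA is tried first because the guide expects it to be the more widely supported one."""
    if amount_eur < tra_limit_eur(fraud_rate_pct):
        return "tra"
    if low_value_allowed(amount_eur, state):
        return "low_value"
    return "sca"

def record_outcome(state: CardholderState, amount_eur: float, decision: str) -> CardholderState:
    """Update the issuer-side counters once the payment completes (assumed behaviour)."""
    if decision == "sca":  # a successful SCA resets the low-value counters
        return CardholderState()
    if decision == "low_value":
        return CardholderState(state.low_value_uses + 1, state.low_value_total_eur + amount_eur)
    return state  # TRA exemptions are not counted against the low-value limits here
```

Remember that the bank, not the provider, makes the final call on any exemption request, so the result of `choose_exemption` is what you ask for, not what you will get.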
Fixed-amount subscriptions
This exemption can apply when the customer makes a series of recurring payments for the same amount, to the same business. SCA will be required for the customer’s first payment – subsequent charges however may be exempted from SCA.
We expect this exemption to be very useful for subscription businesses and broadly supported by European banks.
Merchant-initiated transactions (including variable subscriptions)
Payments made with saved cards when the customer is not present in the checkout flow (sometimes called “off-session”) may qualify as merchant-initiated transactions.
These payments technically fall outside the scope of SCA. In practice, marking a payment as a “merchant-initiated transaction” will be similar to requesting an exemption.
Like any other exemption, it will still be up to the bank to decide whether authentication is needed for the transaction.
To use merchant-initiated transactions, you will need to authenticate the card either when it’s being saved or on the first payment. Finally, you will need to get an agreement from the customer (also referred to as a “mandate”), in order to charge their card at a later point.
We expect this to be a vital use case for business models that rely on delayed payments, charge variable amount subscriptions, or bill for add-ons.
Industry requirements for how merchant-initiated transactions will work in practice are still being finalised.
Trusted beneficiaries
When completing authentication for a payment, customers may have the option to whitelist a business they trust to avoid having to authenticate future purchases.
These businesses will be included on a list of “trusted beneficiaries” maintained by the customer’s bank or payment service provider.
While whitelisting has the potential to make repeat purchases or subscriptions more convenient for customers, so far the adoption of this feature among banks has been slow.
We expect that it will not be broadly implemented by banks by September 2019, but we will support this exemption for our users when available.
Phone sales
Card details collected over the phone fall outside the scope of SCA and do not require authentication. This type of payment is sometimes referred to as “Mail Order and Telephone Orders” (MOTO).
Corporate payments
This exemption may cover payments that are made with “lodged” cards (e.g., where a corporate card used for managing employee travel expenses is held directly with an online travel agent), as well as corporate payments made using virtual card numbers (which are also used in the travel sector).
We expect this exemption to have low practical use outside of the travel industry due to its very narrow scope.
The exemption itself can only be requested by the cardholder’s bank, as neither the business nor payment providers are able to detect whether a card belongs to these categories.
What happens if a Strong Customer Authentication exemption fails?
While exemptions will be very useful, it’s important to remember that it’s ultimately the cardholder’s bank that will decide whether or not to accept an exemption. Banks will return new decline codes for payments that failed due to missing authentication.
These payments will then have to be resubmitted to the customer with a request for Strong Customer Authentication.
If your business is impacted by SCA, we recommend preparing for a fallback in case an exemption is rejected and your customer needs to authenticate.
This is particularly important if you charge your customers when they’re not actively in your checkout flow (when they are off-session) and your customer needs to return to your website or app to authenticate.
Businesses and payments impacted by Strong Customer Authentication
Businesses in the European Economic Area (EEA) that accept cards will be affected by Strong Customer Authentication. This regulation applies to transactions where both the business and the customer’s bank are located in the EEA.
Although not legally within the scope of the regulation, we expect a small minority of European banks to require SCA for all payments with their cards regardless of where the business is based.
If you’re based outside of Europe but a large portion of your sales are to European customers, we recommend preparing for SCA to minimise the risk of any payment being declined.