Strong Customer Authentication, also known as SCA, is a new regulation that requires internet businesses to apply multiple ways of verifying clients’ identities.
14 September 2019 is the day when the new regulation comes into force. We’ve already explained what PSD2 is and how it is supposed to work.
Now, PaySpace Magazine will explain what SCA is, and what internet businesses should know about the new regulation.
What is SCA?
Strong Customer Authentication, also known as SCA, is a new regulation that requires internet businesses to apply multiple ways of verifying clients’ identities.
In other words, it is a requirement related to PSD2 (European Revised Directive on Payment Services), which means that merchants have to use two of the three independent authentication methods when accepting online payments. This lets retailers confirm that clients are who they say they are.
As we’ve mentioned above, now you’ll have to use at least two of the three authentication methods:
- Something the client knows (password or PIN)
- Something the client has (for example, phone)
- Something the client is (fingerprint, facial recognition, etc.)
This means that banks will have to decline transactions that require SCA but do not meet those criteria.
Nevertheless, with the permission of the EBA (European Banking Authority), some European Economic Area states have announced they will probably delay the implementation of the new regulation for a number of reasons.
The official wording
According to the Official Journal of the European Union:
When is it required?
SCA will primarily apply to “customer-initiated” online payments within Europe. Apparently, the new requirements will be extended to the majority of card transactions and all bank transfers. When the regulation comes into force, they will all require Strong Customer Authentication. On the other hand, recurring direct debits will not require SCA since they are considered to be “merchant-initiated” payments. Furthermore, in-person card payments will not be affected either.
SCA will apply to online card payments only when both the merchant’s and the payer’s banks are situated within the EEA (European Economic Area).
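The sketch below is an added example, not code from the article or from any payment provider. It encodes the two rules described above for online card payments: when SCA applies, and whether the presented factors come from at least two different categories. All names (`Payment`, `CATEGORY`, the factor labels) are hypothetical and the sample inputs are constructed.

```python
from dataclasses import dataclass

# Constructed factor labels mapped to the three SCA categories.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge",        # something the client knows
    "phone": "possession",                              # something the client has
    "fingerprint": "inherence", "face": "inherence",    # something the client is
}

@dataclass
class Payment:
    online: bool                 # False for in-person card payments
    customer_initiated: bool     # False for recurring direct debits
    merchant_bank_in_eea: bool
    payer_bank_in_eea: bool

def sca_required(p: Payment) -> bool:
    """Scope rules as the article states them for card payments."""
    if not p.online or not p.customer_initiated:
        return False
    return p.merchant_bank_in_eea and p.payer_bank_in_eea

def factors_satisfy_sca(factors: list[str]) -> bool:
    """Two factors only count if they fall into two different categories.

    An unknown factor label raises KeyError instead of being trusted.
    """
    return len({CATEGORY[f] for f in factors}) >= 2

def decide(p: Payment, factors: list[str]) -> str:
    """Return the outcome a bank would reach under these rules."""
    if not sca_required(p):
        return "accept: SCA not required"
    if factors_satisfy_sca(factors):
        return "accept: SCA satisfied"
    return "decline: SCA required but not met"
```

A password plus a PIN is the case worth noting: two credentials, but both are "something the client knows", so the check fails.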
Presently, 3D Secure is the most popular method of authenticating online payments. A large number of European cards support this standard. Using 3D Secure means implementing an extra step after the checkout. Normally, cardholders have to provide additional data to complete the payment. For example, it can be a one-time code (SMS), fingerprint, or facial recognition (usually implemented via the mobile application of the customer’s bank).
In 2019, the new standard called 3D Secure 2 was also introduced. It is a new version of good old 3D Secure, and it meets SCA requirements.
This new version introduces a better user experience that will help minimize some of the friction that authentication adds to the checkout flow.
Let’s recall how PSD2 affected the market:
PSD2 at a glance
- Update of First Payment Services Directive (PSD1) driven by continual rise of eCommerce and technological innovation in the payments sector.
- PSD2 came into force on 13th January 2018.
- PSD2 consists of 112 articles and 11 mandates (EBA was asked to examine these special points by the regulators).
- These mandates included SCA info and guidance about exemptions and challenges.
PSD2: Key implications for merchants
Creation of PISPs – Such a service is able to initiate a credit transfer on behalf of account owners (digital or card-based).
Creation of AISPs – This service is able to collect and consolidate data across one or more deposit accounts.
Limited surcharges – Merchants will not be able to surcharge payment methods with regulated interchange.
SCA – Obliges merchants to use at least two of the three authentication methods for the majority of electronic payments (including exemptions).
3-D Secure – eCommerce merchants will need to integrate dynamic authentication tools (for example, 3D Secure 2.0).