SCA: What is Strong Customer Authentication?

Electronic payments are growing fast as consumers find that cash is less and less convenient for their needs. This growth has led to increased sophistication from fraudsters who try to part us from our hard-earned money, and combatting fraud is a top priority for payment providers and governments.

New legislation is underway to increase the safety of our payments.

What is Strong Customer Authentication (SCA)?

Strong Customer Authentication, or SCA, is a new security standard that is part of the Payment Services Directive 2 (PSD2), a crucial piece of legislation in Europe.

SCA protects consumers and businesses from fraud by making it more difficult for a fraudster to make payments from their accounts.

What is changing through SCA?

Through SCA, a consumer or business has to verify their identity in two out of three ways when making a payment.

The three verification options are:

  1. Something they know, such as a secure password or a PIN.
  2. Something they have, such as a mobile device or a secure key token.
  3. Something they are, which means a form of biometric identification such as a facial scan, an iris scan or a fingerprint.

Will SCA impact my business?

If your business accepts payments from within Europe and your business bank account is based in Europe, then your business is in scope for SCA.

You must have a compliant payments process in time for the deadline for implementing SCA; otherwise, you risk your customer’s bank declining payments, which will cause a significant disruption to your business.

When does SCA come into effect?

The new SCA rules launched in September 2019 with implementation planned for 2020 and 2021.

The Financial Conduct Authority (FCA), which is the regulatory body for financial services in the UK, has extended the full implementation date for the UK to 14 September 2021 in recognition of the amount of work that is still required, and due to the disruption caused by COVID-19.

SCA will roll out gradually, with random checks of e-commerce payments taking place from 1 June 2021. To minimise the disruption to your business, check that your payment solutions provider will be ready for SCA within this timeframe.

Will Brexit impact SCA in the UK?

The FCA has stated that the deadline for implementing SCA in the UK will be 14 September 2021. There is currently no expectation that developments with Brexit will change this.

Does Strong Customer Authentication apply to all payments?

Businesses have understandably been concerned about any changes to their payment methods that could lead to buyers abandoning their payments, due to friction points in the process.

However, certain lower-risk transactions are exempt, including:

  • Fixed subscriptions: if you collect a fixed fee from customers regularly, then the first payment will need to be made with SCA, but future payments will not.
  • Low-risk transactions: if the payment provider’s or the bank’s fraud rates for card payments are very low, then they may be granted the option not to apply SCA to some transactions.
  • Low-value transactions: payments below a threshold of €30 are likely to be exempt from SCA unless the exemption has been used five times since the last time the customer provided authentication, or if the total of their exempted payments was greater than €100.
  • Trusted beneficiaries: in the future, customers may have the option to whitelist organisations that they trust with their payments, which could remove the SCA on future payments.
  • Sales completed by phone: phone sales are out of scope for SCA purposes, and businesses must mark them as ‘mail order and telephone order’ (MOTO) payments.
  • Corporate payments: specifically, payments for travel services.
  • Merchant-initiated transactions: if your business stores card details with the permission of your customers, enabling you to charge variable amounts at future dates, then these payments are likely to be exempt.
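
As an added illustration (not code from this article or from any payment provider), the Python example below applies the two-out-of-three rule and the low-value exemption counters as this article states them. The factor names, the class and function names, and the choice to count the current payment towards the €100 total are assumptions made for the example.

```python
from dataclasses import dataclass
from decimal import Decimal

LOW_VALUE_LIMIT = Decimal("30")    # article: payments below EUR 30
MAX_EXEMPT_COUNT = 5               # article: exemption used five times
MAX_EXEMPT_TOTAL = Decimal("100")  # article: exempted total above EUR 100

# Hypothetical factor names mapped to the three categories in the article.
FACTOR_CATEGORY = {
    "password": "know", "pin": "know",
    "phone": "have", "token": "have",
    "fingerprint": "are", "face": "are",
}

def satisfies_sca(factors):
    """True when the verified factors span at least two different categories."""
    return len({FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}) >= 2

@dataclass
class LowValueTracker:
    """Per-customer counters since the last successful authentication."""
    exempt_count: int = 0
    exempt_total: Decimal = Decimal("0")

    def needs_sca(self, amount):
        if amount >= LOW_VALUE_LIMIT:
            return True                      # not a low-value payment
        if self.exempt_count >= MAX_EXEMPT_COUNT:
            return True                      # exemption already used five times
        # Assumption: the current payment counts towards the running total.
        return self.exempt_total + amount > MAX_EXEMPT_TOTAL

    def authorise(self, amount, factors=()):
        """Return 'exempt', 'authenticated' or 'declined' and update counters."""
        amount = Decimal(str(amount))
        if not self.needs_sca(amount):
            self.exempt_count += 1
            self.exempt_total += amount
            return "exempt"
        if satisfies_sca(factors):
            self.exempt_count = 0            # authentication resets both counters
            self.exempt_total = Decimal("0")
            return "authenticated"
        return "declined"                    # SCA required but not satisfied

def run_demo():
    """Constructed payment sequence for one customer."""
    t = LowValueTracker()
    out = [t.authorise(25) for _ in range(4)]          # EUR 100 in total
    out.append(t.authorise(25))                        # would reach EUR 125
    out.append(t.authorise(25, ["pin", "password"]))   # same category twice
    out.append(t.authorise(25, ["pin", "phone"]))      # two categories
    out.append(t.authorise(10))                        # counters were reset
    return out
```

Two factors from the same category, such as a PIN and a password, do not satisfy the rule, which is why the sixth payment in the constructed sequence is declined.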

How can I make sure that my business complies with SCA?

The first step to compliance is talking to your payment solutions provider. Check that they offer card machines and other payment solutions that will be fully compliant with SCA and the wider PSD2 regulations.

Your payments solutions provider must have the backing of an established bank who will be ready for the new regulations, and who has sophisticated ongoing processes to protect you and your customers from fraud.

For example, payment experts UTP Group benefit from the excellent fraud processes offered by their bank. On top of this they provide a unique, additional layer of checks and protection for their customers.

Conclusion: get on the path to SCA compliance today

SCA will change the payments landscape and offer a higher level of protection for businesses and consumers.

While the UK’s formal deadline for implementation is not until 14 September 2021, it’s essential to prepare now. Make sure that you are working with a payment solutions provider who can help you to be compliant, and who offers the range of services that will help your business to grow and prosper.