On September 14, 2019, strong customer authentication (SCA) became a requirement for companies dealing with electronic payments in Europe. The requirement is relevant to every business in the European Economic Area (EEA), Monaco, and the UK processing online payments and is part of the revised payment service directive (PSD2).
SCA adds an extra layer of security to online payments by requiring stronger, multi-factor authentication of the payer, which makes stolen card data alone insufficient to complete a payment. In this guide, we define SCA and review its requirements, how to comply, and the exemptions.
What is strong customer authentication (SCA)?
Strong customer authentication (SCA) is a requirement of the second payment service directive (PSD2) for all EEA, Monaco, and UK payment service providers. It requires that electronic payments and online account access are protected with two-factor authentication (2FA), unless one of the exemptions set out in the regulation applies.
The initial definition of strong customer authentication may appear complicated, but it can also be explained in a simple way. In short, SCA means that payers in Europe need to perform extra authentication steps when purchasing goods or services online.
The SCA requirement is part of the European PSD2. We have prepared an extensive guide on this topic, where you can find the PSD2 explained in detail and familiarise yourself with all the essential related information.
The required authentication must combine at least two of the following three categories of elements, and the elements must be independent, so that the compromise of one does not compromise the other:
- Knowledge: something only the user knows. For example, a password, a PIN, a pattern, etc.
- Possession: something only the user possesses, such as a mobile phone, tablet, hardware token, etc.
- Inherence: something the user is. For example, a fingerprint, facial features, voice patterns, etc.
Two-factor authentication verifies a user's identity far more reliably than the static passwords that banks previously relied on, since an attacker who phishes or guesses the password still lacks the second element.
How does SCA work?
SCA authenticates the user's identity at the moments where fraud is most likely, providing better protection for consumers.
With some exceptions, SCA is applied each time:
- A user accesses their payment account online;
- A payer initiates an electronic payment;
- A user carries out any action through a remote channel that may imply a risk of payment fraud or other abuse.
From the business perspective, the SCA step differs depending on the payment method. 3D Secure (3DS) is the protocol used for credit and debit cards, while mobile wallets and other local payment methods often provide their own authentication step, which is SCA-compliant.
What is SCA compliance?
In order to comply with PSD2 requirements for SCA, businesses must have multi-factor authentication in their payment flow. There are two main ways to become SCA-compliant: companies can either implement the 3D Secure protocol for card payments or integrate alternative payment methods that carry their own authentication.
The 3D Secure protocol was developed to add an authentication step that protects cardholders while they make online payments. SCA via 3D Secure requires an action from the payer to confirm that it is really them making the payment. The confirmation may be performed by entering a one-time code received via SMS or by approving the payment in a mobile application provided by the card issuer. Note that an SMS code on its own is only the possession element; the issuer combines it with a second element, such as a password or a biometric check in its app, to complete the two factors.
One of the main features of the 3D Secure protocol is the liability shift. Once the issuer has authenticated the cardholder, liability for fraud-related chargebacks moves from the merchant to the issuing bank. The shift covers fraud disputes only; other chargeback reasons, such as goods not received, remain with the merchant.
Alternative payment methods
Companies looking for SCA-compliant payment options can integrate the so-called local payment methods or digital wallets.
Local payment methods are payment options popular in a specific geographic location. Choosing a reliable online payment solution can spare merchants the burden of integrating each bank into the payment flow separately and ensures SCA compliance.
Integrating local payment methods can also improve a merchant’s payment flow, create a better checkout experience for consumers, and increase conversion rates.
What are the SCA requirements?
SCA is required for electronic payments in the EEA, Monaco, and the UK. Both the payer's payment service provider (the card issuer) and the payee's payment service provider (the merchant's acquirer) need to be within this area. When one of them is outside it (a so-called one-leg-out transaction), SCA is not mandatory, and the provider inside the area applies it on a best-efforts basis. The SCA requirement ensures that online payments are made with multi-factor authentication, which increases the security of online transactions.
Some transactions may be exempt from SCA. We’ll review the main SCA exemptions in the following section.
What are the SCA exemptions?
We have mentioned that SCA applies to most online payments in Europe. However, some transactions are exempt from the PSD2 mandate. The exemption is always decided by the issuer, even when the acquirer requests it. Here are the most relevant SCA exemptions:
Low-risk transactions
Transactions that are considered low-risk can be exempt from SCA. The risk is assessed through transaction risk analysis (TRA), and the exemption is only available to an issuer or acquirer whose overall fraud rate for remote card payments stays below the thresholds set in the regulation: up to €100 with a fraud rate below 0.13%, up to €250 below 0.06%, and up to €500 below 0.01%. Transactions above €500 cannot use this exemption.
If the acquirer considers the transaction to be low risk, it can request a TRA exemption. If the issuer grants it, the consumer can skip SCA for that transaction, provided the amount is within the band the provider's fraud rate allows.
Low-value transactions
Transactions of €30 or less do not require SCA, as long as the cumulative amount of such payments on the same card stays within €100.
This means that payments of €30 or less can go through without authentication, but the issuing bank tracks how many payments have been made under this exemption since the last SCA. The payer will be prompted to perform SCA once the cumulative amount since the last SCA exceeds €100, or after five consecutive exempt transactions; the counters then restart.
Recurring transactions
Recurring transactions of a fixed amount to the same payee can be exempted from SCA after the first transaction, which requires authentication. However, if the payment amount changes, the payer will have to perform SCA again for the new amount.
Trusted beneficiaries
A payer can choose trusted merchants and whitelist them with their issuer as trusted beneficiaries. Once a merchant is whitelisted, the cardholder can pay it without SCA, regardless of the amount.
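To make the exemption rules above concrete, here is an added example of the decision an issuer makes for each incoming card payment: it is not code from the original page or from any payment provider, and the payee names, amounts and fraud rates are constructed for illustration. It models the four exemptions (trusted beneficiary, recurring fixed amount, TRA with the regulatory fraud-rate bands, and low-value) and, for the low-value rule, the per-card counters that reset whenever SCA is performed. Where the wording allows two readings, it takes the stricter one: the current payment counts towards the €100 cumulative limit, and SCA is required on the sixth consecutive low-value payment.

```python
"""Issuer-side SCA exemption decision for card payments (illustrative only).

Rules modelled, as described in the text of this page:
  * trusted beneficiary: payee is on the payer's whitelist held by the issuer;
  * recurring: same payee and same fixed amount as an already authenticated series;
  * TRA: acquirer requests it and its fraud rate is below the band threshold
    (EUR 100 at 0.13%, EUR 250 at 0.06%, EUR 500 at 0.01%, nothing above EUR 500);
  * low value: amount <= EUR 30, cumulative amount since last SCA <= EUR 100
    (stricter reading: current payment included), at most five consecutive
    exempt payments since last SCA.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# (maximum amount, maximum fraud rate) bands for the TRA exemption.
TRA_BANDS = (
    (Decimal("100"), Decimal("0.0013")),
    (Decimal("250"), Decimal("0.0006")),
    (Decimal("500"), Decimal("0.0001")),
)
LOW_VALUE_MAX = Decimal("30")
LOW_VALUE_CUMULATIVE_MAX = Decimal("100")
LOW_VALUE_MAX_COUNT = 5


@dataclass
class CardState:
    """Per-card state the issuer keeps between payments."""
    cumulative_since_sca: Decimal = Decimal("0")   # sum of exempt payments since last SCA
    count_since_sca: int = 0                        # number of exempt payments since last SCA
    trusted_payees: set = field(default_factory=set)
    recurring_series: set = field(default_factory=set)  # (payee, amount) pairs already authenticated


@dataclass
class Payment:
    payee: str
    amount: Decimal
    tra_requested: bool = False
    acquirer_fraud_rate: Decimal = Decimal("1")  # assume worst case unless the acquirer states it
    recurring: bool = False


def tra_exempt(amount: Decimal, fraud_rate: Decimal) -> bool:
    """True if the amount falls in a band whose fraud-rate ceiling the acquirer meets."""
    for max_amount, max_rate in TRA_BANDS:
        if amount <= max_amount:
            return fraud_rate <= max_rate
    return False  # above EUR 500: TRA never applies


def decide(state: CardState, payment: Payment):
    """Return the exemption applied, or None when SCA is required.

    Updates the card's counters as a side effect: any exempt payment adds to the
    low-value counters; performing SCA resets them and records a recurring series.
    """
    amount = payment.amount
    exemption = None
    if payment.payee in state.trusted_payees:
        exemption = "trusted_beneficiary"
    elif payment.recurring and (payment.payee, amount) in state.recurring_series:
        exemption = "recurring_fixed_amount"
    elif payment.tra_requested and tra_exempt(amount, payment.acquirer_fraud_rate):
        exemption = "tra"
    elif (amount <= LOW_VALUE_MAX
          and state.cumulative_since_sca + amount <= LOW_VALUE_CUMULATIVE_MAX
          and state.count_since_sca < LOW_VALUE_MAX_COUNT):
        exemption = "low_value"

    if exemption is None:
        # SCA is performed: counters restart; a recurring payment starts a series.
        state.cumulative_since_sca = Decimal("0")
        state.count_since_sca = 0
        if payment.recurring:
            state.recurring_series.add((payment.payee, amount))
    else:
        state.cumulative_since_sca += amount
        state.count_since_sca += 1
    return exemption


def simulate(payments, state: CardState = None):
    """Run a sequence of payments against one card and return the decisions."""
    state = state if state is not None else CardState()
    return [decide(state, p) for p in payments]


if __name__ == "__main__":
    card = CardState(trusted_payees={"coffee-shop"})
    for p in [Payment("shop", Decimal("25")), Payment("coffee-shop", Decimal("800")),
              Payment("gym", Decimal("40"), recurring=True),
              Payment("gym", Decimal("40"), recurring=True)]:
        print(p.payee, p.amount, "->", decide(card, p) or "SCA required")
```

The priority order is a design choice: the whitelist and an established recurring series are checked before the amount-based exemptions, so a large payment to a trusted payee never hits the low-value counters. Every exempt payment, whichever exemption it used, still counts towards the low-value limits, because those limits are defined relative to the last time SCA was actually performed.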
SCA is a requirement introduced to ensure better security for online payments. It applies whenever both the payer's and the payee's payment service providers are located in the EEA, Monaco, or the UK. Companies must have multi-factor authentication in their payment flow to comply with SCA.
Businesses can use the 3D Secure protocol to comply with SCA for card payments, or integrate local payment methods that bring their own authentication. SCA applies to all online payments, including web and mobile payments. Some transactions are exempt from SCA, including low-risk, low-value, and fixed-amount recurring payments, as well as payments to trusted beneficiaries.
If you’re interested in learning more about PSD2 or open banking, read our other blog posts. We’ve prepared an extensive guide, where you’ll find open banking explained.