Strong Customer Authentication: what ecommerce businesses need to know
Strong Customer Authentication (SCA) is a security requirement from the European Union for contactless, online, and mobile payments. Strong Customer Authentication is part of the revised Payment Services Directive (PSD2), developed to improve on the existing one-time-password (OTP) notification system. Asking customers to authenticate their purchase with a TAN or SMS confirmation made sense 10 years ago, but electronic payments technology has moved on, and fraudsters have found loopholes. The PSD2 directive requires two-form identification at checkout. The authentication burden is on the customer’s bank, but as an online business it is your responsibility to build the processes for these checks into your checkout. So how will this new authentication requirement affect your business? Will the fraud reduction be worth more friction at checkout? Let’s take a look.
When did Strong Customer Authentication come into effect?
The European Banking Authority approved SCA in 2019; however, the new regulation wasn’t enforced for ecommerce in the EU until 1 January 2021. In the UK, the regulation was applied to face-to-face payments on 15 September 2021.
What is two-form identification at checkout?
Strong Customer Authentication requires that customer authentication must include at least two of the following elements:
- Something only the customer knows
- Something only the customer owns
- Something only the customer has
Something only the customer knows
This can be a password, a PIN, or the answer to a specific question. It is most often handled by an existing password or a 4- to 6-digit number sent by text.
Something only the customer owns
Examples include a mobile phone, token generator, card reader, desktop, tablet, or any other authorised device. This part of the check is done without active input from the customer.
Something only the customer has
In essence, this is some sort of biometric data; Face ID or fingerprints are good examples. Strong Customer Authentication requires that you meet these two-factor authentication conditions to reduce the likelihood of fraudulent activity. In doing so, it also helps keep sensitive customer data secure and private from external parties.
When does Strong Customer Authentication apply?
Strong Customer Authentication (SCA) is triggered when a customer initiates an online transaction, and both the customer’s bank and your bank are located within the EU or the UK. If you are refunding money to a customer, for example, SCA does not apply because the transaction has been initiated by the business. If your customer’s bank is located in the US and your bank is in the EU (or vice versa), then SCA also does not apply.
What transactions are exempt from Strong Customer Authentication?
The EU is aware that requiring additional steps for an online purchase introduces friction during a sensitive part of the sales process. To help reduce this friction, they have made some exceptions to the SCA rules. The following transactions are exempt from SCA:
A well-established payment provider may be allowed to calculate the fraud risk for a transaction and determine whether to enable SCA or not. In general terms, the exemption requires that the level of fraud the payment service provider reports must be lower than the reference fraud rates throughout the EU for the same type of transactions. Other factors in the calculation include the transaction amount being less than €500, and the behaviour and geographic location of the customer as it relates to the normal behaviour for that online payment method.
It’s important to know that this assessment is done by the payment service provider and has nothing to do with the health or profile of your business.
If the customer has made fewer than five payments in the last 24 hours, or if the sum of the payments in the last 24 hours is less than €100, the transaction is usually considered exempt.
When you bill your customer monthly via credit or debit card, SCA is only applied for the first payment. If the amount changes each month, then SCA may be applied. Recurring payments are usually invoices for regular services, subscriptions or instalments. Recurring payments managed through SEPA direct debit have their own security procedures and are completely separate from SCA protections.
If your customer uses a commercial credit card, meaning one issued on a company’s business account, then any transactions will likely be exempt, since PSD2 doesn’t apply to B2B purchases.
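As an added example (not Mollie’s code or any part of PSD2 itself), the helper below turns the applicability rules and the exemptions described above into one decision function that a checkout could call before deciding whether to hand the customer to their bank for authentication. The country set is an illustrative subset, the low-value rule is taken in its stricter reading (both the count and the cumulative sum must be low), and the transaction-risk-analysis outcome is treated as an input supplied by the payment service provider, since that assessment is theirs to make.

```python
from dataclasses import dataclass, field

# Assumption: illustrative subset of EU/UK country codes, not the full list.
EU_UK = {"DE", "FR", "NL", "BE", "IE", "ES", "IT", "AT", "GB"}


@dataclass
class Transaction:
    amount_eur: float
    customer_bank_country: str
    merchant_bank_country: str
    customer_initiated: bool = True      # a refund is merchant-initiated
    corporate_card: bool = False         # card issued on a company's business account
    recurring: bool = False
    first_in_series: bool = False
    amount_changed: bool = False         # recurring amount differs from the previous one
    # Amounts of this customer's earlier payments in the last 24 hours (constructed input).
    prior_24h: list = field(default_factory=list)
    # Result of the payment service provider's own risk assessment, not the merchant's.
    psp_low_risk: bool = False


def sca_decision(tx: Transaction) -> tuple[str, str]:
    """Return ("not_applicable" | "exempt" | "required", reason)."""
    # SCA only covers customer-initiated payments between EU/UK banks.
    if not tx.customer_initiated:
        return "not_applicable", "merchant-initiated transaction (e.g. a refund)"
    if tx.customer_bank_country not in EU_UK or tx.merchant_bank_country not in EU_UK:
        return "not_applicable", "one of the banks is outside the EU/UK"
    # Exemptions, checked in order; the first match wins.
    if tx.corporate_card:
        return "exempt", "commercial card: PSD2 does not cover B2B purchases"
    if tx.recurring and not tx.first_in_series and not tx.amount_changed:
        return "exempt", "recurring payment: SCA was applied to the first payment"
    count = len(tx.prior_24h) + 1
    total = sum(tx.prior_24h) + tx.amount_eur
    # Assumption: conservative reading, both low-value conditions must hold.
    if count < 5 and total < 100:
        return "exempt", f"low value: {count} payments, EUR {total:.2f} in 24h"
    if tx.psp_low_risk and tx.amount_eur < 500:
        return "exempt", "provider's transaction-risk analysis is below the reference fraud rate"
    return "required", "no exemption applies; the customer's bank must authenticate them"
```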
How does SCA work with digital wallets?
Strong Customer Authentication allows for fast and secure payments with digital wallet options like Apple Pay and Google Wallet. Remember, a transaction needs to meet only two of the three SCA requirements to work. Since digital wallets are usually used on mobile phones or tablets, which also have some sort of Face ID or fingerprint capability, two of the three requirements are already met. It doesn’t matter whether the customer chooses a credit card or a debit card to pay. As long as their bank allows that card to be registered with Apple Pay or Google Wallet, they’re good to go.
How do you implement SCA?
You are obligated to comply with the new SCA requirements if these criteria apply:
- Your business is located in the European Economic Area, or you make payments on behalf of connected accounts based in the EEA
- Your customers are in the EEA
- You accept credit or debit cards
The easiest way to do that is to use an SCA-compliant payment gateway, such as Mollie.
If you’re working with a custom payment gateway, your developers will need to make sure that they’ve added the additional authentication layers to your site’s checkout flow. These extra checks allow banks to verify the customer’s information through the two-step customer identification process.
To discover more relevant tips for keeping your ecommerce payments secure and compliant, reach out to Mollie. Sign up today and start offering secure payment methods in your ecommerce store.