Strong customer authentication guide

If your business receives online payments from customers in Europe, you must comply with the Strong Customer Authentication (SCA) requirements. Not sure where to start? Our guide will tell you everything you need to know about SCA, how it works, and why it’s important for your business.

What is Strong Customer Authentication (SCA)?

Strong Customer Authentication is a requirement for businesses processing online payments in Europe. Introduced in 2019 as part of the revised Payment Services Directive (PSD2), it’s designed to increase payment security and reduce the risk of fraud.

SCA requires shoppers to complete extra levels of authentication when paying online. All businesses processing online payments within Europe must comply with PSD2 and therefore implement SCA measures..

This applies to online payments made in:

  • The UK
  • The European Economic Area (EEA)
  • Monaco

PSD2 and SCA apply when both the business’s payment service provider and the customer’s bank or card provider are located within the regions mentioned above. However, when one of these is based outside of Europe, the requirement is for the payment provider to use their ‘best efforts’ to adhere to SCA regulations.

With the implementation of GDPR, it’s likely that other countries will begin to adopt similar payment security measures. For businesses that regularly trade with Europe, it is probably worth preparing to comply with similar regulation as early as possible.

What is PSD2?

Also known as the Revised Payment Services Directive, PSD2 is an updated version of the European Payment Services Directive, offering a more secure payment landscape across the EEA.

The original Payment Services Directive (PSD) was implemented by the European Commission to create a simplified single market for payments in Europe, as well as offering greater transparency, more information, and stronger refund rights for consumers. The PSD is the legal framework for all payment providers operating within the EEA.

With many developments in ecommerce and fintech over recent years, the European Commission proposed a revision of this framework, known as PSD2, in 2013. Along with implementing robust regulatory processes for new and emerging payment methods and providers, PSD2 opens the sector up to innovative technologies such as open banking by allowing financial institutions other than banks to access banking data and accounts.

While the initial deadline for PSD2 to go into effect was 14 September 2019, this was pushed back to 31 December 2020 due to the complexities of implementing it in dozens of countries that each have their own purchasing habits, preferences, and laws.

How does Strong Customer Authentication work?

Strong Customer Authentication helps to minimise the risk of fraud by asking customers to complete extra steps when verifying their identity when making an online payment. It’s a type of two-factor authentication that uses multiple dynamic data points instead of asking for a single password which could be easily guessed or hacked.

The SCA guidelines outline three categories of authentication. To be compliant with Strong Customer Authentication requirements, a business’s verification process must ask users to satisfy two out of the three categories before a payment can be completed.

The authentication categories are:

  • Knowledge
  • Possession
  • Inherence

Let’s look at each of these in more detail.

Knowledge

The knowledge category covers something that only the user knows. The verification process should ask them to enter information that only they know.

This may include:

  • PIN
  • Password
  • Passphrase
  • Secret answer

This is one of the more standard methods of verifying a user’s identity but becomes much stronger when combined with one of the other two categories.

Possession

The possession category covers something that only the user has. It asks the user to interact with a device that they own or have a personal item on hand that is registered to their account.

This may include:

  • Smartphone
  • Smartwatch
  • Debit or credit card
  • Token

Taking an element of the verification process offline makes it more difficult for fraudsters to take advantage of data gained through hacking or a password leak.

Inherence

The inherence category relates to the payee’s unique physical attributes.

This may include:

  • Fingerprint
  • Facial recognition
  • Voice pattern
  • Iris scan

These biometric authentication methods are much harder to bypass than static password input, offering a more robust level of security.

What are the different types of Strong Customer Authentication?

There are two main types of SCA that are implemented depending on the payment method used.

3D Secure

3D Secure is most commonly used for securely processing debit and credit card transactions online. The first iteration, known as 3DS1, redirected customers to their bank to authorise a payment by entering a password or confirmation code. While it improved security, it didn’t offer a streamlined checkout process and often led to customers abandoning their purchases.

The improved version, 3DS2, uses a wider range of authentication processes, including biometrics, to make payments more secure without moving out of the native app. This is particularly useful for transactions on mobile devices, where switching between different websites and authorisation prompts can be complicated.

Local payment methods and e-wallets

Allowing customers to use their preferred payment method can improve their experience and entice them to return. There are many different local payment methods and digital wallets in use throughout the EEA with SCA compliance built in, providing a secure and efficient payment process that works for businesses and consumers alike.

As well as globally recognised payment methods such as PayPal and Klarna, individual countries within the EEA have their own preferred local payment methods, such as:

  • EPS (Austria)
  • KBC/CBC (Belgium)
  • PostePay (Italy)
  • Giropay  (Germany)
  • Cartes Bancaires (France)
  • iDEAL (Netherlands)
  • Przelewy24 (Poland)

International e-wallets such as Apple Pay and Google Pay are also popular options for making secure, convenient purchases without the need to carry cash or even a physical payment card. Implementing these types of payment methods can help businesses to stay compliant with PSD2 while making the checkout process easy for their customers.

SCA out-of-scope exemptions

Certain types of transactions are considered outside the scope of the PSD2 mandate and therefore don’t require Strong Customer Authentication.

Phone and mail transactions

Any payments taken by a business over the phone or via mail are exempt from SCA. These types of payment, known as MOTO transactions (mail order and telephone order), aren’t considered to be electronic payments and therefore don’t need to comply with PSD2.

Merchant-initiated transactions

Merchant-initiated transactions, or MITs, are taken from a customer’s saved payment details on an arranged date. The first payment will need to be authenticated, and customer consent obtained for the business to process future transactions on their behalf. MITs can be used to take payment without SCA for products or services with a variable cost, such as bills.

Inter-regional transactions

Where the card issuer or acquirer is not based in the EEA, UK, or Monaco, the transaction is considered out of scope. This means that European businesses don’t need SCA to accept payments from customers outside of Europe.

Strong Customer Authentication exemptions

There are some instances where the SCA process can be inconvenient for consumers, and additional authentication steps aren’t required.

Low-risk transactions

Card issuers and acquirers may use transaction risk analysis (TRA) to determine the risk associated with a payment. They may request an exemption to skip SCA for a particular low-risk transaction that would otherwise be in scope. This is only possible if the acquirer or issuer has low enough fraud rates.

Low-value transactions

Transactions under €30 don’t require SCA. However, the issuing bank will keep track of cumulative transactions attempted on the same card. If the total amount is higher than €100, SCA will be required. Additional security checks will also be required after every five transactions, even for low-value payments.

Trusted companies

Customers can choose to add businesses to a whitelist of trusted beneficiaries maintained by their bank. These trusted companies will be exempt from SCA, regardless of the transaction amount, providing a smoother process for regular customers.

Recurring transactions

Recurring payments of a fixed amount will be exempt from SCA. Only the first instance of the payment will require additional security checks, and future payments will be taken automatically without authorisation. However, if the payment amount changes, SCA will be required for the new amount.

B2B transactions

Transactions between two businesses may be exempt from SCA. However, this only applies for transactions made using a payment tool specifically for B2B payments.

Why is Strong Customer Authentication important for your business?

While its main focus is to protect customers from fraudulent transactions, Strong Customer Authentication also offers lots of benefits for your business.

If your business processes payments within the EEA, UK or Monaco, SCA compliance is a legal requirement. Failing to comply puts your business at risk of being fined, while payment providers may have their payment licence revoked.

Maintain brand trust

Whatever industry you’re in, protecting your customers and their personal data should always be a priority. This is particularly important when it comes to payment information.

By offering secure payment methods, you demonstrate that you are reliable and that you care about your customers, which will help to encourage repeat business.

Streamline your checkout process

As well as adhering to regulatory standards, SCA helps you to provide a better experience for your customers. By partnering with a trusted third-party payment provider, you can offer customers a quick and efficient checkout and their preferred payment methods, boosting conversions.

Grow your business

The increased trust and customer loyalty gained by offering a safe, secure payment process is a great way to boost sales and grow your business. If you are looking to drive growth, offering an SCA-compliant payment method can help you attract new customers and increase sales.

Effortless Strong Customer Authentication with Mollie

However large or small your business, the team here at Mollie can help you to provide effortless payment processes that comply with SCA and PSD2 requirements and help you drive growth.

Easily accept multiple payment methods and offer your customers a streamlined checkout process that boosts conversions. On top of that, we offer a suite of powerful integrations to help improve what you do, expert support teams across Europe, and a Dashboard and app to help you manage your business on the go. You can access this with transparent pricing and no hidden fees or lock-in contracts. 

Get better payments now.