
What is SCA (Strong Customer Authentication) and PSD2?

What Is SCA?

SCA first came into being in September 2019* as a response to the European Second Payment Services Directive (PSD2). These plans detail a list of requirements that banks, building societies and certain firms must abide by – chief of these being that providers must respond to certain kinds of complaints within a fifteen-day window, helping to improve the issue resolution problems that have plagued the industry for close to a decade.

* You’ll find a full explanation of the timeline of SCA later in this article.

The other part of this process involves the deployment of SCA – forcing businesses that sell goods and services online to build additional validation steps into their ecommerce checkout pipeline. In simple terms, this means adding three key elements:

An element the customer ‘knows’: This can be a unique password, PIN, or phrase.
An element the customer ‘has’: This can be a smartphone, a registered and trusted device, or a unique token.
Something that the customer ‘is’: This can be a unique physical identifier such as a fingerprint, or eye or face recognition.

When the changes required by PSD2 are formally enforced by the deadline of December 2020, banks will be required to decline any* payments that don’t involve these three elements as formal validation.

* There are some exemptions to this, more on that in a moment.

As it currently stands, SCA will only apply to any payments that are delivered online in the Eurozone. Broadly speaking, this means it will affect any individual making an online payment from an EU country to another EU country.

As it stands, some companies have already gotten ahead of the curve and used secure payments such as Visa’s ‘Verified by’ initiative or Mastercard’s long-running ‘Identity Check’ program.

This does offload a little extra responsibility onto customers, who will now be increasingly required to use biometrics or recognised tokens when making payments. This will commonly involve validating your personal phone number with your bank or agreeing to use your fingerprint data as a passkey – something that more data-savvy citizens could be apprehensive about.

However, when it comes to ‘worrying’, what customers face is a mild inconvenience compared to the comprehensive work some businesses will be required to undertake. This will involve fundamentally changing their checkout processes, embedding an extra layer of security, and sufficiently road-testing it before they fully implement SCA.

If not tested correctly, this can derail a customer’s user journey and result in significant revenue loss – placing your bottom line at risk and losing any goodwill you may have built with your user base.

However, SCA also offers a fantastic way to provide peace of mind to customers, ensuring that their online interaction with the vendor is secure. And, given the importance of keeping the customer journey as seamless as possible, it’s likely that the best providers will make the process near invisible to avoid disruption.

With mobile banking and the continued rise of ecommerce across many industries making online transactions increasingly commonplace, getting ahead of the curve is arguably more important than ever before.

Our guide on Customer Identity Access Management (CIAM) can be incredibly useful to you, as it discusses the means to create and manage online identities securely.

When does SCA go into effect?

SCA will be fully enforced in December 2020. However, it has been a requirement of the PSD2 since September 2019.

You might ask, what does this mean?

There has been some confusion about the timeline, and for good reason.

Originally, the plan was to have SCA fully in place in September 2019. However, in June 2019 the European Banking Authority (EBA) accepted that, on an exceptional basis and to avoid unintended negative consequences, there would be a temporary delay in the implementation of SCA.

In October 2019, the EBA announced that SCA will be fully enforced on December 31st 2020, following concerns about the preparedness and compliance of some actors in the payments chain.

In practice, this means that at the time of writing (October 2019), not many banks have started declining non-authenticated payments, but they will start doing so on December 31st 2020 at the latest.

To put it another way, SCA has been required by the PSD2 since September 2019, but it will not be fully enforced until the end of 2020.

In addition to the EBA’s announcements, the local regulators in Denmark, France and the United Kingdom have granted longer 18-month delays to the enforcement of SCA, and it is unclear whether there will be further delays in those countries.

Exemptions to SCA (Strong Customer Authentication)

When it comes to who is affected by SCA, it is important to be aware of what payments are exempt from additional validation.

These are generally classed as ‘low risk’ payments and certain providers will be able to process these without having to look for additional validation – leaving it to the discretion of the bank to decide whether SCA authentication is required.

Types of transactions that are exempt include:

Corporate Transactions

These are generally made with a pre-approved or ‘lodged’ card. These are most commonly used for travel expenses by a range of users and, as a result, will not require validation.

Low Risk Transactions

Arguably the most common exemption, this is defined as a transaction that falls below a bank’s or carrier’s thresholds for fraud. This can create a situation where the payment provider’s fraud rate is beneath the required threshold but the cardholder’s bank’s rate is not, resulting in a cancelled payment.

‘Merchant Initiated’ Transactions

Used by businesses that take ‘delayed payments’, these are outside the remit of SCA, as the card is authenticated when the first payment is made. Once a mandate is provided by the cardholder, the merchant can continue to charge subscriptions or pre-agreed billing.

Small Payments

Any payment or transaction below 30€ will generally be exempt from SCA. This exemption is limited if the card has been used a number of times since the last on-record authentication, or if the payments made since that authentication total more than 100€.

Standing Subscriptions

Ongoing subscription payments will bypass SCA provided that the first payment is fully authenticated and that the subscription payments do not increase or change. If a subscription does change, the customer will be required to validate the change or provide consent.

Telephone Sales

Some providers will allow for the creation of trusted entities or – as with platforms such as PayPal – designate a small payment to a ‘trusted’ individual. Once added to the system, the user will be placed on a list of trusted bodies and will not run into issues when making future payments.
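As an added example (not code from this article or from 10Duke), here is a decision function that applies the exemptions listed above to a single card transaction, the kind of check a checkout pipeline would run before deciding whether to trigger a step-up authentication. The 30€ and 100€ thresholds come from the article; the per-card transaction count limit, the class and field names, and the rule that a completed SCA resets the running counters are assumptions.

```python
from dataclasses import dataclass

# Thresholds stated in the article: low-value exemption below 30 EUR, withdrawn
# once spend since the last full authentication exceeds 100 EUR. The per-card
# count limit is NOT given by the article ("a number of times"); it is an
# assumed parameter here. The bank-discretionary 'low risk' (fraud-rate)
# exemption is not modelled because it depends on provider fraud statistics.
LOW_VALUE_LIMIT_EUR = 30.0
CUMULATIVE_LIMIT_EUR = 100.0

@dataclass
class CardState:
    """Constructed in-memory record of card activity since the last full SCA."""
    spent_since_sca_eur: float = 0.0
    count_since_sca: int = 0
    lodged_corporate: bool = False   # pre-approved corporate 'lodged' card

@dataclass
class Transaction:
    amount_eur: float
    merchant_initiated: bool = False    # recurring charge under an existing mandate
    subscription_changed: bool = False  # amount/terms differ from what was authenticated
    trusted_beneficiary: bool = False   # payee is on the cardholder's trusted list

def sca_required(tx, card, max_count_since_sca=5):
    """Return (required, reason) for one transaction; exemptions follow the article."""
    if card.lodged_corporate:
        return False, "corporate lodged card"
    if tx.merchant_initiated:
        if tx.subscription_changed:
            return True, "subscription changed; cardholder must re-consent"
        return False, "merchant-initiated under existing mandate"
    if tx.trusted_beneficiary:
        return False, "trusted beneficiary"
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        if card.count_since_sca >= max_count_since_sca:
            return True, "too many low-value payments since last SCA"
        if card.spent_since_sca_eur + tx.amount_eur > CUMULATIVE_LIMIT_EUR:
            return True, "cumulative low-value spend would exceed 100 EUR"
        return False, "low-value payment"
    return True, "no exemption applies"

def record(tx, card, required):
    """Update counters; assumes a required SCA was performed, which resets them."""
    if required:
        card.spent_since_sca_eur, card.count_since_sca = 0.0, 0
    else:
        card.spent_since_sca_eur += tx.amount_eur
        card.count_since_sca += 1
```

Note that the issuing bank makes the final call; a merchant-side check like this only predicts whether a challenge is likely, so the checkout flow must still handle a decline.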

 

How Can 10Duke Help?

SCA compliance is a necessity for any modern business that is transacting online.

Regardless of who you choose to use to accept online payments, if you’re using the 10Duke Identity Provider as your customer identity management solution, it can help to ensure you comply with your obligations under SCA.

10Duke Identity Provider works no matter who your provider is, Stripe, Adyen, Braintree, or PayPal.

Supporting a variety of incremental authentication triggers that can help to confirm a user’s decision to initiate an online payment, or further protect access to sensitive data or features within an application, the 10Duke Identity Provider allows you to tailor those aspects of your customer journey that require enhanced authentication, such as that mandated by PSD2.

If you want to take the pain out of your SCA compliance, read about 10Duke Enterprise. Additionally, if you want to get in touch and discuss a light-touch bespoke solution for your business, please do not hesitate to contact us and let us know how we can help.