The new standard for secure authentication of online payments, Strong Customer Authentication (SCA), is a newly enacted measure to help counteract fraud on certain types of payment.
SCA first came into being in September 2019* as a response to the European Second Payment Services Directive (PSD2). The directive sets out a list of requirements that banks, building societies and certain other firms must abide by – chief among these being that providers must respond to certain kinds of complaints within a fifteen-day window, helping to improve the issue-resolution problems that have plagued the industry for close to a decade.
* You’ll find a full explanation of the timeline of SCA later in this article.
The other part of this process involves the deployment of SCA – requiring businesses that sell goods and services online to build additional validation steps into their ecommerce checkout pipeline. In simple terms, this means adding three key elements:
When the changes required by PSD2 are formally enforced by the deadline of December 2020, banks will be required to decline any* payments that don’t involve these three elements as formal validation.
* There are some exemptions to this, more on that in a moment.
As it currently stands, SCA will only apply to payments that are made online in the Eurozone. Broadly speaking, this means it will affect any individual making an online payment from an EU country to another EU country.
As it stands, some companies have already gotten ahead of the curve and used secure payments such as Visa’s ‘Verified by’ initiative or Mastercard’s long-running ‘Identity Check’ program.
This does offload a little extra responsibility onto customers, who will increasingly be required to use biometrics or recognised tokens when making payments. This will commonly involve validating your personal phone number with your bank or agreeing to use your fingerprint data as a passkey – something that more data-savvy citizens could be apprehensive about.
However, when it comes to ‘worrying’, what customers face is a mild inconvenience compared to the comprehensive work some businesses will be required to undertake. This will involve fundamentally changing their checkout processes, embedding an extra layer of security, and sufficiently road-testing it before they fully implement SCA.
If not tested correctly, this can derail a customer’s user journey and result in comprehensive revenue loss – placing your bottom line at risk and losing any goodwill you may have built with your user base.
However, SCA also offers a fantastic way to provide peace of mind to customers, ensuring that their online interaction with the vendor is secure. And, given the importance of keeping the customer journey as seamless as possible, it’s likely that the best providers will make the process near invisible to avoid disruption.
With mobile banking and the continued rise of ecommerce across many industries making online transactions increasingly commonplace, getting ahead of the curve is arguably more important than ever before.
SCA will be fully enforced in December 2020. However, it has been a requirement of the PSD2 since September 2019.
You might ask, what does this mean?
There has been some confusion about the timeline and for good reason.
Originally, the plan was to have SCA fully in place in September 2019. However, in June 2019 the European Banking Authority (EBA) accepted that, on an exceptional basis and to avoid unintended negative consequences, there would be a temporary delay in the implementation of SCA.
In October 2019, the EBA announced that SCA will be fully enforced on December 31st 2020, following concerns about the preparedness and compliance of some actors in the payments chain.
In practice, this means that at the time of writing (October 2019) not many banks have started declining non-authenticated payments, but they will start doing so on December 31st 2020 at the latest.
To put it in another way, SCA has been required by the PSD2 since September 2019, but it will not be fully enforced until the end of 2020.
In addition to the EBA’s announcements, the local regulators in Denmark, France and the United Kingdom have granted longer 18-month delays to the enforcement of SCA, and it is unclear whether there will be further delays in those countries.
When it comes to who is affected by SCA, it is important to be aware of what payments are exempt from additional validation.
These are generally classed as ‘low risk’ payments and certain providers will be able to process these without having to look for additional validation – leaving it to the discretion of the bank to decide whether SCA authentication is required.
Types of transactions that are exempt include:
These are generally made with a pre-approved or ‘lodged’ card. They are most commonly used for travel expenses by a range of users and, as a result, will not require validation.
Arguably the most common exemption, this is defined as a transaction that falls below a bank’s or carrier’s fraud-rate thresholds. This can create a situation where the payment provider’s fraud rate is beneath the required threshold but the cardholder’s bank’s rate is above it – resulting in a cancelled payment.
Used for businesses that traffic in ‘delayed payments’, these are outside of the remit of SCA as the card is authenticated when the first payment is made. Once a mandate is provided by the cardholder, the merchant can continue to charge subscriptions or pre-agreed billing.
Any payment or transaction below 30€ will generally be exempt from SCA. This exemption is limited if the card has been used a number of times since the last on-record authentication, or if the payments made since that authentication total more than 100€.
Ongoing subscription payments will bypass SCA provided that the first payment is fully authenticated and that the subscription payments do not increase or change. If subscriptions do change, the customer will be required to validate the change or provide consent.
Some providers will allow for the creation of trusted entities or – as with platforms such as PayPal – designate a small payment to a ‘trusted’ individual. Once added to the system, the payee is placed on a list of trusted bodies and the user will not run into issues when making future payments to them.
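The exemptions above amount to a decision rule a merchant or payment provider has to evaluate before every card payment: does this transaction need to be sent for SCA, or can it legitimately skip it? The following is an added worked example written for this article, not code from the original post or from 10Duke. It uses the 30€ per-payment and 100€ cumulative limits the article states; the maximum number of low-value payments allowed since the last authentication is not given on the page, so it is a labelled, configurable assumption. Lodged cards, trusted beneficiaries, unchanged recurring payments under an authenticated mandate and low-value payments are exempted; anything else is sent for authentication.

```python
"""Added example: a pre-authorisation check that decides whether a payment must go
through SCA or may claim one of the exemptions described in the article.
Not the article's or 10Duke's code; thresholds marked ASSUMPTION are not on the page."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Optional, Set, Tuple

LOW_VALUE_LIMIT = Decimal("30")     # per-payment ceiling stated in the article
CUMULATIVE_LIMIT = Decimal("100")   # cumulative ceiling since last SCA, stated in the article
MAX_UNAUTHENTICATED_COUNT = 5       # ASSUMPTION: count limit is not given on the page


@dataclass
class CardState:
    """What the merchant/PSP knows about a card since its last full SCA."""
    payments_since_sca: int = 0
    amount_since_sca: Decimal = Decimal("0")
    trusted_merchants: Set[str] = field(default_factory=set)  # cardholder's trusted list
    mandate_amount: Optional[Decimal] = None  # amount agreed at the authenticated first payment


@dataclass
class Payment:
    amount: Decimal
    merchant_id: str
    recurring: bool = False   # subsequent instalment of a subscription / mandate
    lodged_card: bool = False  # pre-approved corporate ("lodged") card, e.g. travel


def sca_decision(p: Payment, state: CardState) -> Tuple[bool, str]:
    """Return (sca_required, reason). Exemptions are tested in order; a payment that
    matches none of them must be authenticated."""
    if p.lodged_card:
        return False, "exempt: lodged/corporate card"
    if p.merchant_id in state.trusted_merchants:
        return False, "exempt: trusted beneficiary"
    if p.recurring:
        if state.mandate_amount is None:
            return True, "first payment of a mandate must be authenticated"
        if p.amount != state.mandate_amount:
            return True, "subscription amount changed; cardholder must re-consent"
        return False, "exempt: recurring payment under an authenticated mandate"
    if p.amount < LOW_VALUE_LIMIT:
        if state.payments_since_sca >= MAX_UNAUTHENTICATED_COUNT:
            return True, "low-value counter exhausted since last SCA"
        if state.amount_since_sca + p.amount > CUMULATIVE_LIMIT:
            return True, "cumulative low-value total would exceed 100 EUR"
        return False, "exempt: low-value payment"
    return True, "no exemption applies"


def record_outcome(p: Payment, state: CardState, sca_performed: bool) -> None:
    """Update the card's counters after the payment completes. A full SCA resets
    them (and fixes the mandate amount for recurring payments); any payment made
    without SCA consumes them. Counting every non-SCA payment, not only low-value
    ones, is a deliberately conservative simplification."""
    if sca_performed:
        state.payments_since_sca = 0
        state.amount_since_sca = Decimal("0")
        if p.recurring:
            state.mandate_amount = p.amount
    else:
        state.payments_since_sca += 1
        state.amount_since_sca += p.amount


def run_sequence(amounts: List[str], merchant_id: str = "shop") -> List[bool]:
    """Replay a series of one-off payments on a fresh card and report, per payment,
    whether SCA was required. Shows the low-value counters being consumed and reset."""
    state = CardState()
    required: List[bool] = []
    for a in amounts:
        p = Payment(Decimal(a), merchant_id)
        needs_sca, _ = sca_decision(p, state)
        required.append(needs_sca)
        record_outcome(p, state, sca_performed=needs_sca)
    return required


if __name__ == "__main__":
    # Constructed sample: six 10 EUR payments, then a 20 EUR one.
    for amt, flag in zip(["10"] * 6 + ["20"], run_sequence(["10"] * 6 + ["20"])):
        print(f"{amt:>4} EUR -> {'SCA' if flag else 'exempt'}")
```

Because the decision and the bookkeeping are separate functions, the same rule table can be unit-tested against the exemption list and then wired into a checkout flow that only triggers the step-up authentication when `sca_decision` returns `True`.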
SCA compliance is a necessity for any modern business that is transacting online.
Regardless of who you choose to use to accept online payments, if you’re using the 10Duke Identity Provider as your customer identity management solution, it can help to ensure you comply with your obligations under SCA.
Supporting a variety of incremental authentication triggers that can help to confirm a user’s decision to initiate an online payment, or further protect access to sensitive data or features within an application, the 10Duke Identity Provider allows you to tailor those aspects of your customer journey that require enhanced authentication, such as that mandated by PSD2.