Introduction
The introduction of security protocols and procedures in online payment processing was a major step forward in payment security. However, as beneficial as they are for the protection of financial assets and payment information, these protocols started causing friction in the user experience (UX).
In 2019, the European Union launched the Revised Directive on Payment Services (PSD2) which includes a payment authentication method that involves less friction. This method is known as strong customer authentication.
Find out how strong customer authentication works and how to use it to prevent payment fraud.
What is Strong Customer Authentication (SCA)?
Strong customer authentication (SCA) is a requirement introduced with the Revised Directive on Payment Services that imposes the use of multi-factor authentication on financial institutions in the European Economic Area.
Multi-factor authentication aims to ensure that only the true cardholder can use their credit or debit card.
Strong authentication requires cardholders to verify their identity by providing two of the following three identifiers:
- Something they own (a mobile phone or ID token).
- Something they know (PIN, password, scheme).
- Something that is part of them (fingerprint or facial recognition).
When Is Strong Customer Authentication Used?
Strong customer authentication is used in the following three situations:
- Accessing an online payment account (the login process on a bank’s website or mobile application).
- Initiating a payment (face-to-face or online payments, also known as card-not-present transactions).
- Using a remote channel to perform actions that are considered a payment fraud risk (saving payment information on a website or in an app).
How to Achieve and Maintain SCA Compliance?
To become SCA compliant, businesses must:
- Check whether SCA applies to them. SCA is applicable when the business’s and a customer’s banks are based in the European Economic Area.
- Determine whether their business model and transactions require SCA.
- Ensure their integration supports 3DS.
To maintain SCA compliance, businesses must keep up with any changes in or newer versions of the Payment Service Directive and communicate with their payment service providers.
SCA Timeline
Strong customer authentication was to be in full effect by January 1st, 2021. However, due to the pandemic, the number of ecommerce transactions under SCA rose dramatically. That made legislators postpone the enforcement of SCA further into 2021.
- PSD released in 2007.
- European Central Bank (ECB) issues recommendations on internet payment security on the 31st of January 2013, resulting in three solutions which would later evolve into strong customer authentication.
- PSD2 release and introduction of strong customer authentication on September 14th, 2019.
- Readiness for businesses to support SCA expected by 31st of December, 2020.
- European Banking Authority mandates full SCA enforcement by January 1st, 2021.
- Full enforcement of SCA in the Netherlands in January 2021.
- Full enforcement of SCA in Germany in March 2021.
- Full enforcement of SCA in Italy, France, and Belgium in April 2021.
- The beginning of gradual enforcement of SCA in the UK in June 2021.
- Full enforcement of SCA in Ireland in July 2021.
- Full enforcement of SCA in Switzerland in September 2021.
- Full enforcement of SCA in the UK expected by March 14th, 2022.
SCA Exemptions
Strong customer authentication is not required from customers in the following cases:
- Low-risk transactions.
- Card-not-present-transactions below €30.
- Fixed-amount subscriptions.
- Merchant-initiated transactions.
- Phone or mail sales.
- Trusted beneficiaries.
- One leg out payments.
- Corporate payments.
Note: These exceptions apply to payment processors. Banks are allowed to enforce SCA even when conditions for an exemption are met.
Merchants should be aware that if they ask for an exemption, they are held liable if the transaction turns out to be fraudulent.
Low-Risk Transactions
Financial institutions, such as banks and payment providers, can exempt a transaction from strong customer authentication if their fraud rates comply with the following conditions:
- Under 0.13% to exempt transactions below €100.
- Under 0.06% to exempt transactions below €250.
- Under 0.01% to exempt transactions below €500.
Note: Amounts are converted to local currency when applicable.
During a transaction, the person requesting the transaction (the cardholder) is faced with two financial institutions: the payment processor and their bank (the card issuer). SCA exemption is not applicable if one of those two financial institutions has a higher fraud rate than allowed.
As an additional security measure, financial institutions are allowed to perform risk analysis to further determine whether SCA should be applied to a transaction.
Card-not-Present Transactions Below €30
Card-not-present transactions below €30 are considered low value and are typically exempt from SCA. However, some exceptions apply.
Banks may apply SCA if, within 24 hours, a customer uses this exemption more than five times. The cardholder must undergo SCA if the sum of their previously exempt payments exceeds €100.
Fixed-Amount Subscriptions
Fixed-amount subscriptions are considered safe because they are recurring payments of a preauthorized amount from one person to the same business.
It is standard practice for financial institutions to require SCA for the initial payment in subscription processing.
Merchant-Initiated Transactions
Card-not-present transactions using stored payment data and initiated by a merchant do not require SCA. However, SCA must be applied while the card information is being saved or while initiating the first transaction.
Note: Merchants cannot initiate transactions until they get written permission from the cardholder, also called a mandate.
Despite a transaction being marked as merchant-initiated, banks have the final say in whether SCA is applied.
Phone or Mail Sales
Card data collected for mail orders and telephone orders (MOTO) is outside the scope of SCA and does not need to be authenticated.
Despite the eligibility for SCA exemption, banks still make the final decision regarding whether to impose strong customer authentication.
Trusted Beneficiaries
The list of trusted beneficiaries is a list of companies or individuals trusted by a bank’s customer. Transactions between a customer and trusted beneficiary are exempt from SCA.
However, the customer must undergo SCA before they add an individual or legal entity to the list.
One Leg Out (OLO) Payments
One leg out (OLO) payments are transactions where either a business’s bank or a customer’s bank is based outside the European Economic Area or the UK. OLO payments are out of scope for SCA.
Corporate Payments
Corporate payments are exempt from SCA when:
- The corporate card is held directly with an online travel agent.
- Payments are made with virtual card numbers.
This exemption is not used as frequently as others because of its very narrow scope (business travel).
SCA Exemptions and Card Issuers
The following table shows major card issuers in Europe and the SCA exceptions they offer by default. Bear in mind that banks may enforce SCA even if the card network doesn’t.
Low-Value Payment | Transaction Risk Assessment | Secure Corporate Payment | Trusted Merchant List | |
Visa | ✔ | ✔ | ✔ | ✔ |
Mastercard | ✔ | ✔ | ✔ | ✖ |
American Express | ✖ | ✖ | ✔ | ✔* |
Diners Club (DCI) | ✔ | ✔ | ✔ | ✖ |
Cartes Bancaires | ✔ | ✖ | ✔ | ✖ |
* American Express has a predefined list of trusted merchants users can modify.
Conclusion
People would not get the opportunity to enjoy the convenience of online payments if it were not for the security measures in place.
Use the information provided in this guide to provide maximum payment security for your customers.