What is Strong Customer Authentication?
Strong Customer Authentication (SCA) is a new European regulatory requirement, introduced under the revised Payment Services Directive (PSD2), to authenticate online payments using at least two of the following three independent categories of element:
- Something the customer knows, such as a password or PIN
- Something the customer has, such as a phone or hardware token
- Something the customer is, such as a fingerprint or face recognition
The two elements must come from different categories: a password plus a second password does not qualify, and compromising one element must not reveal the other.
The SCA requirement is intended to reduce fraud and make online payments more secure. For online card payments, it applies to transactions where both the business and the cardholder’s bank are located in the European Economic Area (EEA). SCA is expected to be enforced in the UK regardless of the outcome of Brexit.
When is SCA required?
Cardholder banks will start declining payments that require SCA but have not been authenticated. An announcement earlier this month from the Financial Conduct Authority (FCA) advised of an 18-month phase-in period to give UK businesses more time to prepare. Although the phased approach varies across Europe, we do not expect banks to fully require SCA for payments from UK cards until March 2021.
How to authenticate a payment?
The most common way of authenticating an online card payment is 3D Secure, an authentication standard supported by the vast majority of European cards; its current version, 3D Secure 2, was designed with SCA in mind and can authenticate many low-risk payments without interrupting the customer. Applying 3D Secure typically adds an extra step after checkout in which the cardholder is prompted by their bank to provide additional information (for example a one-time code sent to their phone, or an approval in their banking app) to complete the payment.
To handle online payments once SCA comes into effect, you will need to build this additional authentication step into your checkout journey, including the case where a payment attempted without authentication is declined by the bank and has to be retried with it.
Other card-based payment methods such as Apple Pay or Google Pay already support payment flows with a built-in layer of authentication (biometric or device passcode). These can be a great way for businesses to offer a frictionless checkout experience while meeting the new requirements.
Under the new regulation, certain types of ‘low-risk’ payment (for example low-value transactions, or transactions that a payment provider’s risk analysis rates as low risk) may be exempt from SCA. Payment providers such as Stripe can request these exemptions in real time as part of the payment. The cardholder’s bank receives the request, assesses the risk of the transaction and either accepts or denies it. A denial (often called a ‘soft decline’) means the payment cannot proceed until the customer has authenticated, so your checkout must be able to fall back to 3D Secure rather than treating that decline as final.
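The exemption flow described above, including the denied-exemption case, as an added example that is not code from the original page or from Stripe. It assumes a Stripe-style PaymentIntent object (the field names status, next_action.type, last_payment_error.decline_code and payment_method_options.card.request_three_d_secure follow Stripe's public API; the sample objects are constructed, not real API responses) and shows how a server decides whether to complete the order, hand the customer over to 3D Secure, or retry the payment requesting authentication after the issuer denies the exemption.

```python
"""Handle SCA outcomes on a server-side checkout.

Added example, not code from the original page or from Stripe. Field names
follow Stripe's public PaymentIntent object; the sample objects below are
constructed, not real API responses, and are plain dicts because nothing
here calls the network.
"""
import copy
from typing import Any, Dict

# Decline code Stripe returns when the issuer refused an exemption and
# insists on authentication (a "soft decline"): retry with 3D Secure.
AUTH_REQUIRED = "authentication_required"


def next_checkout_action(intent: Dict[str, Any]) -> Dict[str, str]:
    """Map a PaymentIntent to what the checkout must do next.

    Returns an "action" of:
      complete       - payment succeeded, fulfil the order
      authenticate   - the bank wants the cardholder to complete 3D Secure;
                       hand off to the client-side SDK (next_action)
      retry_with_sca - the bank denied the exemption request; re-confirm
                       the payment asking for 3D Secure explicitly
      collect_again  - hard decline or other failure; ask for a new card
      wait           - asynchronous processing; poll or rely on webhooks
    """
    status = intent.get("status")
    if status == "succeeded":
        return {"action": "complete", "reason": "paid"}
    if status == "requires_action":
        next_type = (intent.get("next_action") or {}).get("type", "")
        return {"action": "authenticate", "reason": f"next_action={next_type}"}
    if status == "processing":
        return {"action": "wait", "reason": "processing"}
    if status == "requires_payment_method":
        # last_payment_error is absent on a fresh intent and None-able on
        # a retry, so default to an empty dict before reading it.
        error = intent.get("last_payment_error") or {}
        if error.get("decline_code") == AUTH_REQUIRED:
            return {"action": "retry_with_sca", "reason": AUTH_REQUIRED}
        reason = error.get("decline_code") or error.get("code") or "unknown"
        return {"action": "collect_again", "reason": reason}
    return {"action": "collect_again", "reason": f"unexpected status {status}"}


def retry_params(original_params: Dict[str, Any]) -> Dict[str, Any]:
    """Build confirm parameters for retrying after an exemption denial.

    Stripe's request_three_d_secure="any" asks for authentication on every
    card that supports it instead of leaving the exemption decision to the
    provider and the bank. Works on a deep copy so the original request
    (which may be logged or reused) is left untouched.
    """
    params = copy.deepcopy(original_params)
    card_opts = params.setdefault("payment_method_options", {}).setdefault("card", {})
    card_opts["request_three_d_secure"] = "any"
    return params


# Constructed sample PaymentIntent objects, one per outcome of the
# exemption request (not real Stripe responses).
EXEMPTION_ACCEPTED = {"id": "pi_example_1", "status": "succeeded"}
STEP_UP = {
    "id": "pi_example_2",
    "status": "requires_action",
    "next_action": {"type": "use_stripe_sdk"},
}
EXEMPTION_DENIED = {
    "id": "pi_example_3",
    "status": "requires_payment_method",
    "last_payment_error": {"code": "card_declined",
                           "decline_code": "authentication_required"},
}
HARD_DECLINE = {
    "id": "pi_example_4",
    "status": "requires_payment_method",
    "last_payment_error": {"code": "card_declined",
                           "decline_code": "insufficient_funds"},
}
ORIGINAL_REQUEST = {"amount": 1000, "currency": "gbp", "confirm": True}


if __name__ == "__main__":
    for intent in (EXEMPTION_ACCEPTED, STEP_UP, EXEMPTION_DENIED, HARD_DECLINE):
        print(intent["id"], next_checkout_action(intent))
    print(retry_params(ORIGINAL_REQUEST))
```

The important branch is the third sample: a decline carrying the authentication_required code is not a failed card, it is the bank refusing the exemption, and the correct response is a second confirmation that requests 3D Secure rather than asking the customer for another card.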
Do you have further questions, or are you unsure how this affects your website? Talk to Rob, our Digital Director, at firstname.lastname@example.org or 01604 774860.