From 14 September 2019, Strong Customer Authentication (SCA), a new set of European Union (EU) rules, applies to the way banks and payment service providers verify their customers' identity and authenticate specific online payments. The SCA rules are intended to improve the security of payments and limit fraud by requiring two-factor authentication for electronic payments.
SCA is part of the EU's high-profile and far-reaching Second Payment Services Directive (PSD2), which also requires banks to open their payment infrastructure and customer account data to licensed third-party providers, allowing those providers to build payment initiation and account information services on top of them.
The new rules will affect any applicable transaction for businesses whose payment service provider is located within the European Economic Area (EEA), and whose customer’s bank or card provider is also located within the EEA.
What transactions are affected by the Strong Customer Authentication?
Mainly, it affects card payments made over the internet. Once the rules apply, each electronic payment will need to pass two of the following three independent authentication factors:
- Knowledge: something only the user knows, such as a password or PIN.
- Possession: something only the user possesses, such as a mobile phone or hardware token.
- Inherence: something the user is, such as a fingerprint or other biometric.
Why is SCA needed?
Payment fraud losses have been steadily increasing, with little sign of easing for almost a decade. This is why the European Commission has stepped in and imposed SCA requirements on payment participants to reduce fraud. All e-commerce transactions are to be processed via secured industry protocols such as 3D Secure; the UK has until 14 March 2021 to be fully compliant.
Did you know: almost five million people in the UK had money stolen from their bank or credit card account last year.
What is changing?
Additional authentication will become the new default. All qualifying transactions, including remote transactions (i.e. online shopping) and credit transfers, will need to pass two-factor authentication unless an exemption applies.
3D Secure (3DS) will be used in 95% of transactions as the UK moves towards the March 2021 deadline. Payment service providers (PSPs), namely issuers and acquirers, and their clients will be required to meet the card scheme mandates for enabling 3DS 2.0.
Many businesses are also concerned that Strong Customer Authentication could hurt conversion rates, since an additional authentication step introduces friction in the customer's online checkout journey.
Exemptions to SCA
Several exemptions exist under the new rules: specific types of low-risk payments may be exempt from Strong Customer Authentication, and these include:
- Corporate payments
- Low-value transactions below €30
- Trusted beneficiaries
- Merchant-initiated transactions
- Fixed recurring transactions and subscriptions
- Low risk transactions
While exemptions are very useful, it's important to remember that it is at the discretion of the cardholder's bank (the issuer) whether or not to accept an exemption. Issuers can now return new decline codes (so-called soft declines) for payments that were refused because authentication was missing; such payments then have to be resubmitted to the customer for authentication before they can be retried.
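The following added example (not code from the original article, nor from any bank, scheme or payment provider) simulates that flow end to end: a merchant claims the low-value exemption, the issuer decides whether to honour it, and on a soft decline the merchant resubmits the payment after a 3DS challenge. The response reasons ("approved", "soft_decline_sca_required") are assumed placeholders, not real scheme decline codes. It goes slightly beyond the page: besides the €30 per-transaction ceiling, the issuer also enforces the €100 cumulative and five-consecutive-transaction counters that the PSD2 regulatory technical standards attach to the low-value exemption, which is why a string of small payments still eventually triggers SCA.

```python
"""Toy simulation of the SCA exemption / soft-decline / resubmit flow (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Low-value exemption thresholds. The EUR 30 per-transaction ceiling is the one the
# article refers to; the EUR 100 cumulative and 5-consecutive-transaction counters
# come from the PSD2 RTS (Art. 16) and are not stated on the page.
LOW_VALUE_LIMIT_EUR = 30.00
CUMULATIVE_LIMIT_EUR = 100.00
MAX_CONSECUTIVE = 5

# Assumed placeholder response reasons; real card scheme decline codes differ.
APPROVED = "approved"
SOFT_DECLINE = "soft_decline_sca_required"


@dataclass
class CardState:
    """Issuer-side counters since the last SCA-authenticated payment on a card."""
    cumulative_eur: float = 0.0
    consecutive: int = 0


@dataclass
class PaymentRequest:
    amount_eur: float
    exemption: Optional[str] = None   # e.g. "low_value"; None = no exemption claimed
    authenticated: bool = False       # True once the 3DS challenge has been completed


class Issuer:
    """Toy cardholder bank: it alone decides whether an exemption is honoured."""

    def __init__(self, honour_low_value: bool = True) -> None:
        self.honour_low_value = honour_low_value
        self.cards: Dict[str, CardState] = {}

    def authorise(self, pan: str, req: PaymentRequest) -> str:
        state = self.cards.setdefault(pan, CardState())
        if req.authenticated:
            # A fully authenticated payment resets the low-value counters.
            state.cumulative_eur = 0.0
            state.consecutive = 0
            return APPROVED
        if req.exemption == "low_value" and self.honour_low_value:
            within_limits = (
                req.amount_eur <= LOW_VALUE_LIMIT_EUR
                and state.cumulative_eur + req.amount_eur <= CUMULATIVE_LIMIT_EUR
                and state.consecutive < MAX_CONSECUTIVE
            )
            if within_limits:
                state.cumulative_eur += req.amount_eur
                state.consecutive += 1
                return APPROVED
        # No exemption claimed, not honoured, or limits exceeded: demand SCA.
        return SOFT_DECLINE


def challenge_customer(req: PaymentRequest) -> PaymentRequest:
    """Stand-in for the 3DS 2.0 challenge; the customer is assumed to pass it."""
    return PaymentRequest(req.amount_eur, exemption=None, authenticated=True)


def pay(issuer: Issuer, pan: str, amount_eur: float,
        exemption: Optional[str] = None) -> Tuple[str, str]:
    """Merchant/acquirer side: try the exemption first, resubmit with SCA on soft decline."""
    req = PaymentRequest(amount_eur, exemption)
    first = issuer.authorise(pan, req)
    if first == APPROVED:
        return ("approved", "frictionless")
    if first == SOFT_DECLINE:
        retry = issuer.authorise(pan, challenge_customer(req))
        return ("approved", "after_sca") if retry == APPROVED else ("declined", retry)
    return ("declined", first)


if __name__ == "__main__":
    issuer = Issuer()
    card = "4111111111111111"  # constructed test PAN
    print(pay(issuer, card, 25.00, "low_value"))   # frictionless
    print(pay(issuer, card, 45.00, "low_value"))   # over EUR 30 -> soft decline -> SCA
    print(pay(Issuer(honour_low_value=False), card, 10.00, "low_value"))  # issuer declines exemption
```

The merchant never gets to decide: even a well-formed low-value claim is only a request, and a correct integration has to treat the soft decline as a normal path that routes the customer into the 3DS challenge rather than as a failed payment.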