If your business accepts card payments, you’ve probably heard about the new strong customer authentication requirements, or SCA. But what exactly is happening, why and when? And most importantly, what does it mean for your business? We explain all.
The new requirements for strong customer authentication are coming into force from 31 December 2020 in Europe. And from 14 September 2021 in the UK.
They’re part of a raft of European regulations known as the revised payment services directive, or PSD2 for short. The regulation is being driven by changing shopping habits, technology and opportunities.
EMV chip and PIN has been very successful in reducing card fraud. But, much like squeezing the air in a balloon, fraud has moved from in-store to remote channels.
At the same time, consumers are shopping more online. 71% of internet users in the EU shopped online in 2019. And 35% of online shoppers bought from sellers in other EU countries, compared to 2% in 2014 [1].
Regulators hope that the new requirements will make people more confident to trade online, protect consumers, and boost competition and security in the EEA.
What is authentication?
Authentication is often confused with authorisation. Authentication is the process of confirming the identity of a user. So when someone logs onto a computer with their username and password, validating these credentials is authentication.
Authorisation is the process of confirming the user’s rights and privileges. So in our computer example, it’s checking that someone has access to various systems to perform specific tasks.
Strong customer authentication is also known as multi-factor authentication. That’s because it comprises two or more factors: something a customer knows (e.g. a PIN or password), something they have (e.g. a device or token) or something they are (e.g. a fingerprint or iris scan). You may hear these factors referred to as knowledge, possession and inherence.
The new SCA requirement mandates two independent factors from different categories, so if one is compromised, it doesn’t compromise the others.
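As an added illustration (this is not code from the original post), the following Python snippet separates the two ideas above, authentication and authorisation, and applies the independence rule: two verified factors only count as strong customer authentication when they come from different categories, so a password plus a PIN is not enough. The user record, the evidence types and the permission set are constructed for the example, and the fingerprint check is reduced to a template comparison because real biometric matching is out of scope here.

```python
import hashlib
import hmac
import os
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"     # something the customer knows
    POSSESSION = "possession"   # something they have
    INHERENCE = "inherence"     # something they are


# Category of each kind of evidence this toy verifier understands (constructed mapping).
EVIDENCE_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "registered_device": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
}


def _derive(secret, salt):
    # Slow, salted hash so stored knowledge factors are never kept in plaintext.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class User:
    """Constructed user record: two knowledge factors, one possession, one inherence."""

    def __init__(self, name, password, pin, device_id, fingerprint_template, permissions):
        self.name = name
        self._salt = os.urandom(16)
        self._password_hash = _derive(password, self._salt)
        self._pin_hash = _derive(pin, self._salt)
        self.device_id = device_id
        self._fingerprint_template = fingerprint_template  # simplification: real matching is fuzzy
        self.permissions = set(permissions)


def verify_evidence(user, kind, value):
    """Authentication step: does one piece of evidence match the stored record?"""
    if kind == "password":
        return hmac.compare_digest(_derive(value, user._salt), user._password_hash)
    if kind == "pin":
        return hmac.compare_digest(_derive(value, user._salt), user._pin_hash)
    if kind == "registered_device":
        return hmac.compare_digest(value, user.device_id)
    if kind == "fingerprint":
        return hmac.compare_digest(value, user._fingerprint_template)
    raise ValueError(f"unknown evidence type: {kind}")


def authenticate(user, evidence):
    """Return the set of factor categories that were successfully verified.

    Two pieces of evidence from the same category collapse into one entry,
    which is exactly why password + PIN does not satisfy SCA below.
    """
    verified = set()
    for kind, value in evidence.items():
        if verify_evidence(user, kind, value):
            verified.add(EVIDENCE_CATEGORY[kind])
    return verified


def is_strong(verified_categories):
    """SCA rule: two or more factors from *different* categories."""
    return len(verified_categories) >= 2


def authorise(user, verified_categories, action):
    """Authorisation: a strongly authenticated user may only do what they are permitted to."""
    return is_strong(verified_categories) and action in user.permissions


if __name__ == "__main__":
    alice = User("alice", "correct horse", "2468", "dev-42", b"fp-template-1", {"view_balance"})
    print(is_strong(authenticate(alice, {"password": "correct horse", "pin": "2468"})))        # False
    print(is_strong(authenticate(alice, {"password": "correct horse", "registered_device": "dev-42"})))  # True
```

The point of keeping `authenticate` and `authorise` as separate functions is the distinction the post draws: the first answers "is this really Alice?", the second answers "may Alice do this?", and the second is only meaningful once the first has produced factors from two independent categories.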
Who is impacted?
The changes will impact everyone in the EEA and the UK: consumers, businesses that accept electronic payments, and those who provide banking and payment services.
Strong customer authentication applies to every electronic transaction, such as logging on to online banking or buying something on the web. There are some exceptions which we’ll explain below. But in the main, if your business sells to customers in the EEA or the UK and you accept cards, the regulations apply to you.
It’s not a matter of whether or not there’s a specific fraud problem in your market, or whether your business is willing to take the risk of the sale. The regulation applies to banks and payment service providers in Europe and the UK. From 31 December 2020 (and 14 September 2021 in the UK) regulated firms will be enforcing the requirements.
What are the exceptions to the SCA rule?
Around 45% of all remote transactions are out of scope for SCA, according to a recent Visa estimate. Naturally, this varies by merchant sector and business model.
The four main types of transaction out of scope for strong customer authentication are:
- Mail order/telephone order (MOTO) transactions
- One-leg-out transactions, where either the card issuer or the card acquirer is outside Europe or the UK
- Anonymous transactions, for example anonymous prepaid gift cards
- Merchant-initiated transactions, for example recurring payments, delayed charges, no-shows
Other transactions are out of scope, such as contactless, low-value payments, transit and parking, and secure corporate payments. But the four main types are listed above.
Importantly, out-of-scope transactions are not identified automatically. Merchants and payment service providers must flag them accordingly, so issuers can recognise them.
In some circumstances, SCA may be required for the first transaction when the customer agrees to the terms for subsequent merchant-initiated transactions, such as in the case of recurring payments. Thereafter, providing subsequent transactions are correctly coded and flagged as out-of-scope MITs, issuers must not decline them.
What are the next steps?
As we enter the final quarter of 2020, European issuers are beginning to test their SCA policies and procedures. Issuers will be ‘soft declining’ transactions, basically asking for strong customer authentication. For card payments, this means using the 3D-Secure (3DS) protocol and asking for a step-up authentication from the customer.
You are advised to assess the impact of SCA on your business model, customer journeys and processes. Make sure you are operating at the highest version of 3DS and that your risk engine is working optimally.
Flag out-of-scope transactions and populate message fields correctly. Check back soon as we will publish a blog dedicated to merchant-initiated transactions.
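To make the two sections above concrete, here is an added Python model (not PXP’s code and not a real scheme message format) of the scope rules listed under the exceptions and of the soft-decline behaviour described in the next steps. The field names on `Transaction`, the response strings `soft_decline`, `approved` and `declined`, and the toy `Issuer` policy are all constructed for the example. It shows three things the text stresses: out-of-scope transactions are only recognised when the merchant flags them, an in-scope transaction without 3DS authentication is soft-declined and must be resubmitted after a step-up, and a correctly flagged MIT that refers to an agreement the customer authenticated is approved without further SCA.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Channel(Enum):
    ECOMMERCE = "ecommerce"
    MOTO = "moto"  # mail order / telephone order


# Regions where the SCA requirement applies, per the post (constructed labels).
REGULATED = {"EEA", "UK"}


@dataclass
class Transaction:
    amount_minor: int                          # pence / cents
    channel: Channel
    issuer_region: str                         # "EEA", "UK" or something else
    acquirer_region: str
    anonymous_prepaid: bool = False            # anonymous prepaid gift card
    merchant_initiated: bool = False           # MIT flag: must be set explicitly by the merchant
    consent_reference: Optional[str] = None    # links an MIT to the agreement the customer authenticated
    establishes_agreement: bool = False        # first transaction of a recurring series
    three_ds_authenticated: bool = False       # outcome of a 3DS step-up, if one was performed


def sca_scope(txn):
    """Classify a transaction against the four main out-of-scope types."""
    if txn.channel is Channel.MOTO:
        return "out_of_scope:moto"
    if txn.issuer_region not in REGULATED or txn.acquirer_region not in REGULATED:
        return "out_of_scope:one_leg_out"
    if txn.anonymous_prepaid:
        return "out_of_scope:anonymous"
    # An MIT is only recognised as such when flagged AND tied to an agreement.
    if txn.merchant_initiated and txn.consent_reference:
        return "out_of_scope:mit"
    return "in_scope"


class Issuer:
    """Toy issuer policy (constructed): soft-decline in-scope transactions that
    lack SCA; approve flagged MITs whose agreement is on file; record the
    agreement when the customer authenticates the first transaction."""

    def __init__(self):
        self.agreements = set()

    def authorise(self, txn):
        scope = sca_scope(txn)
        if scope == "out_of_scope:mit":
            # Must not decline a correctly flagged MIT; unknown agreements are refused.
            return "approved" if txn.consent_reference in self.agreements else "declined"
        if scope == "in_scope" and not txn.three_ds_authenticated:
            return "soft_decline"  # "retry with strong customer authentication"
        if txn.establishes_agreement and txn.consent_reference:
            self.agreements.add(txn.consent_reference)
        return "approved"


def submit(issuer, txn, step_up):
    """Merchant side: submit, and on a soft decline run 3DS once and resubmit.

    `step_up` stands in for the 3DS challenge and returns True when the
    customer completes it.
    """
    response = issuer.authorise(txn)
    if response == "soft_decline":
        txn.three_ds_authenticated = step_up()
        response = issuer.authorise(txn)
    return response


if __name__ == "__main__":
    issuer = Issuer()
    first = Transaction(999, Channel.ECOMMERCE, "EEA", "UK",
                        consent_reference="sub-001", establishes_agreement=True)
    print(submit(issuer, first, lambda: True))                      # approved, after a step-up
    renewal = Transaction(999, Channel.ECOMMERCE, "EEA", "UK",
                          merchant_initiated=True, consent_reference="sub-001")
    print(sca_scope(renewal), issuer.authorise(renewal))            # out_of_scope:mit approved
    unflagged = Transaction(999, Channel.ECOMMERCE, "EEA", "UK")
    print(issuer.authorise(unflagged))                              # soft_decline
```

The `unflagged` case is the one to watch in practice: the same renewal charge submitted without the MIT flag and agreement reference is indistinguishable from a customer-initiated purchase, so the issuer soft-declines it and, with no customer present to complete 3DS, the payment fails.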
What support is available?
PXP Financial’s ANYpay gateway already supports both 3DS 1.0 and 2.0 and is certified with the main international card schemes to that end. This means we can automatically use the 3DS version supported by the customer’s issuer.
We have also devised strong customer authentication policies for processing online payments to suit all merchants, sectors and geographies. For more information on the policies, please visit https://developer.pxp-solutions.com/reference#sca-policy.
Our ANYpay online developer hub also contains various integration guides, API references, examples and test scripts and is publicly available at https://developer.pxp-solutions.com.
If you cannot find a solution for your particular sector or use case, contact us. We may be able to help, plus work with business partners to deliver solutions.
[1] E-commerce statistics for individuals, Eurostat, January 2020, https://ec.europa.eu/eurostat/statistics-explained/index.php/E-commerce_statistics_for_individuals#E-shopping:_biggest_increase_among_young_internet_users