
Strong Customer Authentication (SCA) Explained


Strong customer authentication (SCA) aims to reduce the risk of fraud and is currently being implemented in the European Economic Area (EEA) and the UK. It applies to certain types of electronic payments, including online card payments and payments made through e-wallets. It does not apply to all electronic payments, and there are some exceptions and exemptions in certain circumstances.

What is Strong Customer Authentication (SCA)?

SCA is a set of new requirements under the revised Payment Services Directive (PSD2) intended to further enhance the security of payments and limit fraud. It mandates that electronic payments are made using multi-factor authentication: measures that confirm the identity of the cardholder when making a card payment.

Banks and payment service providers use authentication as a process to verify your identity. Authentication aims to ensure that the person requesting access to your account, or trying to make a payment, is either you or someone to whom you have given consent.

What elements constitute authentication?

There are three different categories of authentication factor. To satisfy the requirements, the customer must provide two of the following three in order to complete their payment:

1. Knowledge — something only the customer knows, for example, a PIN, passphrase, or secret answer

2. Possession — something only the customer possesses, such as their mobile phone or smartwatch

3. Inherence — something the customer is, for example, a fingerprint or facial recognition

SCA adds an extra layer of security when customers make a payment online. 

It’s worth noting that it's not always applicable. If a merchant is exempt, it may complete the authentication with one factor only or with the device data only.
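As an added illustration (this code is not from the original article or from Checkout.com), the two-of-three rule can be encoded as a small decision function. It also captures a point the list only implies: two elements from the same category, such as a PIN plus a password, count as one knowledge factor, not two. The names `Evidence`, `Factor` and `sca_decision` are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories described in the article."""
    KNOWLEDGE = "knowledge"    # PIN, passphrase, secret answer
    POSSESSION = "possession"  # phone, smartwatch, card
    INHERENCE = "inherence"    # fingerprint, facial recognition


@dataclass(frozen=True)
class Evidence:
    """One authentication element the customer presented (hypothetical type)."""
    name: str
    factor: Factor
    verified: bool  # did the issuer actually confirm this element?


def sca_decision(elements, merchant_exempt=False):
    """Return (approved, reason) for a payment attempt.

    Without an exemption, SCA needs two *distinct* categories among the
    elements that were actually verified. An exempt merchant may complete
    with one factor or device data only, as the article notes.
    """
    if merchant_exempt:
        return True, "exemption applied: single factor or device data accepted"

    categories = {e.factor for e in elements if e.verified}
    if len(categories) >= 2:
        names = ", ".join(sorted(c.value for c in categories))
        return True, "two independent factors verified: " + names
    return False, "only %d factor category verified" % len(categories)


if __name__ == "__main__":
    # Constructed scenarios: same-category pair fails, mixed pair passes.
    pin = Evidence("PIN", Factor.KNOWLEDGE, True)
    password = Evidence("account password", Factor.KNOWLEDGE, True)
    otp = Evidence("OTP on registered phone", Factor.POSSESSION, True)
    print(sca_decision([pin, password]))   # (False, ...) both are knowledge
    print(sca_decision([pin, otp]))        # (True, ...) knowledge + possession
```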

When did Strong Customer Authentication come into force?

The original deadline for implementation was 14 September 2019. On 16 October 2019, the European Banking Authority (EBA) extended the deadline until 31 December 2020. 

The UK was working to a slightly different timeline. The enforcement date was extended until March 2022, with the ramp-up to enforcement starting in November 2021.

SCA is now enforced across Europe and the UK.

Why was SCA introduced?

The aim of SCA is to improve and bolster the security of online transactions and reduce fraud. The European Central Bank (ECB) recorded a 66% increase in card-not-present fraud between 2011 and 2016, so one of the aims of the authentication requirement was to make it more difficult for fraud to be committed.

While SCA has been introduced in order to fight fraudulent transactions, there have been challenges—such as the need to balance increased security with maintaining a seamless and convenient payment process for consumers.

What countries does SCA apply to?

SCA is required where the merchant’s payment services provider and the customer’s bank or card provider are located in the European Economic Area (EEA) or the UK. If either is located outside this area, the payment services provider is required to use its ‘best efforts’ to apply Strong Customer Authentication.

Who pays if Strong Customer Authentication is ignored?

Payment providers and banks are the ones legally required to enforce Strong Customer Authentication, and so they will be liable for any fines. In extreme cases, their licenses could be revoked. But businesses that make online sales aren’t off the hook. Failure to comply with it will see more transactions declined, lost sales, and frustrated customers.

Does Strong Customer Authentication apply to all online transactions? 

Not all transactions need SCA applied to them under PSD2. Transactions that are considered to be low risk do not require authentication.

Businesses need to make use of exemptions in order to ensure the best possible experience for their customers. Thinking carefully about exemptions and applying them at the right times will help businesses create a winning SCA strategy. 

Find out more about exemptions in this follow-up article.

What’s the best way to implement Strong Customer Authentication?

The most common way of authenticating online transactions has been ‘3D Secure’. Visa created the three-domain secure protocol in 1999, and launched it under the name ‘Verified by Visa’. Mastercard followed shortly after with ‘Mastercard SecureCode’.

But 3DS1 is non-compliant, as it does not support two-factor authentication. It only supports one factor — either knowledge or possession.

3D Secure 2 (3DS2) is the new and improved version. Where 3DS1 introduced a level of friction for the customer and caused a relatively high number of abandonments, 3DS2 promises to minimize this friction and deliver a smoother, faster experience at the point of payment via a frictionless flow or a biometrics request.

What does 3DS2 change?

As well as improving the payment experience for customers, 3DS2 — a collaboration between American Express, Discover, JCB, Mastercard, UnionPay and Visa — creates a standard across all e-commerce channels, which paves the way for global interoperability and devices that can be easily adopted by PSPs.

The main feature improvements of 3DS2 cover one-time passwords (OTP), biometric authentication such as fingerprints or facial recognition, and QR codes for mobile applications. But really, the big step-change is the amount of data available to perform an authentication. The 3DS2 protocol facilitates the exchange of over 100 data points between the merchant and the payer’s card issuer to assess the probability that the transaction is genuine. This ‘risk-based authentication’ allows the card issuer to authenticate the payer without the need for additional information. Only when a transaction raises an alarm is the payer prompted for further verification.

How does 3DS2 impact chargebacks?

3DS2 authentication shifts liability away from the merchant, but it also encourages merchants to be more diligent with fraud detection and to share liability where the cardholder experience is more important than the liability shift.

It also offers a layer of protection for both merchants and issuers against the fraudulent use of accounts. PSPs and banks now guarantee merchants payment for certain successful online transactions that have been authenticated with 3DS2. More importantly, 3DS2 is an opportunity to share more data and help issuers with risk-based authentication provide better experiences at the checkout. 

How Checkout.com can help businesses with Strong Customer Authentication 

SCA has proven itself to be a useful tool when it comes to keeping fraud at bay. However, in order to fight fraud but keep your approval rates high, you need a partner that can offer you a flexible 3DS solution that will work across all your acquirers. Additionally, you need a partner that can help you build the right strategy for your unique business needs. 
Learn more about how Checkout.com can help you increase your approval rates and build the optimal customer experience and discover more about our authentication solution.