Wednesday, 01 Jun, 2022
In this article, we will discuss everything you need to know about SCA (Strong Customer Authentication) and the SCA regulation. We will cover what SCA is, which transactions are exempt or out of scope, how SCA applies to your business, and how the PayCEC payment gateway can help you meet the SCA compliance requirements. Let's get started by asking whether you understand what SCA Strong Customer Authentication is.
What is SCA Strong Customer Authentication?
SCA Strong Customer Authentication is a European regulatory requirement under PSD2, designed to protect the confidentiality of the authentication data and make SCA online payments more secure.
With SCA Strong Customer Authentication, there are more ways to authenticate shoppers than the traditional ‘something they know’ (like a password). You can now combine other data points, as long as they are from at least 2 different categories.
Combining a fingerprint with a one-time authentication code satisfies SCA.
Your customers may need to provide two forms of identification to their bank when shopping from your e-commerce store. This applies to e-commerce from September 15, 2021 in the UK, and from January 1, 2021 in most of the EEA. If your customer cannot be identified using two factors, their payments to you might be considered non-SCA compliant and be declined.
Your bank or the payment service provider company that provides the checkout service for your website will be able to “switch on” the technology required to perform the checks required by the Strong Customer Authentication regulation.
Strong Customer Authentication applies to most face-to-face transactions, which are the oldest form of doing business. Chip & PIN transactions are SCA compliant, but sometimes your customers may be prompted to enter their PIN when making contactless payments.
Customers have more confidence and feel more secure with great service and more payment options. Taking a card payment at your sales outlet is a face-to-face transaction: the customer pays using the Chip & PIN terminal.
For example, the MasterCard Biometric Card combines chip technology with fingerprints to conveniently and safely verify the cardholder’s identity for in-store purchases. An embedded sensor, powered by the chip, authenticates identity through a fingerprint and can be used at EMV terminals worldwide.
Another example is the e-wallet which is a protected digital account based in a mobile app, where you can store and access your money. It offers a great alternative to your typical banking account. Using an e-wallet allows you to keep your funds in one designated place and removes the need to carry cash or a wallet. As you enter the PIN shown on your voucher receipt given in store at time of purchase, your account will be credited immediately allowing you to make seamless, effortless online and offline payments.
The transfer of funds to the payee would be subject to SCA Strong Customer Authentication by the wallet provider (unless an exemption applies). This significantly simplifies the consumer experience and avoids confusion, since the customer does not have to go through two separate authentication processes within a short timeframe for the same transaction.
On September 14, 2019, SCA Strong Customer Authentication became a requirement for businesses processing SCA online payments in Europe.
Your customers may be asked to verify their identity with two factors during the checkout process. A technology called 3D Secure can help you meet this SCA online payments requirement. The latest version of this technology (called EMV 3DS) will provide your customers with the most convenient experience as they go through this process, reducing the likelihood that any additional steps will be required by your customer, and removing friction from the purchase process. This version of the technology is also more suited for use on mobile devices.
In order to support these SCA online payments, you might need to integrate PayCEC’s virtual terminal payment gateway.
Please contact PayCEC for further information to ensure you are ready to meet the new requirements for SCA online payments from September 15, 2021.
The SCA requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments. Shoppers need to complete extra levels of authentication when they pay online. These levels of Strong Customer Authentication involve asking customers for 2 of the 3 factors in Table 1:
The SCA requirement increases the security of electronic payments.
Factor | Description | Examples |
---|---|---|
Knowledge | Something only the payer knows. | Password, PIN, secret fact, etc. |
Possession | Something only the payer owns. | Cellphone, wearable device, smart card, token, etc. |
Inherence | Something the payer is. | Biometrics (fingerprint, facial features, voice patterns, iris recognition, etc.). |
Table 1
Each of the two factors must be from a different category and must be independent, such that the breach of one does not compromise the reliability of the other.
A Strong Customer Authentication solution requires the authentication of a payer based on the use of two or more elements drawn from the categories in Table 1.
PSPs (Payment Service Providers) are required to have effective transaction monitoring mechanisms in place, to detect unauthorized or fraudulent payment transactions.
The countries in Table 2 are those participating in the European Economic Area, and therefore subject to SCA regulation.
EEA countries | | |
---|---|---|
Austria | Germany | Malta |
Belgium | Greece | Netherlands |
Bulgaria | Hungary | Norway |
Croatia | Iceland | Poland |
Cyprus | Ireland | Portugal |
Czech Republic | Italy | Romania |
Denmark | Latvia | Slovakia |
Estonia | Liechtenstein | Slovenia |
Finland | Lithuania | Spain |
France | Luxembourg | Sweden |
Table 2
While the UK is no longer in the EEA (European Economic Area), equivalent SCA requirements apply in the UK, and will be enforced for e-commerce from September 14, 2021.
Although not part of the European Economic Area (EEA), based on local law, Strong Customer Authentication may apply to transactions in regions that are associated with countries within the EEA. Examples include micro-states and city-states in Europe, along with territories of EEA countries outside of Europe. Clients in those regions should contact their local regulator to determine whether Strong Customer Authentication applies and how to comply with the SCA regulation.
Implementing Strong Customer Authentication differs depending on the payment method. For credit and debit cards, 3D Secure is usually applied. E-wallets and other local payment methods often provide their own SCA compliant authentication step.
The 3D Secure protocol provides an extra layer of authentication to verify the customer’s identity. It is supported by most European debit and credit card companies. Once the customer completes the Strong Customer Authentication step, the issuing bank, not the business, becomes liable for any fraudulent chargebacks.
3D Secure 2 (3DS2) provides a more user-friendly experience than 3D Secure 1 (3DS1). Each version is SCA compliant, but we recommend that you support both 3D Secure 1 and 3D Secure 2.
Apart from 3D Secure, you can also make sure you meet SCA requirements with local payment methods and mobile wallets. These have the added advantage of increasing conversion rates in certain markets and use cases. International e-wallets like Apple Pay and Google Pay™ also provide checkout flows that meet the new SCA requirements.
Ensure that local payment methods and mobile wallets meet SCA requirements.
According to MasterCard, fewer than 5% of merchants use technology that supports Strong Customer Authentication, and over 75% don’t know what the SCA requirements are. Whether you’re ready or not, any non-SCA compliant transactions after the September 14, 2021 deadline will be declined by the cardholder’s bank. This could prove extremely costly for your business, especially if the majority or all of your income comes through online payments.
The FCA has stated that: "After September 14, 2021, any firm that fails to comply with the SCA requirements will be subject to full FCA supervisory and enforcement action".
However, rather than seeing this as a risk to your business, it could be an opportunity. Being proactive now, and ensuring you’re ready for Strong Customer Authentication, could help you stay ahead of your less organized competitors.
The good news is that PayCEC’s SCA compliant payment gateway is built for merchants who want to make the changes needed to become SCA-ready. It is a great option with strong compliance features built in to better protect you and your customers’ sensitive data. Why not discover how PayCEC’s SCA compliant payment gateway could help safeguard the business you’ve worked so hard to build up?
There are some e-commerce transactions which are out of scope of the SCA regulation and others that may be exempt (no Strong Customer Authentication required).
Strong Customer Authentication exemptions are defined based on the level of risk, amount, recurrence, and the payment channel used for the execution of the payment. These Strong Customer Authentication exemptions allow PSPs to achieve the right balance between convenience of the payment experience and fraud reduction.
The Strong Customer Authentication exemptions are available only to PSPs; they are not available to merchants, unregulated payment gateways, or other unregulated entities.
Your bank/checkout provider may also be able to help you “flag” the payments that don’t require Strong Customer Authentication. This adds a certain code so that some payments can pass through without the need for extra checks. By correctly identifying out of scope transactions and applying exemptions (no Strong Customer Authentication required), merchants and issuers can minimize friction, and reserve Strong Customer Authentication for when it is needed.
SCA Strong Customer Authentication impacts the entire payment chain, and online payment is clearly the most complex SCA process. By setting up PayCEC’s SCA compliant payment gateway, you not only ensure your business meets the SCA compliance requirements and accepts more SCA online payments, but also increase your customers’ trust and confidence, and deliver a frictionless purchasing experience even when Strong Customer Authentication is required.
Strong Customer Authentication impacts the entire payment chain.
Merchants should work with their acquirers to develop Strong Customer Authentication exemption strategies that respond to their business needs. To learn more about transactions that are either out of scope or exempt from Strong Customer Authentication, please contact your PayCEC Relationship Manager for details.
The key Strong Customer Authentication exemptions are listed in Table 3; only one may be applied to each transaction, by either the issuer or the acquirer.
Strong Customer Authentication Exemption | Description |
---|---|
Contactless payments at POS | Strong Customer Authentication is not required subject to transaction value and velocity conditions. |
Unattended transport and parking terminals | Unattended terminals for transport fares (e.g. at transport gates) and parking fees. |
Trusted beneficiaries | The payer may add a trusted merchant to a list of trusted beneficiaries held by their issuer, completing a Strong Customer Authentication challenge in the process, to prevent further Strong Customer Authentication being applied on subsequent transactions with the trusted merchant. |
Recurring transactions | Applies to a series of transactions of the same amount made to the same payee. |
Low value transactions | Remote transactions of less than €30 do not require SCA so long as velocity limits are met. |
Secure corporate payments | Payments made through dedicated corporate processes and protocols (e.g. lodge cards, central travel accounts, and virtual cards). |
Transaction Risk Analysis (TRA) | Strong Customer Authentication is not mandated where a PSP, having in place effective risk analysis tools, assesses that the fraud risk associated with a remote payment transaction is low (when the requirements are met). The issuer has the ultimate say on whether Strong Customer Authentication needs to apply. |
Table 3
The payment card transactions listed in Table 4 are considered to be out of scope of the SCA Strong Customer Authentication mandate.
Transaction Type | Description |
---|---|
Payee or Merchant Initiated Transactions | A transaction, or series of transactions, of a fixed or variable amount and fixed or variable interval governed by an agreement between the cardholder and merchant that, once agreed, allows the merchant to initiate subsequent payments without any direct involvement of the cardholder. Where the initial mandate is set up through a remote electronic channel, Strong Customer Authentication is recommended if there is a risk of fraud but should not be necessary for subsequent payments initiated by the merchant. Applies to all payment instruments including cards. |
MOTO | Mail Order/Telephone Order transactions are not considered to be ‘electronic’ payments, so they are out of scope. |
One leg out | A transaction where either the issuer or the acquirer is located outside the EEA. |
Anonymous transactions | Transactions through anonymous payment instruments are not subject to the Strong Customer Authentication mandate. |
Table 4
While the list of Strong Customer Authentication exemptions is now quite clear, the end customer’s bank will ultimately decide whether an exemption is valid. If a Strong Customer Authentication exemption is not granted, the payment will trigger a decline code. The payment will need to be resubmitted and authorized using Strong Customer Authentication protocols.
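The classification described above, as an added worked example (not PayCEC code, and not any scheme's API): a decision function that applies the out-of-scope rules of Table 4 first, then at most one exemption from Table 3 (trusted beneficiary and low value are modelled), and a check of the two-factor rule from Table 1. The transaction record, its field names, the channel labels and the velocity limits are constructed assumptions; the article only says that velocity limits exist.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three SCA categories of Table 1."""
    KNOWLEDGE = "knowledge"    # something only the payer knows
    POSSESSION = "possession"  # something only the payer owns
    INHERENCE = "inherence"    # something the payer is


# Low-value exemption limits: the EUR 30 ceiling is from Table 3; the two
# velocity limits are assumed values, the article only says such limits exist.
LOW_VALUE_MAX_EUR = 30.0
LOW_VALUE_MAX_COUNT_SINCE_SCA = 5
LOW_VALUE_MAX_TOTAL_SINCE_SCA = 100.0


@dataclass
class Transaction:
    """Constructed transaction record; the field names are not a real API."""
    amount_eur: float
    channel: str                       # "ecommerce" or "moto"
    issuer_in_eea: bool
    acquirer_in_eea: bool
    merchant_initiated: bool = False   # MIT under an agreed mandate
    trusted_beneficiary: bool = False  # payee on the issuer's trusted list
    low_value_count_since_sca: int = 0       # issuer-side velocity counters
    low_value_total_since_sca: float = 0.0   # (EUR) since the last SCA


def sca_decision(tx: Transaction) -> str:
    """Out-of-scope tests (Table 4) first, then at most one exemption (Table 3).
    The issuer may still override an exemption and challenge the payment."""
    if tx.channel == "moto":
        return "out_of_scope:moto"
    if not (tx.issuer_in_eea and tx.acquirer_in_eea):
        return "out_of_scope:one_leg_out"
    if tx.merchant_initiated:
        return "out_of_scope:merchant_initiated"
    if tx.trusted_beneficiary:
        return "exempt:trusted_beneficiary"
    within_velocity = (
        tx.low_value_count_since_sca < LOW_VALUE_MAX_COUNT_SINCE_SCA
        and tx.low_value_total_since_sca + tx.amount_eur <= LOW_VALUE_MAX_TOTAL_SINCE_SCA
    )
    if tx.amount_eur < LOW_VALUE_MAX_EUR and within_velocity:
        return "exempt:low_value"
    return "sca_required"


def meets_two_factor_rule(factors) -> bool:
    """Two or more elements from at least two distinct Table 1 categories."""
    return len(factors) >= 2 and len(set(factors)) >= 2
```

A declined exemption (the issuer's decision, as the text notes) maps to the "sca_required" outcome: the merchant resubmits the payment through 3D Secure.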
Strong Customer Authentication exemptions keep the customer journey frictionless.
Visa is actively monitoring the Strong Customer Authentication performance of the ecosystem, and engaging with participants where needed to help them find Strong Customer Authentication solutions that allow customers to continue to make seamless payments. As part of this, in February 2020, Visa launched its EMV 3DS, an industry standard protocol adopted by all major card schemes that serves as the mechanism for cardholder authentication at the time of an e-commerce purchase.
Visa strongly recommends that participants in the remote payments ecosystem adopt EMV 3DS for authenticating cardholders and as a means to apply SCA Strong Customer Authentication. This supports businesses in tracking and improving their Strong Customer Authentication performance, as well as reducing cart abandonment rates and delivering a high-quality, low-friction user experience.
Biometrics are the simplest and safest way to apply Strong Customer Authentication. They minimize checkout friction and many customers are familiar with them and find them attractive. Visa’s EMV 3DS enables biometric authentication, for example via a mobile banking app to provide an inherence factor. While knowledge factors are compliant from a regulatory perspective, they have a number of significant security and user experience disadvantages, so their use should be avoided wherever possible.
MasterCard® Identity Check™ is the solution to the demands of PSD2 and SCA Strong Customer Authentication. It uses the next generation of payment authentication protocols - EMV® 3-D Secure - to reduce fraud and cart abandonment, as well as provide a better customer experience.
MasterCard® Identity Check™ improves digital payment security, increasing approvals and reducing friction for your customers while protecting them and merchants from card-not-present fraud.
PayCEC’s SCA secure payment gateway was established in response to the growing need of global online businesses to accept SCA secure online payments more quickly and easily. In the digital era, our payment flow has evolved to work seamlessly and effectively across all platforms and devices. We pride ourselves on combining superior technology with first-class customer service.
PayCEC’s SCA secure payment gateway for online businesses is a truly global payments platform that not only allows customers to get paid instantly and securely, but also withdraws funds to their business accounts in various currencies.
We have created an open and secure payments ecosystem that entrepreneurs and businesses choose to securely transact with each other online and on any device. We proudly maintain the highest level of client advocacy in the industry.
We are honored to serve as your reliable business partner and financial service provider, in the payments industry and other business-related services. With the help of our professional staff, we help merchants achieve their goals for the development and expansion of their international business.
Our payment flow has developed in the e-commerce world to perform seamlessly and effectively across all platforms and devices. We take pleasure in combining technology with customer service, to solve your concerns at the moment.
PayCEC is a fully worldwide payment network that not only allows merchants to be paid immediately and securely, but also allows them to withdraw money in multiple currencies to their company accounts.