Strong Customer Authentication explained: What is Strong Customer Authentication Solution for Businesses

Wednesday, 01 Jun, 2022

In this article we cover what SCA (Strong Customer Authentication) is and how the SCA regulation works: which transactions are exempt or out of scope, how SCA applies to your business, and how the PayCEC payment gateway can help you meet the SCA requirements. Let's start with the basics: what is Strong Customer Authentication?

What is SCA Strong Customer Authentication?

1. An introduction to Strong Customer Authentication solutions.

1-1. Get to know Strong Customer Authentication meaning:

SCA (Strong Customer Authentication) is a European regulatory requirement introduced under the revised Payment Services Directive (PSD2) and its Regulatory Technical Standards. It requires the payer to be authenticated with two independent factors, protects the confidentiality of the authentication data, and makes online payments more secure.

1-2. Strong Customer Authentication examples:

With SCA there are more ways to authenticate shoppers than the traditional "something they know" (a password). Other data points can be combined, as long as they come from at least two of the three categories: knowledge, possession and inherence.

Combining a fingerprint and a one time authentication code for SCA secure.

For example:

  • Facial recognition or a fingerprint (something they are) combined with their smartphone (something they own).
  • A code sent to their smartphone (something they own) combined with a personal password (something they know).
  • A fingerprint (something they are) or a one-time code sent to their smartphone (something they own) combined with their account password (something they know).

1-3. Strong Customer Authentication meaning for businesses:

Your customers may need to prove their identity to their bank with two independent factors when paying at your e-commerce store. SCA has been enforced for e-commerce in most of the EEA since 1 January 2021 (the end of the EBA's supervisory flexibility period) and in the UK since 14 March 2022, the FCA's extended deadline. If a customer cannot be authenticated with two factors, the issuer may decline the payment as non-compliant until the customer has been authenticated.

Your bank or the payment service provider company that provides the checkout service for your website will be able to “switch on” the technology required to perform the checks required by the Strong Customer Authentication regulation.

SCA face-to-face payments

Strong Customer Authentication applies to most face-to-face transactions too. Chip & PIN transactions are SCA compliant by design: the card is the possession factor and the PIN the knowledge factor. Contactless payments are exempt up to a per-transaction limit (EUR 50 under the RTS) and a cumulative limit (EUR 150, or five consecutive contactless payments, since the last authentication); once those limits are exceeded the terminal prompts the customer for their PIN.

Customers have more confidence when you offer good service and more payment options. Taking a card payment at your sales outlet is a face-to-face transaction: the customer pays at a Chip & PIN terminal.

For example, the MasterCard Biometric Card combines chip technology with a fingerprint sensor to verify the cardholder's identity for in-store purchases. The embedded sensor is powered by the chip, authenticates the cardholder through a fingerprint (an inherence factor, with the card itself as the possession factor), and can be used at EMV terminals worldwide.

Another example is the e-wallet: a protected digital account in a mobile app where you store and access money, an alternative to a typical bank account. An e-wallet keeps your funds in one designated place and removes the need to carry cash or cards. Some wallets can be topped up with a prepaid voucher bought in store: entering the PIN printed on the voucher receipt credits the wallet immediately, after which it can be used for online and offline payments.

When the wallet is used to pay, the transfer of funds to the payee is subject to SCA applied by the wallet provider (unless an exemption applies). Applying SCA once, at the wallet, keeps the consumer experience simple: the customer is not asked to go through two separate authentication processes within a short time for the same transaction.

SCA online payments

On September 14, 2019, SCA Strong Customer Authentication became a requirement for businesses processing SCA online payments in Europe.

Your customers may be asked to verify their identity with two factors during the checkout process. A technology called 3D Secure can help you meet this SCA online payments requirement. The latest version of this technology (called EMV 3DS) will provide your customers with the most convenient experience as they go through this process, reducing the likelihood that any additional steps will be required by your customer, and removing friction from the purchase process. This version of the technology is also more suited for use on mobile devices.

To support SCA online payments, you might need to integrate PayCEC's virtual terminal payment gateway.

Please contact PayCEC for further information to ensure you are ready to meet the SCA requirements for online payments.

KEY TAKEAWAY

  • Strong Customer Authentication is a European requirement introduced to make online payments more secure and reduce the risk of fraud.
  • Strong Customer Authentication requires customers to authenticate themselves using two factors prior to making SCA online payments.
  • However, Strong Customer Authentication does not need to be applied to all transactions. Some transaction types are out of scope, and exemptions may be applied in some other cases.

2. Strong Customer Authentication SCA requirements:

2-1. What are Strong Customer Authentication SCA requirements?

The SCA requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments. Shoppers need to complete extra levels of authentication when they pay online. These levels of Strong Customer Authentication involve asking customers for 2 of the 3 factors in Table 1:

The SCA requirement increases the security of electronic payments.

Factor / Examples

KNOWLEDGE: something only the payer knows. Examples: password, PIN, secret fact.

POSSESSION: something only the payer owns. Examples: mobile phone, wearable device, smart card, hardware token.

INHERENCE: something the payer is. Examples: biometrics (fingerprint, facial features, voice pattern, iris).

Table 1

Each of the two factors must be from a different category and must be independent, such that the breach of one does not compromise the reliability of the other.

KEY TAKEAWAY

Strong Customer Authentication requires the payer to be authenticated with two or more elements from the following categories:

  • Knowledge (something only the user knows).
  • Possession (something only the user possesses).
  • Inherence (something the user is).

2-2. General SCA requirements:

PSPs (Payment Service Providers) are required to have effective transaction monitoring mechanisms in place, to detect unauthorized or fraudulent payment transactions.

These mechanisms must take into account at least the following risk signals:

  • Lists of compromised or stolen authentication elements.
  • The amount of each payment transaction.
  • Known fraud scenarios.
  • Signs of malware infection in any session of the authentication procedure.
  • Where the access device or software is provided by the PSP, a log of the use of that device or software and any abnormal use.
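As an added example (not PayCEC's code and not any PSP's real monitoring system), the following Python models those five signal classes as checks run over a handful of constructed sample transactions. The thresholds, record fields and sample data are assumptions chosen for illustration; what it shows is that a clean transaction becomes a candidate for an exemption, while any raised signal forces authentication or a decline.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed thresholds for illustration; a real PSP tunes these from its own fraud data.
HIGH_AMOUNT_EUR = 500.0
MAX_TXNS_PER_DEVICE_PER_HOUR = 5


@dataclass
class Transaction:
    txn_id: str
    amount_eur: float
    card_token: str            # tokenised card reference (assumed); never the PAN itself
    device_id: str
    ip_country: str            # country derived from the client IP (assumed)
    billing_country: str
    ts_hour: int               # hour bucket of the timestamp, kept simple for the example
    session_malware_flag: bool = False   # set by the PSP's client integrity checks (assumed)


@dataclass
class MonitoringContext:
    compromised_elements: Set[str]   # card tokens / device ids reported stolen or compromised
    device_log: Dict[str, List[int]] = field(default_factory=dict)  # device_id -> hour buckets seen


def monitor(txn: Transaction, ctx: MonitoringContext) -> List[str]:
    """Return the risk signals raised for one transaction, one per RTS signal class.
    An empty list means none of the five classes fired."""
    signals: List[str] = []
    # 1. lists of compromised or stolen authentication elements
    if txn.card_token in ctx.compromised_elements or txn.device_id in ctx.compromised_elements:
        signals.append("compromised_element")
    # 2. the amount of each payment transaction
    if txn.amount_eur > HIGH_AMOUNT_EUR:
        signals.append("high_amount")
    # 3. known fraud scenarios (here: client geolocation disagrees with the billing country)
    if txn.ip_country != txn.billing_country:
        signals.append("geo_mismatch")
    # 4. signs of malware infection in the authentication session
    if txn.session_malware_flag:
        signals.append("malware_signs")
    # 5. log of use of the access device/software, and any abnormal use
    seen = ctx.device_log.setdefault(txn.device_id, [])
    seen.append(txn.ts_hour)
    if seen.count(txn.ts_hour) > MAX_TXNS_PER_DEVICE_PER_HOUR:
        signals.append("abnormal_device_use")
    return signals


def decide(signals: List[str]) -> str:
    """Turn the signals into an action: a compromised element is declined outright,
    any other signal forces SCA, and a clean transaction is a candidate for an exemption."""
    if "compromised_element" in signals:
        return "decline"
    return "challenge" if signals else "exemption_candidate"


def run_sample() -> Dict[str, Tuple[List[str], str]]:
    """Run constructed sample transactions (not real traffic) through the monitor."""
    ctx = MonitoringContext(compromised_elements={"tok_STOLEN", "dev_MALICIOUS"})
    txns = [
        Transaction("t1", 25.0, "tok_A", "dev_1", "DE", "DE", 10),
        Transaction("t2", 25.0, "tok_STOLEN", "dev_1", "DE", "DE", 10),
        Transaction("t3", 900.0, "tok_B", "dev_3", "NG", "DE", 10),
        Transaction("t4", 40.0, "tok_C", "dev_4", "FR", "FR", 11, session_malware_flag=True),
    ]
    # six rapid purchases from one device inside the same hour bucket
    txns += [Transaction(f"t5_{i}", 20.0, "tok_D", "dev_5", "ES", "ES", 12) for i in range(6)]
    results = {}
    for t in txns:
        s = monitor(t, ctx)
        results[t.txn_id] = (s, decide(s))
    return results


if __name__ == "__main__":
    for txn_id, (signals, action) in run_sample().items():
        print(f"{txn_id}: {action} {signals}")
```

The device log is the part most often missing in practice: the sixth purchase from the same device in one hour raises abnormal_device_use even though each payment on its own is small and geographically consistent.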

3. Which countries are in the scope of SCA Strong Customer Authentication?

3-1. Does SCA Strong Customer Authentication apply in the EU?

The countries in Table 2 participate in the European Economic Area (the 27 EU member states plus Iceland, Liechtenstein and Norway) and are therefore subject to the SCA regulation.

Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.

Table 2

3-2. Does SCA Strong Customer Authentication apply to the UK?

While the UK is no longer in the EEA (European Economic Area), equivalent SCA requirements apply in the UK under the FCA. For face-to-face card payments SCA has applied since 14 September 2019, as in the EEA; for e-commerce the FCA's original deadline of 14 September 2021 was extended, and enforcement began on 14 March 2022.

3-3. Is SCA Strong Customer Authentication required in the US - Canada - Australia - Japan - Singapore - Hong Kong - India?

SCA under PSD2 is not required where both the payer's and the payee's payment service providers are outside the EEA, so a purely US, Canadian, Australian, Japanese, Singaporean, Hong Kong or Indian transaction is out of scope (a transaction with only one side in the EEA is a "one leg out" case, covered in section 6-3). Based on local law, SCA may nevertheless apply to transactions in regions associated with EEA countries: micro-states and city-states in Europe, and territories of EEA countries outside Europe. Clients in those regions should ask their local regulator whether SCA applies and how to comply.

4. How does Strong Customer Authentication work in practice?

Implementing Strong Customer Authentication differs depending on the payment method. For credit and debit cards, 3D Secure is usually applied. E-wallets and other local payment methods often provide their own SCA compliant authentication step.

3D Secure

The 3D Secure protocol adds an extra authentication layer to verify the customer's identity and is supported by most European debit and credit card issuers. Once the customer completes the SCA step, liability for fraudulent chargebacks shifts from the business to the issuing bank.

3D Secure 2 (3DS2, also called EMV 3DS) provides a more user-friendly experience than 3D Secure 1 (3DS1): it passes device and transaction data to the issuer so that low-risk payments can be authenticated without a visible challenge. Both versions are SCA compliant, but the card schemes are retiring 3DS1 in October 2022, so new integrations should be built on 3DS2 and keep 3DS1 only as a fallback until then.
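As an added example (not PayCEC's code and not a 3DS Server implementation), this Python shows how a merchant-side integration should interpret the transStatus field of an EMV 3DS result message before relying on the liability shift described above: it treats the payment as authenticated only when the status, the ECI and the authentication value agree, sends status C into the challenge flow, and declines on N or R. The sample ARes and RReq messages are constructed; the transaction ID and authentication value are dummy values.

```python
import json

# Electronic commerce indicator values the card schemes set for an
# authentication result (Visa / Mastercard). Used here only to cross-check
# that the status and the ECI in a message agree with each other.
ECI_AUTHENTICATED = {"05", "02"}
ECI_ATTEMPTED = {"06", "01"}


def outcome(trans_status: str, eci: str, authentication_value: str) -> dict:
    """Map an EMV 3DS transStatus (ARes on the frictionless path, RReq after a
    challenge) to the merchant's next step. Only Y (authenticated) and A
    (attempted) carry the fraud liability shift to the issuer."""
    if trans_status == "Y":
        # 'Y' without a matching ECI and a CAVV/AAV is inconsistent: do not
        # rely on the liability shift; treat the message as broken or tampered.
        if eci not in ECI_AUTHENTICATED or not authentication_value:
            return {"action": "reject", "liability_shift": False, "sca": "inconsistent"}
        return {"action": "authorise", "liability_shift": True, "sca": "completed"}
    if trans_status == "A":
        if eci not in ECI_ATTEMPTED:
            return {"action": "reject", "liability_shift": False, "sca": "inconsistent"}
        return {"action": "authorise", "liability_shift": True, "sca": "attempted"}
    if trans_status in ("C", "D"):
        # Challenge (or decoupled) authentication needed: send the customer to
        # the issuer's ACS; the final status arrives later in the RReq.
        return {"action": "challenge", "liability_shift": False, "sca": "pending"}
    if trans_status == "U":
        # Authentication could not be performed (e.g. ACS unavailable).
        return {"action": "retry_or_decline", "liability_shift": False, "sca": "unavailable"}
    # N (not authenticated), R (rejected by the issuer) and anything unexpected
    return {"action": "decline", "liability_shift": False, "sca": "failed"}


def handle_message(msg_json: str) -> dict:
    """Parse an ARes or RReq and decide what to do next. The caller is expected
    to have verified that the message came over its own 3DS Server channel."""
    msg = json.loads(msg_json)
    if msg.get("messageType") not in ("ARes", "RReq"):
        raise ValueError("not an authentication result message")
    return outcome(msg.get("transStatus", ""), msg.get("eci", ""),
                   msg.get("authenticationValue", ""))


# Constructed sample messages (dummy transaction ID and authentication value).
SAMPLE_ARES_FRICTIONLESS = json.dumps({
    "messageType": "ARes", "messageVersion": "2.2.0",
    "threeDSServerTransID": "8a880dc0-d2d2-4067-bcb1-b08d1690b26e",
    "transStatus": "Y", "eci": "05",
    "authenticationValue": "AAABBJg0VhI0VniQEjRWAAAAAAA=",
})
SAMPLE_ARES_CHALLENGE = json.dumps({
    "messageType": "ARes", "messageVersion": "2.2.0",
    "threeDSServerTransID": "8a880dc0-d2d2-4067-bcb1-b08d1690b26e",
    "transStatus": "C", "acsURL": "https://acs.example-issuer.test/challenge",
})
SAMPLE_RREQ_FAILED = json.dumps({
    "messageType": "RReq", "messageVersion": "2.2.0",
    "threeDSServerTransID": "8a880dc0-d2d2-4067-bcb1-b08d1690b26e",
    "transStatus": "N", "eci": "07",
})
SAMPLE_ARES_INCONSISTENT = json.dumps({
    "messageType": "ARes", "messageVersion": "2.2.0",
    "transStatus": "Y", "eci": "07",
})

if __name__ == "__main__":
    for name, msg in [("frictionless", SAMPLE_ARES_FRICTIONLESS), ("challenge", SAMPLE_ARES_CHALLENGE),
                      ("failed", SAMPLE_RREQ_FAILED), ("inconsistent", SAMPLE_ARES_INCONSISTENT)]:
        print(name, handle_message(msg))
```

The consistency check matters because the liability shift is claimed in the authorisation message through the ECI and the authentication value; a status of Y that is not backed by both should never be forwarded as an authenticated transaction.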

E-wallets & Local payment methods

Apart from 3D Secure, you can also make sure you meet SCA requirements with local payment methods and mobile wallets. These have the added advantage of increasing conversion rates in certain markets and use cases. International e-wallets like Apple Pay and Google Pay™ also provide checkout flows that meet the new SCA requirements.

Ensure that local payment methods and mobile wallets meet SCA requirements.

5. What happens if you aren't SCA compliant?

According to MasterCard, fewer than 5% of merchants use technology that supports Strong Customer Authentication, and over 75% do not know what the SCA requirements are. Ready or not, once enforcement is in place any non-compliant transaction will be declined by the cardholder's bank. That could prove extremely costly for your business, especially if most or all of your income comes through online payments.

The FCA has stated that: "After September 14, 2021, any firm that fails to comply with the SCA requirements will be subject to full FCA supervisory and enforcement action". That statement referred to the original deadline; the FCA subsequently extended the e-commerce deadline to 14 March 2022.

However, rather than seeing this as a risk to your business, it could be an opportunity. Being proactive now, and ensuring you’re ready for Strong Customer Authentication, could help you stay ahead of your less organized competitors.

The good news is that PayCEC’s SCA compliant payment gateway is established for merchants who want to make changes to become SCA-ready. PayCEC’s SCA compliant payment gateway is a great option with strong compliance features built into it to better protect you and your customer’s sensitive data. Why not discover how our PayCEC’s SCA compliant payment gateway could help safeguard the business you’ve worked so hard to build up.

6. Implementing SCA Strong Customer Authentication exemption:

There are some e-commerce transactions which are out of scope of the SCA regulation and others that may be exempt (no Strong Customer Authentication required).

6-1. What are the SCA Strong Customer Authentication exemptions?

Strong Customer Authentication exemptions are defined based on the level of risk, amount, recurrence, and the payment channel used for the execution of the payment. These Strong Customer Authentication exemptions allow PSPs to achieve the right balance between convenience of the payment experience and fraud reduction.

The Strong Customer Authentication exemptions are available only to PSPs. The Strong Customer Authentication exemptions are not available to merchants, unregulated payment gateways, or other unregulated entities.

Your bank or checkout provider may also be able to help you "flag" payments that do not require Strong Customer Authentication: an exemption indicator is added to the authorisation request (or the 3D Secure request) so that those payments pass through without an extra check. By correctly identifying out-of-scope transactions and applying exemptions, merchants and issuers minimise friction and reserve Strong Customer Authentication for when it is needed.

Strong Customer Authentication affects the entire payment chain, and online payment is clearly the most complex SCA scenario. By setting up PayCEC's SCA compliant payment gateway, your business meets the SCA requirements and accepts more SCA online payments, and your customers gain trust, confidence and a low-friction purchasing experience, even when Strong Customer Authentication is required.

Strong Customer Authentication impacts the entire chain of payment.

Merchants should work with their acquirers to develop Strong Customer Authentication exemption strategies that respond to their business needs. To learn more about transactions that are either out of scope or exempt from Strong Customer Authentication, please contact PayCEC Relationship Manager for details.

6-2. Summary of Strong Customer Authentication exemptions:

The key Strong Customer Authentication exemptions are listed in Table 3; only one exemption may be applied to each transaction, by either the issuer or the acquirer.

Exemption: Contactless payments at POS. SCA is not required for contactless payments of up to EUR 50, provided the cumulative amount since the last SCA does not exceed EUR 150 or the number of consecutive contactless payments does not exceed five.
Exemption: Unattended transport and parking terminals. Payments at unattended terminals for transport fares (e.g. at transport gates) and parking fees.
Exemption: Trusted beneficiaries. The payer may add a trusted merchant to a list of trusted beneficiaries held by their issuer, completing an SCA challenge in the process; subsequent transactions with that merchant do not require SCA.
Exemption: Recurring transactions. Applies to a series of transactions of the same amount to the same payee; the first transaction of the series (and any change to it) requires SCA.
Exemption: Low value transactions. Remote transactions of up to EUR 30 do not require SCA, provided the cumulative amount since the last SCA does not exceed EUR 100 or the number of consecutive such transactions does not exceed five.
Exemption: Secure corporate payments. Payments made through dedicated corporate processes and protocols (e.g. lodged cards, central travel accounts and virtual cards).
Exemption: Transaction Risk Analysis (TRA). SCA is not mandated where a PSP with effective risk analysis tools assesses the fraud risk of a remote transaction as low. The PSP's own fraud rate sets the ceiling: up to EUR 100 at a fraud rate of 0.13% or less, EUR 250 at 0.06% or less, and EUR 500 at 0.01% or less. The issuer has the final say on whether SCA applies.

Table 3

6-3. Summary of transactions that are out of scope of Strong Customer Authentication:

The payment card transactions listed in Table 4 are considered to be out of scope of the SCA Strong Customer Authentication mandate.

Transaction type: Payee or Merchant Initiated Transactions (MIT). A transaction, or series of transactions, of fixed or variable amount and fixed or variable interval, governed by an agreement between the cardholder and the merchant that, once agreed, allows the merchant to initiate subsequent payments without the cardholder's direct involvement. Where the mandate is set up through a remote electronic channel, SCA applies to that initial customer-initiated transaction; the subsequent merchant-initiated payments are out of scope. Applies to all payment instruments, including cards.
Transaction type: MOTO. Mail Order/Telephone Order transactions are not "electronic" payments in the PSD2 sense, so they are out of scope.
Transaction type: One leg out. A transaction where either the issuer or the acquirer is located outside the EEA. The EEA-based PSP is still expected to apply SCA on a best-efforts basis.
Transaction type: Anonymous transactions. Transactions made with anonymous payment instruments (e.g. anonymous prepaid cards) are not subject to the SCA mandate.

Table 4

6-4. What if an SCA Strong Customer Authentication exemption fails?

While the list of Strong Customer Authentication exemptions is now quite clear, the customer's bank (the issuer) ultimately decides whether to honour an exemption. If the exemption is not granted, the issuer returns a "soft decline" response (Visa response code 1A, Mastercard 65) rather than a plain decline; the merchant then authenticates the customer, usually through 3D Secure, and resubmits the payment.
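As an added example (not PayCEC's or any card scheme's code), this Python implements the decision described in Tables 3 and 4 together with the soft-decline retry above: it classifies a payment as out of scope, exempt or requiring SCA using the RTS limits (EUR 50/150 contactless, EUR 30/100 low value, the TRA tiers), then simulates an issuer that does or does not honour a TRA exemption and shows the resubmission after a 3D Secure challenge. The Payment record, the issuer simulation and the result strings are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List

# Limits from the PSD2 RTS on SCA (Art. 11 contactless, Art. 16 low value,
# Art. 18 transaction risk analysis). Everything else (the Payment record,
# the issuer simulation, the result strings) is an assumption for this example.
CONTACTLESS_MAX_EUR, CONTACTLESS_CUMULATIVE_EUR = 50.0, 150.0
LOW_VALUE_MAX_EUR, LOW_VALUE_CUMULATIVE_EUR = 30.0, 100.0
MAX_CONSECUTIVE = 5
TRA_TIERS = [(100.0, 0.13), (250.0, 0.06), (500.0, 0.01)]  # (max amount, max PSP fraud rate in %)


@dataclass
class Payment:
    amount_eur: float
    channel: str                       # "pos_contactless", "ecommerce" or "moto"
    merchant_initiated: bool = False   # MIT under a mandate the payer already authenticated
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    trusted_beneficiary: bool = False  # payee on the payer's whitelist held by the issuer
    cumulative_since_sca_eur: float = 0.0  # sum of prior exempted payments since the last SCA
    count_since_sca: int = 0               # number of prior exempted payments since the last SCA


def _within_velocity(p: Payment, cumulative_limit: float) -> bool:
    # Either the cumulative amount (including this payment) or the count of
    # consecutive exempted payments (including this one) must stay within limit.
    return (p.cumulative_since_sca_eur + p.amount_eur <= cumulative_limit
            or p.count_since_sca + 1 <= MAX_CONSECUTIVE)


def classify(p: Payment, psp_fraud_rate_pct: float) -> str:
    """Return 'out_of_scope:<why>', 'exempt:<which>' or 'sca_required'."""
    if p.channel == "moto":
        return "out_of_scope:moto"
    if p.merchant_initiated:
        return "out_of_scope:mit"
    if not (p.issuer_in_eea and p.acquirer_in_eea):
        return "out_of_scope:one_leg_out"
    if p.trusted_beneficiary:
        return "exempt:trusted_beneficiary"
    if p.channel == "pos_contactless":
        if p.amount_eur <= CONTACTLESS_MAX_EUR and _within_velocity(p, CONTACTLESS_CUMULATIVE_EUR):
            return "exempt:contactless"
        return "sca_required"
    # remote (e-commerce) payment from here on
    if p.amount_eur <= LOW_VALUE_MAX_EUR and _within_velocity(p, LOW_VALUE_CUMULATIVE_EUR):
        return "exempt:low_value"
    for max_amount, max_rate in TRA_TIERS:
        if p.amount_eur <= max_amount and psp_fraud_rate_pct <= max_rate:
            return "exempt:tra"
    return "sca_required"


def simulate_issuer(decision: str, issuer_honours_tra: bool) -> str:
    """Issuer's answer to an authorisation carrying the given flag. Simulation only:
    a real issuer returns scheme response codes (the soft decline is Visa 1A /
    Mastercard 65)."""
    if decision == "exempt:tra" and not issuer_honours_tra:
        return "soft_decline"
    return "approved"


def authorise(p: Payment, psp_fraud_rate_pct: float, issuer_honours_tra: bool) -> List[str]:
    """Whole flow: classify, submit with the flag, and on a soft decline
    authenticate (3D Secure challenge) and resubmit. Returns the trace of steps."""
    decision = classify(p, psp_fraud_rate_pct)
    trace = [f"flag={decision}"]
    if decision == "sca_required":
        trace += ["3ds_challenge", "approved_after_sca"]
        return trace
    response = simulate_issuer(decision, issuer_honours_tra)
    trace.append(f"issuer={response}")
    if response == "soft_decline":
        # The issuer did not accept the exemption: authenticate, then resubmit.
        trace += ["3ds_challenge", "approved_after_sca"]
    return trace


if __name__ == "__main__":
    print(authorise(Payment(90.0, "ecommerce"), psp_fraud_rate_pct=0.10, issuer_honours_tra=False))
```

Note that the velocity counters belong to the issuer (they are kept per card across all merchants), so a merchant can only estimate them; that is one reason the same EUR 20 payment may be exempt at one moment and soft-declined the next.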

Strong Customer Authentication exemptions keep the customer journey frictionless.

KEY TAKEAWAY

  • Strong Customer Authentication exemptions aim to keep the customer journey frictionless for specific payment scenarios.
  • Out of scope transactions are not covered by the PSD2 mandate and don’t require Strong Customer Authentication.

7. How is Visa helping in SCA Strong Customer Authentication for businesses?

Visa actively monitors Strong Customer Authentication performance across the ecosystem and engages with participants where needed to help them find SCA solutions that let customers continue to pay seamlessly. Visa's vehicle for this is EMV 3DS, the industry standard protocol published by EMVCo and adopted by all major card schemes (Visa's implementation is branded Visa Secure); it is the mechanism for cardholder authentication at the time of an e-commerce purchase.

Visa strongly recommends that participants in the remote payments ecosystem adopt EMV 3DS for authenticating cardholders and as a means to apply SCA Strong Customer Authentication. This supports businesses in tracking and improving their Strong Customer Authentication performance, as well as reducing cart abandonment rates, and delivering a high quality, low-friction UX to create an optimal user experience.

Biometrics are the simplest and safest way to apply Strong Customer Authentication: they minimise checkout friction, and many customers already use them on their phones and find them attractive. EMV 3DS supports biometric authentication, for example through the customer's mobile banking app, which provides the inherence factor (with the enrolled phone as the possession factor). Knowledge factors such as static passwords are compliant from a regulatory perspective, but they can be phished, reused and forgotten, which makes them both weaker and more cumbersome, so their use should be avoided wherever possible.

8. How is MasterCard helping in SCA Strong Customer Authentication for businesses?

MasterCard® Identity Check™ is the solution to the demands of PSD2 and SCA Strong Customer Authentication. It uses the next generation of payment authentication protocols - EMV® 3-D Secure - to reduce fraud and cart abandonment, as well as provide a better customer experience.

MasterCard® Identity Check™ improves digital payment security, increasing approvals and reducing friction for your customers while protecting them and merchants from card-not-present fraud.

MasterCard® Identity Check™ gives you:

  • Enhanced security.
  • Greater flexibility.
  • Easy checkout.
  • Time and cost savings.
  • Increased revenue.
  • Differentiation from competitors.

KEY TAKEAWAY

  • MasterCard® Identity Check™ will help you manage SCA requirements, giving you and your customers greater peace of mind.

About PayCEC

PayCEC’s SCA secure payment gateway was established in response to the growing need of global online businesses to accept SCA secure online payments more quickly and easily. In the digital era, our payment flow has evolved to work seamlessly and effectively across all platforms and devices. We pride ourselves on combining superior technology with first-class customer service.

PayCEC’s SCA secure payment gateway for online businesses is a truly global payments platform that not only allows customers to get paid instantly and securely, but also withdraws funds to their business accounts in various currencies.

We have created an open and secure payments ecosystem that entrepreneurs and businesses choose to securely transact with each other online and on any device. We proudly maintain the highest level of client advocacy in the industry.

PayCEC Team
