Planet

What is Strong Customer Authentication (SCA)?

Last updated on March 19, 2024

What is strong customer authentication?

Strong customer authentication, or SCA, is a European regulation designed to slash payment fraud rates and bolster the security of contactless and online transactions. It affects everything from Google Pay to credit card transactions to contactless at the till. 

SCA is tucked into the European Union’s revised Payment Services Directive (PSD2). It was inspired by the European Banking Authority’s regulatory technical standards (RTS) and is enforced by the EBA. 

The regulation has been in place since 2019 although deadlines were extended for some jurisdictions. However, this directive has been thrust into the spotlight once again as results are gathered and payments technology continues to evolve. One thing is clear — SCA has changed the European payments landscape forever. 

How Strong Customer Authentication works 
SCA processes are activated in payer-initiated online transactions across Europe. They also apply when a customer accesses an online account. Contactless payments made in brick-and-mortar store locations also apply. Most credit/debit card payments plus bank transfers require SCA. But traditional face-to-face payments where a chip or PIN is required at the till don’t apply.  

SCA is critical, but it isn’t something that happens automatically. In fact, banks are in the habit of declining payments that require SCA but don’t meet the requirement. That’s why it’s important for payment service providers to build this technology into their point-of-sale systems, even if it requires an investment. 

This creates some new challenges for payment processing companies. Shoppers should have a frictionless experience so there is a low risk of shopping cart abandonment. 

You can think of SCA as two-factor authentication on steroids. Not every consumer wants to involve their cell phone with transactions. Picture the inner workings of Europe’s payment services directive as being three-pronged. But only two of these requirements must be met for a bank to potentially approve a transaction.  

  • Something the customer is. Biometrics, like fingerprints, voice patterns or facial recognition technology. 
  • Something the customer knows. Passwords or passphrases or personal details, for example. 
  • Something the customer owns. Mobile phone, smart card or hardware token. 

Payment flows and card payments 
Customers should expect to face greater verification standards when they shop online across Europe. Basically, consumers still must enter their usual account information like a card number, expiration date, CVV and postal code. 

But now they must also successfully provide two of the three authentication features attached to SCA. Considering that there are multiple data points to choose from, they should be able to find the winning combination. 

Traditionally card payments are a two-pronged scenario involving authorisation and capture. Authorisation happens when the bank approves the transaction and capture occurs when the card is actually charged. But SCA has introduced a third step — authentication.

The authentication step is in place to thwart fraud around card payments. It occurs when the customer is active on a merchant’s website or app, most commonly during the checkout phase. 

Here’s how it works. 

  • A cardholder looking to make an online purchase is prompted by their bank to complete the verification process. At first, the payment system will automatically request an exemption — if the transaction qualifies. Verification is necessary if the transaction doesn’t fall under an exemption or if the bank denies the exemption request. 
  • Next, the merchant’s system will nudge the bank to approve the transaction. The shopper’s bank will make the call on whether to approve or decline the transaction. If the bank declines, it’s up to the merchant to recapture the customer’s attention to give authentication another go. 
  • Authentication will take the form of one of the three aforementioned channels: something the customer is (biometrics), owns (mobile device, etc.) or knows (passphrase, etc.). 

Merchants are having to invest in technology to revamp their payment flows and accommodate SCA. As of 2022, 40 per cent of U.K. businesses, in particular, changed payment systems to streamline the checkout process in adherence with SCA. 

It’s a good idea to tell customers that the shopping experience has changed as soon as possible. Ideally the bank or card issuer will take on this role. Merchants might want to be involved, too. If customers know changes are coming, they’ll be less likely to abandon their carts due to a more intricate verification process. 

What is 3D Secure? 

Europe’s push toward greater security in ecommerce is intertwined with the rise of a technology called 3D Secure. The card-issuer giants are behind it. As the name suggests, it’s designed to add another layer of security to card payments. This technology places the liability for any fraudulent charges on the financial institution processing the payment, not the merchant. 

Most businesses have been exposed to this security layer whether they realise it or not. 3D Secure has been rolled out under a couple of brands, including Visa Secure, Mastercard Identity Check and American Express SafePay. 

Most recently, 3D Secure 2 has emerged. 3D Secure 2 delivers “frictionless authentication” and a better shopping experience vs. the earlier version. It’s the most widely used system across Europe for SCA and facilitates the exemptions in the rule that merchants can harness. More on that later. 

The rise of 3D Secure 2 serves as a reminder that the technology around SCA continues to evolve. PSPs will have to evolve along with it or risk getting left behind.

Contactless payments and digital wallets
The second payment services directive isn’t limited to internet commerce. It also extends to contactless payments at the till, also known as tap and go.

Contactless payments by nature have limits on transaction amounts of up to approximately EUR 100. But considering the cross-border nature of payments, these upper limits can be tweaked. 

The rise of digital wallets has forever altered the payments landscape. As consumers increasingly rely on a mobile device to make quick and convenient payments, strong customer authentication must be present here too.

Big tech must have thought it through. Products like Apple Pay, Google Wallet and Square’s Cash App were built with SCA-compliant features like biometric authentication. They don’t require additional verification layers vis-à-vis banks. 

Exemptions to the SCA rule 
There are exceptions to every rule, and SCA is no different. Payment transactions that are deemed low value most likely won’t have to jump through the SCA hoops. Low value is anything under EUR 30. But in certain situations, like if too many exemptions have been requested in a row, the authentication trigger must be reset.

Shoppers also have the option to keep a running list of beneficiaries. These are merchants that the consumer deems a-okay on the trust scale. The list is kept either with the bank or the payment processing company.

It’s safe to consider digital wallets like Apple Pay and Google Pay exempt from SCA requirements thanks to the level of security already built in. The cardholder’s bank will make this call.

There are other exemptions, mainly involving payee-triggered transactions. When a payment is initiated by the merchant rather than the payer, the SCA exemption kicks in and enhanced verification isn’t required. This is as long as the bank supports the subscription company.

For example, a Netflix subscription that is contractual in nature is considered a recurring payment. Payers will need to provide strong authentication for the first payment transaction but not over and over again, unless perhaps the price increases.  

Additionally, low-fraud situations where the value of the purchase is nominal are exempt from strong customer authentication. But to qualify, the fraud rate attached to a payment provider or bank must hover below a certain threshold. 

Certain APIs will automatically request exemptions to the SCA rule when they are applicable. The request will generally occur prior to authentication, making the checkout experience somewhat lighter for shoppers and reducing the risk of losing the customer. These limits include: 

  • 0.13% for payment transactions under EUR 100
  • 0.06% for payment transactions under EUR 250
  • 0.015 for payment transactions under EUR 500

When in doubt, a bank is likely to decline a transaction. 
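The exemption rules and the two-of-three factor requirement described above, as an added Python example that is not part of the original article: the EUR 30 low-value limit and the fraud-rate bands are the page's own figures, while the factor names, the consecutive-exemption limit of 5 and the reading of the page's "0.015" as a percentage are assumptions.

```python
"""SCA exemption and factor checks modelled on the rules this page describes.
Added example, not Planet's code; thresholds are the page's, other values are assumptions."""
from dataclasses import dataclass, field

# The three factor categories named on the page. Two factors from the SAME
# category (e.g. password + PIN) do not satisfy SCA; the categories must differ.
FACTOR_CATEGORY = {
    "fingerprint": "inherence", "face_scan": "inherence",       # something the customer is
    "password": "knowledge", "pin": "knowledge",                # something the customer knows
    "phone_otp": "possession", "hardware_token": "possession",  # something the customer owns
}

def meets_sca(factors):
    """True only when the presented factors span at least two different categories."""
    return len({FACTOR_CATEGORY[f] for f in factors}) >= 2

# Transaction-risk-analysis limits from the page: (amount ceiling in EUR, max PSP fraud rate in %).
# The page writes the last rate as "0.015" with no unit; it is read as a percentage here (assumption).
TRA_LIMITS = [(100, 0.13), (250, 0.06), (500, 0.015)]
LOW_VALUE_EUR = 30
MAX_EXEMPTIONS_IN_A_ROW = 5  # assumed value; the page only says "too many in a row" forces SCA

@dataclass
class Payer:
    trusted_merchants: set = field(default_factory=set)  # beneficiary list kept by the bank or PSP
    exemptions_in_a_row: int = 0

def _exemption(amount, merchant, payer, psp_fraud_rate, merchant_initiated):
    if payer.exemptions_in_a_row >= MAX_EXEMPTIONS_IN_A_ROW:
        return None                      # run exhausted: authenticate this time
    if merchant_initiated:
        return "merchant-initiated"      # e.g. a recurring subscription after the first payment
    if merchant in payer.trusted_merchants:
        return "trusted-beneficiary"
    if amount < LOW_VALUE_EUR:
        return "low-value"
    for ceiling, max_rate in TRA_LIMITS:
        if amount < ceiling:             # the lowest band the amount fits in sets the threshold
            return "low-risk" if psp_fraud_rate <= max_rate else None
    return None                          # EUR 500 and above: no low-risk exemption

def sca_decision(amount, merchant, payer, psp_fraud_rate, merchant_initiated=False):
    """Return the exemption name, or "authenticate" when SCA must be triggered.
    The issuer still has the final say; this mirrors only the PSP's request logic."""
    reason = _exemption(amount, merchant, payer, psp_fraud_rate, merchant_initiated)
    if reason is None:
        payer.exemptions_in_a_row = 0    # SCA is performed, so the consecutive-exemption run resets
        return "authenticate"
    payer.exemptions_in_a_row += 1
    return reason
```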

Customer friction vs. authentication 
Chief among the concerns around SCA for e-commerce businesses has been the user interface. Customers have gotten used to functionality that provides a frictionless internet experience. SCA stands to potentially upset the apple cart. 

So in addition to cutting down on fraud, observers are also watching to see if consumer behaviors are changing at all due to the enhanced authentication steps. The user experience is key for driving revenues in e-commerce. Getting SCA wrong would be costly for any business. 

Hindsight is 20/20. Now that SCA has been integrated into Europe’s payments industry, the pain points are more obvious. 

The U.K. struggled with adopting this standard and therefore got its deadline pushed back to 2022. Meanwhile, Nordic countries had a more seamless experience thanks to more mature electronic payments infrastructure that was nimbler to accommodate. Spain, by contrast, continues to face challenges, particularly as they relate to 3DS. 

But business owners don’t have to choose between frictionless and security. They can have the best of both worlds. It all comes down to the different types of payment flows. 

Geographical scope 
You may be wondering about jurisdictional nuances for online card payments. In this case, SCA is relevant when both the merchant and the consumer’s financial institution are based in the European Economic Area (EEA). 

The deciding factor is whether the transaction is a two-leg transaction, meaning both the merchant and the consumer’s financial institution are based in the EEA. 

There are exceptions to the two-leg rule. Some European financial institutions must also adhere to SCA for one-leg transactions, when the consumer is located in Europe but the merchant is not.

For payment processing at least two of the authentication buckets must be realised. This produces an authorisation code that allows the payor to make the online purchase. 

SCA Pros & Cons
The benefits around SCA are pretty clear. Payment fraud is reduced while consumer confidence for online and contactless transactions grows. Meanwhile, merchants and payment processing companies alike adhere to the same standards across the eurozone, eliminating confusion or an uneven playing field among financial players.

As it stands, many consumers are still taken by surprise by the stronger authentication measures. A survey from 2022 reveals that just over 50% of British survey participants are familiar with SCA. The results were more alarming in Italy and France, where less than 33% of poll participants knew about the stronger verification measures.

The downside is that these consumers are more inclined to abandon their carts when shopping online. Importantly, most consumers agree that the greater protection measures are worth the added hassle. But they are also becoming frustrated and confused by poor checkout experiences.

It’s up to payment processing companies to strike a delicate balance between a frictionless checkout experience and strengthening their anti-fraud technology.

Is SCA working? 
The purpose of SCA is to cut down on credit card fraud in the eurozone. The European economy experiences $1.3 billion in fraudulent online transactions annually, according to ECB estimates. Meanwhile, the size of Europe’s e-commerce market is only growing and is forecast to reach $1.1 trillion in volume in 2026.

The U.K. is the biggest target, where there are reportedly 134 fraudulent transactions for every 1,000 consumers. Fortunately, it appears that SCA is doing what it was meant to do in the U.K. Close to 75 per cent of merchants experienced a drop in online credit card fraud in the first 200 days after SCA became official. Consumers are not complaining either, with 80% of them willing to endure longer transaction times in exchange for greater security.

However, just over one-quarter of online businesses have yet to comply with the latest directive. They are losing over GBP 2 million in sales revenue on a daily basis. Europe may be the first continent to implement SCA. But the world is certainly taking notes. 
