Strong Customer Authentication (SCA): History & Compliance
More than half of all fraudulent card transactions in the Single Euro Payments Area (SEPO), which encompasses 35 European countries, involve online transactions. In 2019, the strong customer authentication, or SCA, requirements were enacted to help protect customers and financial institutions operating within the European Economic Area (EEA) from fraud and financial crime.
A requirement of the European Union Revised Directive on Payment Services (PSD2), the SCA requires that electronic payments made through payment service providers in the EEA enact multi-factor authentication (MFA) to add an extra layer of security for payments made electronically or online.
What is strong customer authentication (SCA)?
In an effort to make contactless payments more secure and reduce fraud, as part of the revised Payment Services Directive (PSD2), the SCA (strong customer authentication) was enacted on September 14, 2019, for businesses who process payments in Europe. A European regulatory requirement, the SCA requires the use of MFA (multi-factor authentication) to make payments more secure by adding additional authentication to the checkout flow.
To comply with SCA requirements, merchants are required to ask for at least two of the following elements during checkout of an online transaction:
- Something a customer knows: This is often a password or PIN.
- Something a customer has: This could be a smartphone, software, or hardware token.
- Something a customer is: This typically involves a form of biometrics, such as a fingerprint or retina scan or facial recognition.
Banks are required to decline transactions that do not meet SCA requirements. The use of more dynamic data points can more accurately verify the identity of a customer.
Prior to the SCA requirements, banks were only able to ask for a static password. SCA uses MFA to make online transactions more secure.
Who is in charge of strong customer authentication?
Strong customer authentication is enforced by the European Banking Authority (EBA) within the EU (European Union). In the UK, it is governed by the Financial Conduct Authority (FCA).
Banks and financial institutions, not merchants, are required to comply with the PSD2 SCA regulations. Banks are required to maintain SCA compliance. They are in danger of violating the law in their country if they do not decline non-compliant transactions.
The method of implementation for SCA regulations during these transactions can depend on the type of transaction. Online debit and credit card transactions often rely on 3D Secure 1 (3DS1) or the more secure 3D Secure 2 (3DS2). Local payment methods and e-wallets often use their own specific SCA-compliant authentication methods.
With 3DS2, which is supported by most European credit and debit card companies, an extra authentication step is added after checkout by their bank. This can commonly include a one-time code sent to the customer’s smartphone or fingerprint authentication within their mobile banking app. Digital wallets and international e-wallets, such as Apple Pay and Google Pay, may also support SCA requirements.
When is strong customer authentication necessary?
Strong customer authentication is required when a transaction is considered to be “customer initiated.” This will include bank transfers and online purchases. When a transaction is considered to be “merchant initiated,” such as with recurring debits, SCA is not required.
The SCA is required for online European payments when both the cardholder’s bank and the business are both located in Europe. SCA compliance is required for online payments made in the EEA (European Economic Area), the UK, and Morocco. It requires online shoppers to perform an extra level of authentication upon checkout.
The SCA first took effect on September 14, 2019, but it was delayed in many areas until businesses were able to gain compliance. The SCA in the UK, for example, was delayed until March 14, 2022. This delay was to minimize disruption for merchants and limit friction for consumers as much as possible.
Exceptions to the SCA
There are some cases where an SCA-exemption can be used. The merchant will request the exemption from the bank or credit card company when processing the transaction.
The merchant is able to assess the level of risk and determine if the transaction is out of scope of the SCA. If it is, it can be exempt from the extra layer of authentication. This can be desirable in some cases, as SCA authentication regulations can mean more friction for the customer and more potential customer drop-off rates for the merchant.
Common exemptions to the SCA regulations include the following:
- Low-risk transactions: If the provider or bank’s fraud threshold is below the following threshold:
- 0.13% for transactions below €100
- 0.06% for transactions below €250
- 0.01% for transactions below €500
- Low-value transactions: Transactions that are under €30 or €100 cumulative on the same card are exempt. However, the issuing bank is to keep track of the number of exemptions.
- Recurring transactions: If the transaction is a fixed amount and recurs, after the initial transaction fulfills SCA requirements, additional transactions are exempt. As these are fixed and recurring, they can fall under “merchant initiated” transactions and therefore are no longer under the scope of the SCA.
- Trusted beneficiaries: The customer is able to put certain chosen merchants on a whitelist held by their bank that are then exempt from following SCA regulations.
- B2B transactions: When using a payment instrument dedicated to making B2B transactions, transactions between two corporations can be exempt from SCA.
As previously discussed, “merchant-initiated” transactions that do not have direct customer involvement are out of the scope of SCA regulations. Phone transactions and mail-order transactions are also out of scope, as these are not considered to be electronic.
If the issuer of the card or the cardholder is not based in the EEA, Monaco, or the UK, they are also not under the scope of the SCA.
Strong customer authentication outside of Europe
Other financial regulatory boards in countries outside of the European Union, Morocco, and the UK are looking to implement strong customer authentication as well. For example, the Reserve Bank of India has mandated an “additional factor of authentication” for card-not-present, which are typically online, transactions.
In Australia, the Australian Competition & Consumer Commission (ACCC) blocked efforts to make 3D Secure mandatory due to complaints that it would disrupt the consumer’s experience and therefore cause merchants to potentially lose sales.
As technology advances and financial fraud increases, it is likely that additional countries are going to adopt higher levels of authentication for online purchases, including protocols like the SCA.
Additional resources
You can read more details on the regulatory standards for electronic payments in the European Union (EU) here.
The technical standards behind the PSD2 and SCA are detailed here.
Major credit card companies, such as Mastercard and Visa, offer details on how they work to remain compliant with SCA regulations and requirements.
References
Payment Fraud. (2022). Europol.
Payment Services (PSD 2) – Directive (EU) 215/2366. European Commission.
EBA European Banking Authority. (2018). European Banking Authority (EBA).
FCA Financial Conduct Authority. (2022). FCA.
3DSecure2. 3DSecure2.
Apple Pay. (2022). Apple, Inc.
Google Pay. (2022). Google.
SCA Rules Come into Force Today for E-Commerce Transactions. (March 2022). Infosecurity Magazine.
Reserve Bank of India India’s Central Bank. Reserve Bank of India.
Welcome to the ACCC. Australian Competition & Consumer Commission (ACCC).
Commission Delegated Regulation (EU) 2018/389. (March 2018). Official Journal of the European Union.
Final Report on Draft RTS on SCA and CSC. (February 2017). European Banking Authority (EBA).
Strong Customer Authentication (SCA). (2021). Mastercard.
Strong Customer Authentication. (2022). Visa.