Get your e-commerce site ready for Strong Customer Authentication (SCA)

If you are a business operating online that also takes payments online you may well already be aware of the changes to payment authentication measures that will come in to effect later this year. As part of the EU Payment Services Directive, which took effect in January 2018, many online transactions will now be subject to a layer of additional security authentication, specifically Strong Customer Authentication (SCA). This will apply to the majority of transactions valued over €30. This means that customers spending over this amount will no longer be able to buy online using just their card details, and will need to provide an additional layer of security information in order to be able to complete their transaction successfully.

So why is this being introduced?

The short story is, it’s currently far too easy to commit payment fraud online. Losses because of payment fraud have steadily increased over the past decade. As more and more of our day to day financial transactions move to online, it is inevitable that this will only continue to increase along with it. The European Commission has therefore deemed it necessary to intervene and place strong customer authentication requirements on participants to reduce online payment fraud and stop it’s growing numbers escalating further, as one of the core components of PSD2.

What’s changing?

From 14^th September 2019, all ecommerce transactions will be processed via secured industry protocols, namely 3DSecure. Additional authentication will be needed for online transactions, although there are some notable exceptions to this which we’ll talk about later in this blog.

Strong customer authentication (SCA) requires at least two independent pieces of data in it’s authentication process. Each electronic payment will require this authentication, known as multi-factor authentication (MFA) or two-factor authentication (2FA). There are three available types of form factor for such transactions. These are:

Knowledge – Something only the customer knows, such as a PIN or a password.

Possession – Something only the customer has, such as a card reader, or a mobile phone.

Inherence – Something the customer is or is unique to them, essentially a biometric such as a fingerprint, facial/voice recognition.

As mentioned before there are some exemptions to the SCA requirements, and these include:

Face-to-face contactless payments – provided the single transaction does not exceed €50 in total

Low value online payments – The value of this must not exceed €30 in total

Whitelisting – It will be possible for a customer to add a trusted merchant to a list of trusted beneficiaries held by their own Issuer (however they will be required to complete the SCA in the process) to prevent further SCA authentication requirements on any future transactions with that particular merchant.

Recurring payments – These must be made to the same merchant for the same amount each time to be exempt. So as an example, your Netflix subscription will likely be exempt.

What else will change?

The new rules will also affect some contactless payments in stores. After 14^th September, card issuers are required to prompt the Cardholder to perform a Chip and Pin transaction each time their cumulative contactless spend reaches €150 since their last Chip and Pin transaction.

What will happen after 14^th September 2019?

If your ecommerce transactions are not processed via a secure industry protocol such as 3DSecure by 14^th September then it is likely that payments made through European issuers will start to be declined. The current 3DSecure implementation (3DSv1) will continue to be supported until the end of 2020. After this 3DSecure v2 will become mandatory worldwide.

What should I do next?

How far these changes will affect your own business will really depend on the type and size of transactions that you take on your website. The best thing to do in order to have a clear understanding of the impact on your own business is to discuss the changes directly with whichever merchant you use for payment integrations on your website, or check their website for any provider-specific advice.