Strong Customer Authentication (SCA) is a requirement of the updated Payments Services Directive (PSD2) and requires banks to perform additional checks when a consumer makes an online purchase to verify their identity. Strong Customer Authentication aims to reduce fraud, protecting consumers and merchants alike. As merchants, it’s essential to be informed and stay up to date with Additional SCA identify verification step ups. They have the potential to cause friction during the checkout process. There are also exemptions to SCA which can be applied and would exclude some transactions. Merchants should be aware of all of these factors. Overall, by recognising the opportunities of SCA, we can identify ways to maximise revenue and the customer experience, while reducing fraud and abuse.
What does SCA mean?
Strong Customer Authentication will apply to customer initiated online payments, the regulation has been implemented across Europe from the 1st January 2021 and will be enforced in the UK from the 14th March 2022.
In simple terms, Strong Customer Authentication is a process that authenticates the identity of customers, allowing them to complete online payments.
But how does payment SCA confirm your identity? Well, Strong Customer Authentication will look at three factors to determine a customer’s identity. These factors are known as knowledge, possession, and inherence. This means SCA will seek to identify something you know, like a PIN or password; something you own; such as a mobile phone or tablet; or something you are; scanning fingerprints or using facial recognition.
Together, these factors come together to verify your identity, and customers in the UK and EU must prove at least two before completing their online purchases.
What are the exemptions to SCA?
PSD2 has changed the way that payments are secured. Before the regulation was introduced, SCA was only needed if a consumer was at a high risk of fraud. But now, all transactions are considered a risk. Only payments that meet certain criteria are exempt from requiring Strong Customer Authentication.
SCA exemptions are granted where transactions are considered to be low risk. These include:
Card transactions under €50
These are low-value transactions, and as such, they qualify for a low-value exemption. However, SCA can be triggered if five consecutive low-value purchases are made, or if the total value of low purchases exceeds €100.
TRA or low-risk exemption
TRA stands for transaction risk analysis. Under TRA, a transaction undergoes a real-time risk assessment. If it is deemed to be a low-risk transaction, it will be exempt from SCA. To take full advantage of the low-risk transaction exemption, a merchant needs to keep its fraud rate below specific fraud rates.
SCA is not required on subscription services. While an initial SCA may be needed to verify your identity, subsequent charges do not need your verification.
If a customer trusts a merchant, customers can ask their bank to whitelist their purchases. This means that SCA will not be required when buying through them. This may be used for repeat transactions. This does not prevent SCA altogether, as if there is a risk of fraud, it may still be required.
If payments are processed through a secured, dedicated payment protocol, business-to-business payments may also be exempt from SCA.
Transactions that are out of scope
Certain payments can be excluded from SCA regulation. These transactions are considered ‘out of scope’, meaning that SCA rules will not apply, and exemption is not necessary. Transactions that are out of scope of SCA include:
Phone or email orders
A merchant can accept payments through mail order or telephone order. These transactions are normally encrypted using methods similar to those paying online. While these payments are out of scope of SCA, they may require more action from the customer.
Prepaid card transactions
Prepaid cards are a little different to normal debit cards. They must be preloaded with cash before their use, and you can only use the balance on the card. One benefit of prepaid cards is that they are out of scope of SCA and can be easily acquired by those with a low credit score, meaning more customers have access to ecommerce stores. Prepaid cards also include gift cards that attribute credit to customers for use at a specific retailer.
One Leg Out transactions (OLO)
Transactions where the acquiring bank or the issuing bank is outside the UK and the European Economic Area are out of scope of SCA. This means that if one of the PSPs (either the payer or the payee) are outside of the UK or EU, then SCA will not be required.
Minimising the Disruption: Merchant's Guide to Simplifying SCA
Signifyd explains everything you need to know about SCA, how will it impact your ecommerce business, and how to prevent future fraud. Download the ebook.