Strong Customer Authentication (SCA) requirements officially went into effect on 14 September 2019. They aim to make the online payments system safer for both merchants and consumers; SCA is designed to verify that an online customer is who they say they are by adding an extra layer of protection at the time of the transaction, when a customer pays online. 

To date, few European banks have started enforcing these requirements and declining non-authenticated payments. This is due to a temporary enforcement delay announced by the European Banking Authority on 21 June 2019. On 16 October 2019, the European Banking Authority further announced that the new SCA requirements should be fully enforced by 31 December 2020.

What are the changes?

In the past, e-commerce customers only had to give their card number and the CVC verification code to pay online. From 14 September 2019 onwards, more information will be needed for the transaction to succeed. The move is intended to prevent fraudulent payment transactions, stopping millions of pounds' worth of fraud every year.

Two different types of checks – known as two-factor authentication – will be introduced for some online payments. In the past, additional authentication might have been a password or a question like "What is your mother's maiden name?", but now more sophisticated methods will be allowed, from fingerprints to wearable devices or tokens.

The changes apply to online payments within the European Economic Area (EEA), when both the cardholder's bank and the business's payment provider are in the EEA. They are the result of the banking and payments industries working together with regulators to create a solution to the EU Payment Services Directive (PSD2). These changes will be made whatever the UK's relationship with Europe in September, as the new rules are being passed into UK law.

You need to make sure your business understands what these changes mean for day-to-day operations and how to remain compliant.


When will Strong Customer Authentication be used?

Strong Customer Authentication (SCA) applies when a customer:

  • logs on to their online payment account
  • makes an electronic payment online
  • carries out another potentially high-risk transaction online, like changing their telephone number

To comply with the regulations, a new standard for verification, 3D Secure 2.0, will be required. 

A much higher number of transactions are likely to require authentication, and you may need to upgrade your website to support this new functionality. The new 3D Secure is designed to operate more smoothly and seamlessly on both desktop and mobile devices, improving the payment experience for customers.


Transactions that do not need SCA

Some payments will be exempt from SCA. These include transactions that are:

  • Low value (below €30): An electronic transaction that is below the value of €30, doesn’t number more than 5 transactions, or exceed a €100 cumulative spend value.
  • Contactless (below €50): A contactless card transaction that is below the value of €50, doesn’t number more than 5 transactions, or exceed a €150 cumulative spend value.
  • Below the fraud rate threshold
  • From a trusted beneficiary – whitelisting: When the cardholder has listed a particular merchant as a trusted beneficiary with their bank, transactions will be exempt from 3D Secure. This process is also known as whitelisting. This means customers who shop with you regularly and add you to their whitelist will not usually need to authenticate payments with you again. Adding or amending details about a trusted beneficiary will require additional authentication. It's also worth knowing that issuers can still reject the whitelisting request if the customer is thought to be high fraud risk.
  • Mail orders and telephone orders
  • Subscriptions: Recurring transactions like subscriptions with a fixed amount will be exempt from the second transaction onwards – once the initial transaction has been authorised.