What is Strong Customer Authentication (SCA) and how does it work?

SCA (two-factor authentication) is an essential feature of the latest PSD2 regulation. But how does it work and how can you implement it?


As online shopping continues to grow at an exponential rate, it has presented new opportunities for cyber criminals to exploit cardholder information. According to Juniper Research, online payment fraud is forecast to cost merchants over US $362 billion between 2023 and 2028, with losses expected to reach US $91 billion in 2028 alone.

This has prompted regulatory authorities to introduce new payment legislation and mandates to safeguard customers and merchants against eCommerce-related fraud. One such mandate is Strong Customer Authentication (SCA), a Payment Service Directive 2 (PSD2) regulation that aims to strengthen security for online payments.

In this article, we’ll dive into what SCA is, when SCA is required and when SCA exemptions can be applied, as well as related topics.

What is Strong Customer Authentication (SCA) and what is it used for?

The European Commission mandated SCA, as part of its PSD2 legislation, to provide an additional layer of security for online payments to reduce instances of fraud. It requires eCommerce transactions processed in the UK, Monaco and the EEA to be authenticated using two or more of the following identification factors:

  • Knowledge: something only the customer knows, such as a password or PIN
  • Possession: something only the customer has, such as the card or a registered device
  • Inherence: something the customer is, such as a fingerprint or facial scan

It should be noted that the above authentication factors should be independent, such that if one factor is compromised, the reliability of the others remains intact. Moreover, the choice of factors to be used is dependent on the issuer, which can be determined using a Merchant Plug-In (MPI).

How does SCA work?

Your payment service provider (PSP) is responsible for making sure that all relevant transactions are SCA compliant. They can achieve this by implementing 3DS2 (also known as 3D Secure 2.0 or Three-Domain Secure 2.0), which is the most common security protocol used to satisfy the PSD2’s SCA requirement.

The protocol incorporates the SCA requirement into your existing checkout experience and runs an authentication flow based on the issuer’s requirements. This allows customers to complete the additional authentication steps within your website, with no redirection necessary. This way, your business can ensure that your customers have a safe, secure and seamless payments experience.

There are select occasions when SCA will be requested for card present transactions; for example, when the card user has exhibited buying behaviour that may be interpreted as fraudulent. This means contactless payments may need to be followed by the entry of a PIN. In these cases, the PIN and the card itself fulfil the first two SCA categories, knowledge and possession.

SCA vs non-SCA payments

According to the FCA, SCA applies when a payer located in the UK and/or EEA:

  • Initiates an electronic payment transaction
  • Accesses their bank account online
  • Carries out any action remotely that may imply a risk of payment fraud, unless an exemption applies

There are also certain transactions that are classed as out of scope (or non-SCA), which means SCA doesn’t need to be applied. This includes:

  • One-leg transactions, i.e. cross-border payments where only one of the parties (e.g. the issuer or the acquirer) is located in an SCA-mandated country
  • Mail Order or Telephone Order (MOTO) payments
  • Anonymous payments (e.g. gift cards)
  • Merchant-initiated transactions (including recurring payments)

However, you’ll find there are certain cases where payments are eligible for exemptions to SCA (more to come on this in the next section).

What are SCA exemptions?

In addition to out-of-scope payments, your payment service provider can request an exemption for specific transactions, depending on the risk level of the payment, the transaction value and the frequency of purchases, among other factors. However, in doing so, the chargeback liability will shift from the issuer to the merchant.

Please note, the issuer can choose to decline a payment and request SCA, even if an exemption has been submitted.

  • White-listed merchant: Customers can request that their issuer white-lists a specific merchant, meaning the merchant’s transactions are explicitly allowed in advance.
  • Transactions under €30: Purchases valued below €30 are considered “low value” and don’t require two-factor authentication unless a customer makes five consecutive transactions or reaches a value of more than €100.
  • Delegated authentication (certified wallet): An issuer can give a third-party the authority to perform SCA on their behalf.
  • Low-risk transactions: A Transaction Risk Analysis (TRA) can be conducted by an issuer to assess a transaction’s risk level, which is based on the average fraud levels of the acquirer.

Further to this, businesses may also be eligible for a Secure Corporate Payment (SCP or Business to Business Payment) exemption. This can be applied to any corporate payments made on an eligible commercial card (e.g. physical cards, lodged or embedded cards, and virtual cards) within a secure corporate environment, as defined by the National Competent Authority (NCA). Please note, personal cards used for business purposes are not eligible for SCP exemptions and are subject to SCA requirements, even if they are carried out within a secure corporate environment.

For more information, see Visa’s infographic on SCA exemptions and Visa’s infographic on SCP exemptions.
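The low-value exemption above is a stateful rule: the issuer has to remember how many exempted purchases a card has made, and their total value, since the last time SCA was performed. The following is an added example (not emerchantpay’s code) showing one way to track those counters, including the two caveats from this section: the issuer may still decline and demand SCA, and an exemption requested by the PSP moves chargeback liability to the merchant. The threshold constants and the reset-on-SCA behaviour are taken from the article’s description; check them against your scheme’s exact wording before relying on them.

```python
"""Low-value SCA exemption counters (added example, not emerchantpay code).

Models the rule in the article: a purchase below EUR 30 may skip
two-factor authentication unless the card has already made five
consecutive exempted transactions, or their cumulative value would pass
EUR 100, since the last time SCA was performed. The thresholds are
constants (assumed values from the article) so they can be aligned with
the exact rule your scheme or PSP publishes.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable, List, Sequence

LOW_VALUE_LIMIT = Decimal("30")    # a single amount must be below this
CUMULATIVE_LIMIT = Decimal("100")  # running exempted total since last SCA
CONSECUTIVE_LIMIT = 5              # exempted transactions since last SCA


@dataclass
class CardState:
    """Counters an issuer keeps per card since the last successful SCA."""
    consecutive_exempt: int = 0
    cumulative_exempt: Decimal = Decimal("0")

    def reset(self) -> None:
        self.consecutive_exempt = 0
        self.cumulative_exempt = Decimal("0")


@dataclass(frozen=True)
class Decision:
    exempt: bool      # True: process without SCA
    reason: str
    liability: str    # who carries chargeback liability: "merchant" or "issuer"


def low_value_exemption(state: CardState, amount: Decimal,
                        issuer_demands_sca: bool = False) -> Decision:
    """Decide whether `amount` may use the low-value exemption, updating `state`.

    When the exemption is refused the caller must run SCA; the counters
    restart from zero and liability stays with the issuer. When it is
    granted, the PSP has requested the exemption, so liability shifts to
    the merchant.
    """
    if issuer_demands_sca:
        reason = "issuer declined the exemption and requested SCA"
    elif amount >= LOW_VALUE_LIMIT:
        reason = "amount is not below the low-value limit"
    elif state.consecutive_exempt >= CONSECUTIVE_LIMIT:
        reason = "five consecutive exempted transactions since last SCA"
    elif state.cumulative_exempt + amount > CUMULATIVE_LIMIT:
        reason = "cumulative exempted value would exceed the limit"
    else:
        state.consecutive_exempt += 1
        state.cumulative_exempt += amount
        return Decision(True, "low-value exemption applied", "merchant")

    state.reset()  # SCA is performed, so the counters restart
    return Decision(False, reason, "issuer")


def run_sequence(amounts: Iterable[str],
                 issuer_demands: Sequence[bool] = ()) -> List[Decision]:
    """Replay a sequence of amounts for one card and return each decision.

    `issuer_demands[i]`, when present and True, simulates the issuer
    overriding the i-th exemption request.
    """
    state = CardState()
    decisions = []
    for i, raw in enumerate(amounts):
        demand = issuer_demands[i] if i < len(issuer_demands) else False
        decisions.append(low_value_exemption(state, Decimal(raw), demand))
    return decisions


if __name__ == "__main__":
    # Constructed sample: five EUR 20 purchases, then a sixth that trips the
    # consecutive-count limit and forces SCA, after which the counters restart.
    for d in run_sequence(["20", "20", "20", "20", "20", "5", "10"]):
        print(d)
```

Amounts are handled as `Decimal` rather than floats so that the cumulative comparison against the €100 limit is exact; a float running total can drift past a boundary that a currency ledger would hit precisely.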

A quick history of SCA – how does it relate to PSD2?

As the adoption of online payments accelerated through the 2010s and far exceeded the initial expectations of the 2000s, the top priority for financial institutions, especially those based in the EEA and EU, was to ensure that this enormous market would be maintained, regulated and ultimately safe for consumers.

The first Payment Services Directive (PSD1) was introduced in 2007 to regulate the industry, build a single digital market in the EEA and EU, and allow fintech companies to enter the payments market. Prior to PSD1, only banks could provide payment services.

When the PSD2 legislation was released in 2018, it introduced the SCA as a new mandatory feature to safeguard customers against fraudulent activity. To comply with SCA and PSD2, the best option for merchants is to implement 3DS2 (which we’ve touched on previously).

Where is SCA required?

SCA is applicable where both the card issuer and the acquirer are in the UK, Monaco and/or EEA. The EEA includes EU countries as well as Iceland, Liechtenstein and Norway. However, in the case of a one-leg transaction, where only one of the parties (e.g. card issuer or acquirer) is based in these countries, then SCA is not required.
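The geographic test in this section and the out-of-scope list from “SCA vs non-SCA payments” together decide whether SCA has to be considered at all, before any exemption is weighed. The following is an added example (not emerchantpay’s code) that encodes both checks as a single scope decision. The territory set is an assumption built from ISO 3166-1 alpha-2 country codes (EU members plus Iceland, Liechtenstein, Norway, the UK and Monaco, as the article lists them); verify it against your PSP’s documentation before relying on it.

```python
"""SCA scope check (added example, not emerchantpay code).

SCA applies to a cardholder-initiated electronic payment when both the
issuer and the acquirer sit in an SCA-mandated territory, and is out of
scope for one-leg, MOTO, anonymous (e.g. gift card) and merchant-initiated
(including recurring) transactions, as described in the article.
"""
from dataclasses import dataclass
from enum import Enum

# Assumed territory list: the 27 EU members, the three other EEA states,
# plus the UK and Monaco, which the article names explicitly.
EU_MEMBERS = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
}
EEA = EU_MEMBERS | {"IS", "LI", "NO"}
SCA_TERRITORIES = EEA | {"GB", "MC"}


class PaymentType(Enum):
    ECOMMERCE = "ecommerce"          # cardholder-initiated, card not present
    MOTO = "moto"                    # mail order / telephone order
    ANONYMOUS = "anonymous"          # e.g. gift card, payer not identifiable
    MERCHANT_INITIATED = "mit"       # merchant-initiated, including recurring


@dataclass(frozen=True)
class Transaction:
    issuer_country: str
    acquirer_country: str
    payment_type: PaymentType


@dataclass(frozen=True)
class ScopeResult:
    in_scope: bool
    reason: str


OUT_OF_SCOPE_TYPES = {
    PaymentType.MOTO: "MOTO payment",
    PaymentType.ANONYMOUS: "anonymous payment",
    PaymentType.MERCHANT_INITIATED: "merchant-initiated transaction",
}


def sca_scope(tx: Transaction) -> ScopeResult:
    """Return whether SCA must be applied to `tx`, and why."""
    issuer_in = tx.issuer_country.upper() in SCA_TERRITORIES
    acquirer_in = tx.acquirer_country.upper() in SCA_TERRITORIES
    if issuer_in != acquirer_in:
        # Exactly one party is in an SCA territory: the one-leg case.
        return ScopeResult(False, "one-leg transaction")
    if not issuer_in:
        return ScopeResult(False, "neither party in an SCA territory")
    if tx.payment_type in OUT_OF_SCOPE_TYPES:
        return ScopeResult(False, OUT_OF_SCOPE_TYPES[tx.payment_type])
    return ScopeResult(True, "cardholder-initiated electronic payment, both legs in scope")


if __name__ == "__main__":
    # Constructed samples covering each branch.
    for tx in (
        Transaction("DE", "FR", PaymentType.ECOMMERCE),
        Transaction("US", "FR", PaymentType.ECOMMERCE),
        Transaction("GB", "DE", PaymentType.MOTO),
        Transaction("GB", "MC", PaymentType.MERCHANT_INITIATED),
    ):
        print(tx, "->", sca_scope(tx))
```

A result with `in_scope=True` is where the exemption logic from the previous section takes over; a result with `in_scope=False` needs no SCA, but the other fraud controls the article mentions (velocity checks and amount thresholds) still apply.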

How emerchantpay can help

emerchantpay is a PCI Level 1 compliant payment service provider and acquirer. We’ve been helping to make payments easy for businesses for over 20 years. Our all-in-one payment solution is fully compliant with PSD2 requirements, allowing you to adhere to any SCA requirements and protect your customers and business from fraud.

Alongside this, we use a robust real-time, risk-based analytics engine to help you process payments globally with the highest level of security. You’ll also have your very own Risk Analyst to advise on the best payment risk management practices, which include velocity checks, transaction count and amount thresholds, to protect you from financial exposure.

If you’d like to hear more about emerchantpay’s solutions for 3DS2, reach out to a member of our team today.
