In January 2018, the second Payments Services Directive (PSD2) introduced new requirements for authenticating online payments. Known as Strong Customer Authentication, the changes are expected to be rolled out throughout 2020 and 2021 across the European Economic Area (EEA).
In this short guide we’ll talk you through the new Strong Customer Authentication (SCA) rules. Learn what SCA is, how your business can become SCA compliant and why Strong Customer Authentication matters.
What is Strong Customer Authentication (SCA)?
Strong Customer Authentication (SCA) is an upcoming European regulatory requirement that introduces additional security measures for certain online payments.
In practice, this means that customers can no longer check out by simply using their credit or debit card details. An additional form of identification will be required to complete the transaction.
SCA is therefore a form of two-factor authentication. Many businesses and online merchants may already have two-step verification methods in place but the rules around what constitutes authentication under SCA are specific. With Strong Customer Authentication, end-users will have to prove that they are who they say they are by validating at least 2 factors from a combination of 3 authentication categories.
What are the 3 authentication categories?
The three valid authentication categories available under SCA are:
- Knowledge: Something the customer knows (e.g. password, PIN, secret answer)
- Possession: Something the customer has (e.g. mobile phone or token)
- Inherence: Something the customer is (e.g. fingerprint, facial recognition, voice recognition)
Payment can only be completed once two independent factors have been validated. The use of the word “independent” here is key – factors cannot be contingent upon one another such that if one is compromised it compromises the reliability of the other.
Why is SCA being introduced now?
Strong Customer Authentication aims to reduce fraud by making online payments more secure.
According to the latest Fraud the Facts report, a “colossal” £1.2 billion was stolen in the UK through fraud and scams in 2019. Throughout Europe, Card Not Present (CNP) transactions are said to be driving an increase in payment card fraud. In 2013, 11 out of every 1000 cards issued within the SEPA region saw fraud; by 2016, that number had more than doubled with some countries witnessing even larger percentage increases.
Strong Customer Authentication has the potential to deliver substantial savings across the EEA for both businesses and individuals.
Direct Debit is one of the safest and most convenient payment methods, used by millions worldwide. Read our handy guide to find out how the Direct Debit guarantee protects you.
What transactions will Strong Customer Authentication be applied to?
SCA will apply to “customer initiated” transactions within the European Economic Area (EEA). This means that most online payments and bank transfers must comply with the new regulations where the business’s payment service provider (PSP) and the customer’s bank/card provider are situated in the EEA. Businesses should check which of their payment flows fall under the SCA rules and confirm with their PSP that it can facilitate SCA compliance.
However, there are numerous transactions that will be exempt from Strong Customer Authentication. Exemptions include:
- Low value exemptions – for card transactions under 50 euros, provided that multiple payments are not attempted.
- Recurring payment exemption – such as subscriptions or membership fees. SCA will apply during the initial Continuous Payment Authority set-up for card payments but will not be required again provided the payment amount does not vary. For business models that vary their subscription amounts or bill for add-ons (thus changing the payment amount), SCA will likely need to be applied again. However, whether or not SCA is applied is dependent upon who initiates the payment (customer or merchant) and whether the amount billed is within the reasonable expectation of the payee.
- Whitelisting exemption – customers are able to whitelist a merchant they trust following initial SCA during payment setup.
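As an added illustration (not part of this guide and not FastPay’s own code), the following Python model applies the scope, exemption and two-independent-factor rules exactly as described above. The `channel` field and the `prior_attempts` counter are assumptions standing in for “contingent upon one another” and “multiple payments attempted”; the real regulatory tests are more detailed than this.

```python
from dataclasses import dataclass

# The three SCA authentication categories named in the guide.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass(frozen=True)
class Factor:
    category: str   # knowledge / possession / inherence
    channel: str    # assumption: which device or channel delivers the factor
    verified: bool  # did the customer successfully validate it?


@dataclass
class Transaction:
    amount_eur: float
    in_eea: bool                  # PSP and customer's bank both in the EEA
    merchant_initiated: bool      # e.g. a Direct Debit collection (MIT)
    recurring_fixed_amount: bool  # later payment under a mandate SCA'd at set-up
    merchant_whitelisted: bool    # customer whitelisted this merchant after initial SCA
    prior_attempts: int = 0       # assumption: counter for "multiple payments attempted"


def sca_required(tx: Transaction) -> bool:
    """Apply the scope and exemption rules as the guide describes them."""
    if not tx.in_eea or tx.merchant_initiated:
        return False                    # out of scope: non-EEA or merchant initiated
    if tx.merchant_whitelisted or tx.recurring_fixed_amount:
        return False                    # whitelisting / recurring exemptions
    if tx.amount_eur < 50 and tx.prior_attempts == 0:
        return False                    # low-value exemption, single attempt only
    return True


def factors_are_independent(factors) -> bool:
    """At least two validated factors from distinct categories. As a simplifying
    assumption, factors sharing one channel (e.g. both on one phone) are treated
    as non-independent: compromising that channel would compromise both."""
    valid = [f for f in factors if f.verified]
    categories = {f.category for f in valid}
    channels = [f.channel for f in valid]
    return len(categories) >= 2 and len(set(channels)) == len(channels)


def authorise(tx: Transaction, factors) -> str:
    """Outcome for one checkout attempt: exempt, SCA-passed, or declined."""
    if not sca_required(tx):
        return "approved-exempt"
    return "approved-sca" if factors_are_independent(factors) else "declined"
```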
It is not expected that Brexit will impact compliance for UK businesses.
When will Strong Customer Authentication be enforced?
In the UK, the deadline for compliance with Strong Customer Authentication has been revised to 14th September 2021.
The Strong Customer Authentication practices were originally scheduled for roll-out on 14th September 2019 across the EEA. However, the UK regulator announced an 18-month enforcement delay in August 2019 and then, on 30th April 2020, granted an additional 6-month delay due to the Covid-19 crisis. This gives the revised deadline of 14th September 2021 for businesses operating in the UK.
In an opinion issued on 16th October 2019, the European Banking Authority (EBA) called for supervisory flexibility in terms of SCA enforcement in the EU, delaying the compliance deadline until 31st December 2020.
SCA and Direct Debit payments
What about Direct Debit payments and Strong Customer Authentication? Will they be required to comply with the new SCA rules?
As Direct Debits are merchant initiated transactions (MIT), SCA will not apply. If you are considering making the switch to collecting payments via Direct Debit, now could be a great time to avoid any SCA-related business headaches.
FastPay Ltd is a well-established Bacs approved Bureau and Bacs affiliate that empowers businesses across the UK to collect via Direct Debit. We are fully PSD2 compliant and uphold the highest standards of security and fraud prevention. We take our financial responsibilities incredibly seriously and work hard to provide secure Direct Debit solutions that make collecting payments easy – for you and your customers.
If you would like to know more about our services or request additional information, complete our quick contact form.
Alternatively, why not chat with one of our Direct Debit specialists by calling 0161 737 5290.