What is Strong Customer Authentication?
Strong customer authentication or SCA is a new regulatory requirement that forms part of the wider European PSD2 regulation. With its introduction, European customers will be required to provide more information when purchasing goods or services online. Currently all that is required is a customer’s card number, CVC digits and at times a 3D secure code or similar. SCA will mean further levels of authentication are needed at the time of payment.
A key concept of SCA is two-factor authentication which requires a second level of authentication before a transaction is approved. While many card issuers have implemented a form of two-factor authentication,(for example 3D secure, which requires a password to be entered on a separate webpage after card details have been entered), SCA will require banks to replace the current methods of two-factor authentication and ensure higher levels of security.
The current authentication flow offered by most banks involves a web redirect which provides a poor user experience and is prone to phishing attacks. Under SCA requirements, the updated authentication flow should include the least amount of additional steps and alternative flows have been suggested that involve either embedded, de-coupled or app-to-app redirect instead of traditional web redirect. SCA will also necessitate that two of the following are provided for a transaction to be authenticated:
- Something you know e.g. a password, PIN or personal fact
- Something you own e.g. mobile phone, wearable or token
- Something you are e.g. fingerprint, facial features or voice patterns
Exemptions to SCA
Not all transactions will be required to adhere to SCA regulation. Low value and low risk transactions will be exempt from introducing SCA processes. For example, any transaction under €30 will not require SCA, nor will transactions where the average number of fraudulent cases is particularly low. Recurring payments or subscriptions will also be exempt after the first payment.
Customers will have the option to whitelist certain providers as well, meaning they will not have to provide SCA for every transaction they complete with a whitelisted vendor.
The good and bad of SCA
For merchants the main benefits of introducing SCA are reduced fraud, increased trust amongst customers, smoother processes for customers and more payment options available. In general, it should promote safer online payments and lead to more ecommerce transactions being fulfilled.
However, there are fears that initially SCA will lead to high level of trolley abandonment and payment drop-off. Merchants need to introduce efficient systems to meet the new requirements and manage customers expectations of the payment process to reduce payment drop-off.
When does SCA come into effect?
When the initial plans for SCA were announced, a date for required introduction was set for the 14th of September 2019. However, there was a lack of readiness amongst many payment providers, banks and e-commerce businesses. In a surprise turn of events the European Banking Authority has allowed national regulators to grant an 18-month extension, giving those not ready for the September date time to get on top of SCA. The new date for European-wide implementation will be March 2021.