Online purchases account for over half of all card-related fraud in the Single Euro Payments Area (SEPA), including 35 European nations. To safeguard consumers and European Economic Area (EEA) financial institutions against fraud and financial crime, the EEA established the SCA rules in 2019.
As mandated by the Revised Directive on Payment Services (PSD2) of the European Union, the SCA ensures that payment service providers inside the EEA use multi-factor authentication (MFA), as it further strengthens the security of electronic or online payments.
This article delves deeper into the various payment methods affected by Europe’s Strong Customer Authentication (SCA) mandates. Also, we will explain how SCA affects your company and what kinds of transactions are exempt or not covered.
What is Strong Customer Authentication (SCA)?
SCA is a European legislative requirement designed to combat cybercrime and increase the security of offline and online payments.
Financial institutions must implement additional authentication into the checkout process to authorize payments and comply with SCA laws. They must use two of the following three components for authentication in SCA:
- Something only the customer knows (the password or PIN);
- Something a client possesses (phone, computer);
- Identifiable features of the customer (facial or fingerprint recognition).
End-users can feel more at ease making online payments thanks to the additional protection provided by SCA. Previously, buyers just had to enter their payment information and finish the purchase. Customers will have a simpler time verifying their accounts, resulting in fewer cancellations.
Why Are PSD2 and SCA Important?
This new directive expands on three major provisions of the old 2007 directive. Some of these are:
- Enhanced protections for consumers while making financial transactions;
- Bringing the regulation of third-party access and account information into the fold creates fair competition;
- Enhanced security.
When we talk about security, we mean a specific set of guidelines called Strong Customer Authentication (SCA). Any company operating online in the EEA region must comply with these standards; if not, the effects will be far-reaching.
When did Strong Customer Authentication Take Effect?
On September 14, 2019, PSD2’s Strong Customer Authentication (SCA) requirements went into effect. Later, because of industry unreadiness, the European Banking Authority pushed the deadline to December 31, 2020. So far, all EEA member states have implemented mandatory PSD2 SCA compliance. The UK’s deadline for full implementation was March 14, 2022.
How Does Strong Customer Authentication Work?
The best way to implement Strong Customer Authentication for a payment system varies. In most cases, 3D Secure is a must when paying with a debit or credit card. Many regional payment options, including e-wallets, also provide their SCA-compliant authentication phase. Let’s look at the two major ones:
Most online card payments today use 3D Secure for authentication. Similarly, most cards in Europe adhere to this authentication standard. When using 3D Secure, the customer’s bank will probably ask for supplementary information after the customer has completed the checkout process. For example, a one-time code delivered to their phone or fingerprint authentication via their mobile banking application.
Currently, 3D Secure 2.0 is the most widely adopted approach for verifying the identities of cardholders making purchases online under SCA guidelines. This updated version improves the user experience and reduces the extra steps normally required for authentication throughout the purchasing process. With offline card transactions, a PIN entry will satisfy authentication requirements.
Digital Wallets and Regional Payment Options
There are currently payment processes with an integrated layer of authentication supported by other card-based payment systems like Google and Apple Pay (biometric or password). With these, stores can provide customers with a streamlined purchasing process without sacrificing compliance.
It’s also true that several widely used European payment systems, such as iDEAL, Bancontact, or Multibanco, will conform to the SCA requirements without substantially affecting the user experience.
What Situation Calls for Strong Customer Authentication?
Any transaction deemed to be “consumer-initiated” (CIT) calls for strong customer authentication. It will apply to both online and bank transfers. SCA is unnecessary when a transaction is “merchant initiated,” (MIT) as with recurrent debits.
So, the SCA is mandatory for online European payments when both the merchant and cardholder’s bank are within Europe. Also, any online payments made within the European Economic Area (EEA), the United Kingdom, or Morocco must be SCA compliant. That’s why online shoppers must complete an additional level of authentication during the checkout process.
Exceptions to the SCA
Exemptions from the SCA should maintain a smooth user experience for certain types of transactions. Transactions that are outside of PSD2’s limits do not require SCA. Listed below are the most notable exempt or out-of-scope transactions.
An SCA exception applies in certain circumstances. The retailer will inquire with the bank or credit card company about the exemption as part of the payment processing.
The level of risk involved allows the retailer to determine whether the purchase falls outside the mandate of the SCA. If so, it won’t need to go through the second authentication step.
In some scenarios, this may be preferable, given that SCA authentication standards may increase user friction and the likelihood that customers may abandon their purchases.
Here are some typical cases where the SCA rules don’t apply:
A payment processor may do a real-time risk assessment when deciding whether to apply SCA to a transaction. For this to be possible, the overall fraud rates for card payments at the payment provider or bank must be below the following limits:
|Exception Value Threshold (Euros)||Card-Based Payments|
When necessary, they will adjust these cutoffs to reflect the current value in the local currency. It’s reasonable to assume that the cardholder’s bank will deny the exemption and insist on authentication. That’s if the payment provider’s fraud rate is lower than the threshold, but the cardholder’s bank’s rate is higher.
If the total of all charges on a single card is less than 30 Euros or if any one purchase is less than 100 Euros, no SCA is necessary. To clarify, this means that transfers of less than 30 Euros do not require verification, but the issuing bank will note how often this exception applies. If the sum of the payments is over 100 Euros, or if there are over five separate payments, it will request the buyer to complete an SCA.
After the first transaction that satisfies the SCA standards, subsequent transactions of the same type and amount are exempt. Since these are ongoing, they are “merchant-initiated” transactions and, therefore, exempt from the SCA.
Customers can “whitelist” a trusted merchant during the payment authentication process so that they don’t have to provide authentication for future purchases with that merchant. The customer’s bank or payment service provider will add these companies to a list of “trusted beneficiaries.”
Businesses can avoid SCA by conducting transactions with one another using a payment method designed explicitly for B2B transactions. As we have established, the SCA does not apply to “merchant-initiated” transactions in which the customer is not directly involved.
The same goes for phone and mail orders, as they aren’t electronic transactions and hence fall beyond the limits of the SCA. Also, outside the bounds of the SCA is any card issuer or cardholder not in the European Economic Area (EEA), Monaco, or the United Kingdom.
Out-Of-Scope SCA Transactions
In particular, there are four kinds of transactions that are not covered.
Merchant Initiated Transactions (MITs)
The term “merchant-initiated transaction” (MIT) refers to a transaction in which the merchant initiates it instead of the client. With the customer’s permission, it automatically deducts the payment from their stored card details on the due date.
For example, some items, like water, have variable costs based on usage. Anytime a customer uses the card for the first time, whether as part of a purchase or to save payment information, authentication is a requirement. Yet if designated as a “Merchant Initiated Transaction,” the subsequent payments can bypass SCA.
Mail Order/Telephone Order (MOTO)
It refers to sales made by mail or phone to MOTO sales. SCA does not apply to MOTO transactions conducted entirely through mail or telephone. Payments made by mail or telephone order are not part of it since SCA do not regard them to be “electronic.”
Specifically, this term refers to deals in which the issuer or buyer is outside the European Economic Area. SCA sees these kinds of transactions as being outside of the scope. It means European companies are free to accept payments from customers outside of Europe without meeting the standards set forth by the PSD2 SCA.
If a customer pays through an anonymous way (such as a gift card), they are exempt from completing SCA.
There are a lot of other exceptions and out-of-scope situations, and how the bank, plan, and regulations interpret them will vary widely. The technical and regulatory standards for SCA under PSD2 contain the list of all the exemptions.
When you use the Solidgate payment processing platform, our team takes compliance off your shoulders, as Solidgate is fully certified for standards such as PSD2 and PCI-DSS. What is more, Transaction Risk Analysis (TRA) exemption allows for certain transactions to be exempted from SCA, provided that a robust risk analysis is performed, and the merchant meets specific fraud thresholds.
What Will Happen if You’re not SCA Compliant?
The bank associated with the cardholder will reject any transactions that do not comply. If this happens, it could cost your company a lot of money, mainly if you rely on online payments for most or all of your income. If a company cannot meet the SCA standards, the FCA says it will take full supervisory and enforcement measures against the company.
The good news is you don’t have to view this as a threat to your company but rather as an opportunity. If you prepare for SCA now, you can have an advantage over inadequately prepared rivals later.