SCA is Go! Are You Ready?
Updated: Oct 23
Brexit is fun, isn’t it? The in or out, remain or leave, truth or lies. It impacts on our lives, whether we like it or not. Whatever the future holds (we’re writing this on 9th October 2020), at the moment we’re still part of the European Union (just).
Back on 14th September 2019, a new requirement under PSD2 (the EU Payment Services Directive) came into effect in Europe.
In the UK however, the Financial Conduct Authority (FCA) has agreed to a phased roll-out plan to move the UK to full compliance by 14th March 2021, but what is it and are we ready for it? Good question. Let’s take a look. (SPOILER ALERT - We are.)
WHAT IS SCA?
SCA, or Strong Customer Authentication, is designed to make online payments more secure. If you sell products or services on your website, then it’s something you need to know about.
The new regulations introduce a new way to verify your customers’ identity for purchases over €30 (or equivalent). It means customers will no longer be able to check out online using just their credit or debit card details; they will also need to provide an additional form of identification.
So far, so good. The bonus for a business is that it may help protect you from liability that comes from fraudulent payments.
Why does that matter? Well, in 2018 alone, online payments fraud cost businesses more than £15.2 BILLION, and by 2022 the number is expected to rise to almost £90 BILLION!
HOW DOES SCA WORK?
Customers using credit cards that have been issued in the EEA (European Economic Area) will still be able to check out as normal, but as part of these new regulations they will also have to complete an extra authentication step during the checkout process.
If they are on a web browser, a pop-up may appear; if they are using a banking app on a phone or tablet, they may get a push notification. The authentication process is dependent on their bank, so small differences may be seen, but the end result is the same.
There are a few exceptions. These are:
Low Risk (or Transaction Risk Assessment aka TRA)
This exemption has arguably the widest reach and usage.
If a transaction, through a real-time risk assessment, is deemed to be low risk, an exemption could apply. However, it comes with the most complex set of conditions (of course it does).
To make this work, merchants have to rely on a PSP (Payment Service Provider, e.g. an acquirer) to act upon their request. In addition, the test that triggers the exemption is whether the PSP satisfies the prescribed conditions, not whether the merchant does.
This means that, to an extent, a merchant’s ability to design and influence the payment experience is removed.
While exemptions are based on acquirer performance, the issuer retains the final authorisation decision, as they do today.
Low Value (for items that are €30 and under)
That said, if the customer initiates more than 5 consecutive low value payments, or if the total payments value exceeds €100, then SCA WILL be required.
Recurring Payments (like membership fees or subscriptions)
Whitelisting (or Trusted beneficiary)
Customers will have the option to ‘whitelist’ a merchant they trust. They can ask to have the trusted merchant added to their record with the issuer after the first authentication is completed.
Subsequent transactions with the whitelisted merchants are likely to be exempt from future authentication.
It is worth noting that issuers (the credit or debit card issuer) can still reject this request if the customer is thought to be a high fraud risk. They will be able to ignore the whitelist (maintained by the issuer on the behalf of the customer) to challenge and request an authentication.
Secured Corporate Payments
When the transaction is initiated by a legal person (e.g. a business) rather than a consumer, and it is processed through a secured dedicated payment protocol, then it does not require separate authentication, provided alternative controls are sufficiently secure. This should include ‘secure virtual payments’, such as virtual cards or B2B cards.
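The Low Value exemption above is the only one with running counters, so here is a short sketch of how that counting plays out over a sequence of payments. This is an added example, not code from this article or from any payment provider; `LowValueTracker` and `replay` are hypothetical names, amounts are in euros, other exemptions are ignored, and it assumes both counters restart once a payment has been authenticated.

```python
from decimal import Decimal

LOW_VALUE_LIMIT = Decimal("30")    # per-payment ceiling from the article
CUMULATIVE_LIMIT = Decimal("100")  # running-total ceiling from the article
MAX_CONSECUTIVE = 5                # exempt payments allowed in a row


class LowValueTracker:
    """Per-card running counters for the low-value exemption (hypothetical helper)."""

    def __init__(self):
        self.count = 0
        self.total = Decimal("0")

    def requires_sca(self, amount):
        """Return True if this payment must be authenticated, and update state."""
        amount = Decimal(str(amount))
        if amount <= 0:
            raise ValueError("amount must be positive")
        over_single = amount > LOW_VALUE_LIMIT
        over_count = self.count + 1 > MAX_CONSECUTIVE
        over_total = self.total + amount > CUMULATIVE_LIMIT
        if over_single or over_count or over_total:
            # Assumption: the challenge succeeds, so both counters restart.
            self.count = 0
            self.total = Decimal("0")
            return True
        self.count += 1
        self.total += amount
        return False


def replay(amounts):
    """Run a constructed sequence of payments through a fresh tracker."""
    tracker = LowValueTracker()
    return [tracker.requires_sca(a) for a in amounts]


if __name__ == "__main__":
    # Constructed sample data, in euros.
    print(replay([10, 10, 10, 10, 10, 10]))  # sixth payment in a row is challenged
    print(replay([30, 30, 30, 30, 30]))      # fourth would push the total past 100
```

The second sequence shows the part the rule text does not spell out: after the challenged fourth payment the counters start again, so the fifth €30 payment goes through without authentication.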
WHAT DO YOU NEED TO DO?
If you have a CubeSquared Digital website, then you don’t need to do anything. Our platform has complied since the regulations came into play, so you’re ready to go without lifting a finger. You’re welcome ;-)