Strong Customer Authentication (SCA) rules: what is expected from e-commerce platforms?
The Second Payment Services Directive, also known as PSD2, regulates payment services throughout the European Union (EU), European Economic Area (EEA), and the United Kingdom (UK). Among the Directive’s main objectives are a safer and more innovative framework for payment services and a higher level of consumer protection.
One of the key provisions introduced by PSD2 was a set of security requirements for electronic payment processing, which includes the so-called “strong customer authentication” (SCA). SCA rules have a significant impact on the lives of online businesses and consumers.
What is Strong Customer Authentication (SCA)?
SCA is a requirement outlined in the PSD2 to make electronic payments safer. It’s a process designed to authenticate the user’s identity as part of the payment transaction.
In other words, SCA requires that customers prove their identity before proceeding with online payment. SCA rules were implemented to mitigate the risk of fraud and protect customers’ funds and personal data.
Who falls under SCA rules?
SCA rules affect the EU, EEA and the UK, so their scope is limited to online EU, EEA and UK payments. SCA rules were officially implemented in the EU in 2020 and in the UK in 2022.
If your online business offers services or products to those regions and both your company and the cardholder’s bank are within the EEA or UK, then it is likely that you are subject to SCA rules. Note, though, that there are some exceptions; more information on these is given below.
What is the SCA process, and what do online merchants need to do to comply with it?
Before processing electronic payments, e-commerce businesses (as well as payment service providers and other institutions) must take steps to verify if a potential or existing customer is who they claim to be.
Before SCA, payments were authenticated using just one identification component, such as a password. Now, businesses must use two of the following components for authentication:
- Knowledge (something only the customer knows) – a password, PIN, or a secret fact/answer.
- Possession (something only the customer has) – a mobile phone, card reader, smart watch, smart card, or other device, typically evidenced by a one-time passcode.
- Inherence (something inherent to the customer) – fingerprints, facial recognition, voice patterns, DNA signatures, or iris patterns.
If your customers cannot provide at least two of the above elements, their payment will probably be declined by the card issuer or bank and the transaction will not be completed.
Note that although the relevant financial institution (e.g. your customer’s bank) is the one performing the SCA, your e-commerce business must be equipped to operate in an SCA environment. This involves, for example, communicating data when necessary, and requesting the relevant customer information so that the bank can complete the authentication process. Payment technologies can be added to your payment gateways to help with this and ensure that all legal and technical requirements are met.
Likewise, inform your customers in advance about required payment steps and walk them through the information they must provide (don’t ask for more information than is necessary).
What payment transactions are affected and what exceptions apply?
SCA applies to “customer-initiated” online and contactless offline payments, so most card payments and all bank transfers will require SCA.
Specific types of low-risk payments may be exempted. Exemptions include (but are not limited to) recurring direct debits, mail order/telephone order transactions, low-value payments (equal to or below €30), and transactions with trusted beneficiaries.
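As an added illustration (not part of the article, and not code from Logan and Partners), the following Python sketch models the two decisions described above from a merchant's point of view: whether a transaction falls under one of the exemptions the article lists, and whether the evidence a customer presents covers two distinct categories (knowledge, possession, inherence) rather than two items from the same category. The authenticator names, the `Transaction` fields and the EUR-only treatment of the €30 low-value limit are assumptions made for this example; the actual decision is taken by the issuer, and a real gateway integration follows the issuer's and scheme's rules.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class Factor(Enum):
    """The three SCA categories listed in the article."""
    KNOWLEDGE = "knowledge"    # password, PIN, secret answer
    POSSESSION = "possession"  # phone, card reader, smart card (evidenced by a one-time code)
    INHERENCE = "inherence"    # fingerprint, face, voice, iris


# Authenticator labels are constructed for this example; a real gateway has its own names.
AUTHENTICATOR_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "secret_answer": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,
    "app_otp": Factor.POSSESSION,
    "card_reader_code": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}

LOW_VALUE_LIMIT = Decimal("30.00")  # threshold stated in the article (EUR)


@dataclass(frozen=True)
class Transaction:
    amount: str                 # decimal string, e.g. "25.00"
    currency: str               # ISO code, e.g. "EUR"
    channel: str                # "online", "contactless" or "moto"
    customer_initiated: bool
    recurring_direct_debit: bool = False
    trusted_beneficiary: bool = False


def exemption_reason(txn):
    """Return the exemption that applies, or None if SCA is required.

    Only the exemptions named in the article are modelled; the low-value rule is
    applied to EUR amounts only, which is a simplification for this example.
    """
    if not txn.customer_initiated:
        return "not customer-initiated"
    if txn.channel == "moto":
        return "mail order / telephone order"
    if txn.recurring_direct_debit:
        return "recurring direct debit"
    if txn.trusted_beneficiary:
        return "trusted beneficiary"
    if txn.currency == "EUR" and Decimal(txn.amount) <= LOW_VALUE_LIMIT:
        return "low value (<= EUR 30)"
    return None


def requires_sca(txn):
    return exemption_reason(txn) is None


def categories_of(presented):
    """Map presented authenticators to their categories; unknown labels are rejected
    rather than silently ignored, so a typo cannot weaken the check."""
    categories = set()
    for label in presented:
        if label not in AUTHENTICATOR_CATEGORY:
            raise ValueError(f"unknown authenticator type: {label!r}")
        categories.add(AUTHENTICATOR_CATEGORY[label])
    return categories


def satisfies_sca(presented):
    """True only if at least two *different* categories are covered; two passwords
    (both knowledge) do not count as two factors."""
    return len(categories_of(presented)) >= 2


def checkout_decision(txn, presented):
    """Combine both rules into the outcome a merchant would act on."""
    reason = exemption_reason(txn)
    if reason is not None:
        return ("exempt", reason)
    if satisfies_sca(presented):
        return ("authenticated", sorted(c.value for c in categories_of(presented)))
    return ("declined", "fewer than two independent factor categories")


if __name__ == "__main__":
    # Constructed sample transactions for demonstration.
    small = Transaction("25.00", "EUR", "online", customer_initiated=True)
    large = Transaction("250.00", "EUR", "online", customer_initiated=True)
    print(checkout_decision(small, []))                        # exempt, low value
    print(checkout_decision(large, ["password", "pin"]))       # declined, same category
    print(checkout_decision(large, ["password", "sms_otp"]))   # authenticated
```

The point the check makes explicit is that the count of authenticators is not what matters: the categories must be independent, and anything the merchant cannot classify should be treated as not contributing rather than assumed to be a second factor.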
What if e-commerce businesses don’t implement SCA rules?
Recent data from Barclaycard Payments shows that UK retailers have lost out on £130m worth of sales due to not being fully compliant with SCA rules. And it’s not difficult to see why. Suppose a customer tries to buy a product on your platform, and the bank requests SCA-compliant authorisation. If your payment gateway does not support this, or if it does not request or transmit the necessary information to the bank or consumer, the transaction will not be completed.
A high number of declined transactions may give rise to loss of revenue, consumer complaints and reputational damage (as well as fines, depending on the situation). So, online businesses must adhere to SCA rules, or they will risk customer purchases being declined.
How can Logan and Partners help?
SCA obligations can have a big impact on online businesses, including SMEs. For more information on how we can help you, and what steps your business should take, please contact Isadora Werneck and schedule a free 20-minute consultation.