Update 14th August 2019:
The FCA has agreed for the deadline for implementing SCA to be pushed back 18 months from the original date, to 14th March 2021. For more information read the press release on the FCA website.
Although the deadline to implement SCA has been delayed, SCA is still something you’ll need to update on your website. If your payment gateway supports SCA already, we recommend updating to use this now. Otherwise make sure you tackle SCA within the next year to ensure you’re prepared for the change.
Strong Customer Authentication (SCA) and PSD2
Strong Customer Authentication which is often abbreviated to SCA, is a new piece of European legislation which aims to reduce fraud and make online shopping safer and more secure for consumers and business owners taking payments online.
SCA is one part of the larger additions to EU Payments Services Directive (PSD2) that began in January 2018 and plans to improve customer rights, enhance security, and enable an open framework for third-party banking integrations.
What changes with SCA?
When SCA comes into effect on September 14, 2019 March 14, 2021 certain online payments will require enhanced authentication from a customer to prove that it is them who is making the payment.
Payments which trigger SCA will require two of the following three authentication methods to be proven for the payment to go through and be approved:
- Something only the customer knows (E.g. Pin number, secret answer)
- Something only the customer has in their possession (E.g. Phone, tablet, smart-device)
- Something only the customer is (E.g. Fingerprint, voiceprint, iris recognition)
The interface/experience in which this will be asked will, for the majority of the time, be very similar to the current 3D secure authentication which was part of the original EU Payments Services Directive (PSD).
When will SCA be triggered when paying online?
SCA will be considered for all payments initiated by the customer (or someone posing to be the customer) online, however there are exceptions which will mean SCA isn’t required on every payment.
There are certain exceptions to SCA which will mean SCA is bypassed when criteria are met. The following exceptions will often bypass SCA, however these can still require SCA:
- Payments deemed as ‘low risk’. The definition and process for determining this is down to the payment provider and gateway
- Payments below €30 (or GBP equivalent)
- Payments a customer has ‘whitelisted’ and approved payments for
Recurring payments will only trigger SCA on the first payment, subsequent payments will bypass SCA due to the fact they are not initiated by the customer.
What do I need to do get prepare for SCA?
Determine what gateways and providers you use
Firstly determine what gateways and providers you use for taking online payments.
What methods are implemented to take payments?
Are payments taken inside WordPress using a plugin? Are subscriptions taken through the site using a custom integration? Or maybe Donations are taken on the site through a third-party payment service?
Figuring out what methods you take payments with will provide you with the information to know who to contact and who is responsible for maintaining your payment codebase.
Depending on the payment providers and gateways and your chosen method of implementation you will be able to determine how much work is required to ensure SCA is supported when it arrives.
The amount of work required to ensure you’re ready for SCA can range from nothing at all, to complete payment library re-writes.
What happens if I do nothing?
After the 14th September, 2019 14th March 2021 online payments are likely to be rejected by the customer’s bank if the payment gateway in use is not ready for SCA.
What we’ve done at Studio 24
Here at Studio 24, we have undertaken a review of all of our client’s sites, the gateways they use, the payment providers which process the payments, and we will be contacting all of our customers with guidance on next steps.
Where can I find out more information?
The European Banking Authority have detailed information on the legislation if you’re looking to dive deep into the details: https://eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/regulatory-technical-standards-on-strong-customer-authentication-and-secure-communication-under-psd2
Otherwise, it’s good to look at your own payment gateway’s website to find out the information which relates to your use-case.