Strong Customer Authentication (SCA)
What is SCA
Strong Customer Authentication (SCA) is a new European regulatory requirement to reduce fraud and make online and contactless offline payments more secure. To accept payments and meet SCA requirements, you need to build additional authentication into your checkout flow. SCA requires authentication to use at least two of the following three elements:
- Knowledge (-Something the user knows. For example, password or PIN).
- Possession (-Something only the user possesses. For example, phone or hardware token).
- Inherence (-Something the user is. For example, fingerprint or face recognition).
(To find out more on the original SCA requirements, consult the Regulatory Technical Standards (RTS).
Banks will need to start declining payments that require SCA and don’t meet these criteria. Although the regulation was introduced on 14 September 2019, we expect these requirements to be enforced by regulators over the course of 2020 and 2021.
When is SCA required
Strong Customer Authentication applies to “customer-initiated” online and contactless offline payments within Europe. As a result, most card payments and all bank transfers require SCA. Recurring direct debits on the other hand are considered “merchant-initiated” and don’t require strong authentication.
For online card payments, these requirements apply to transactions where both the business and the cardholder’s bank are located in the European Economic Area (EEA).
What are SCA exemptions
Under this new regulation, specific types of low-risk payments may be exempted from Strong Customer Authentication. Payment providers are able to request these exemptions when processing the payment. The cardholder’s bank will then receive the request, assess the risk level of the transaction, and ultimately decide whether to approve the exemption or whether authentication is still necessary.
SCA exemptions scenarios
1. Low value payments
Transactions under €30 and cumulative payments higher than €100 on the same card.
Transactions under €30 EUR are exempt from SCA. But the issuing bank will keep track of how many payments are made using this exemption.
SCA is required if the total amount attempted on the card is higher than €100 EUR, and every five transactions.
2. Acquirer Transaction Risk Analysis
Transaction Risk Analysis, as outlined by the Regulatory Technical Standard (RTS), looks at risk scores and other account risk factors to confirm that no abnormal spending or behavioral patterns of the payer have been identified.
Under PSD2 SCA, TRA exemptions can be applied at either the acquiring or issuing side of the transaction.
3. Trusted beneficiary exemption
Certain trusted merchants chosen by the cardholder
Customers can assign businesses to a whitelist of ‘Trusted Beneficiaries’. This list is maintained by their bank. Whitelisted merchants, whatever the transaction amount, can be exempt from SCA.
This lets regular customers mostly skip SCA with the businesses they've chosen to whitelist.
4. Secure Corporate Payment (SCP) exemption
Payments between corporations
Payments made between two corporations can be exempt from SCA. But, this is only possible when the payment method is a payment instrument dedicated to make such B2B payments.
5. Merchant Initiated Transaction (For Mastercard only)
Transactions without direct customer involvement
Merchant initiated transactions (MITs) are transactions that don't directly involve the customer. The payment is taken from a saved card with the customer’s prior consent on an arranged date.
For example, some products have a variable cost based on usage, like energy contracts. The first payment, or the first time the card is saved, always needs to be authenticated. But the following payments can skip SCA if marked as a 'Merchant Initiated Transaction'.
Recurring transactions are only an exemption for Mastercard. Visa does not accept this use case as an exemption but sees it as out of scope of PSD2 and hence out of scope for SCA, so authentication will not be required. For MITs (CHARGE), CIT (SIGNUP) needs to be performed in advance, with appropriate SCA, to establish the initial agreement with the cardholder. This CIT (SIGNUP)may be a zero-value transaction.
6. SCA Delegation
In the traditional payment flow, authentication is carried out by the issuer. Delegated authentication means that the merchant can directly authenticate the customer, skipping the redirection to the issuer and facilitating the 'one-click purchase' experience.