What is the new Strong Customer Authentication (SCA) regulation?

What is the new Strong Customer Authentication (SCA) regulation?

Up to speed on the SCA regulation? If not, you may want to pay close attention. Following the introduction of the GDPR, which had a huge impact on the handling of personal data last year, Europe geared up for another major shake up – this time in the payment sectors.


The Strong Customer Authentication (SCA) regulation was introduced in Europe in the fall of 2019, effective September 14th 2019.

What is Strong Customer Authentication (SCA)?

The SCA regulation is part of the revised Payment Services Directive (PSD2) and will install new requirements for authenticating online payments. While this new regulation will put direct liability on payment service providers, SCA will also affect SaaS and internet companies (i.e. online retailers, B2C ecommerce, webshops) that handle daily online transactions as they must be SCA compliant as well.

Mopinion: What is the new Strong Customer Authentication (SCA) regulation? - Fraud
Source: National Bank

According to SiliconCanals, ‘European internet commerce is expected to grow $1 trillion by 2022, and online fraud with it. The European Central Bank now estimates around €1.3 billion in online fraud on European cards each year’. This new European regulation will minimise fraud and create a more secure environment for online payments.

Should businesses fail to prepare for SCA, the consequences can be quite costly. For example, businesses will likely experience failed transactions and increased friction – both of which will lead to reduced online conversions.

When will SCA be required?

SCA will apply to online payments that are ‘customer-initiated’, meaning almost all card payments and bank transfers will require SCA. Any recurring payments that are considered ‘merchant-initiated’ (i.e. direct debit payments) or payments carried out in person with a card will not require SCA compliance.

What will change in payment processes?

Once SCA goes into effect, companies will need to incorporate extra authentication into their checkout processes. This authentication must include two of the following elements (otherwise known as the two factor authentication):

  • Knowledge: Something the Customer KNOWS, i.e. password, secret fact, pin, etc.
  • Possession: Something the Customer OWNS, i.e. mobile phone, smart card, token, etc.
  • Inherence: Something the Customer IS, i.e. fingerprint, voice patterns, facial features, etc.

If you do not have this authentication in place, credit and debit card issues will likely decline the transaction entirely, and your organisation.

Mopinion: What is the new Strong Customer Authentication (SCA) regulation? - Fingerprint

How do I authenticate payments?

The most common way of authenticating these online payments is via 3D Secure. This is an authentication standard that most European cards are supported by. This year, a new version of this standard is being rolled out – 3D Secure 2, which will serve as the main method for meeting the new SCA requirements.

What can I do to get ready?

Keep in mind that SCA is no less complex than GDPR, so it’s important to make sure you are prepared and ready for SCA on time! Need more specifics?

Mopinion: What is the new Strong Customer Authentication (SCA) regulation? - 3D secure 2
Source: Visa

Here are a couple of items that should be on your checklist:

1. Reduce friction in checkout process with appropriate payment method. Incorporate a maximum optionality into your checkout experience so that the most relevant payment method (SCA compliant) surfaces depending on the context.

2. Optimise when SCA is needed. There are cases, i.e. if the purchase is under 30 euros, or for recurring payments, in which you won’t necessarily be required to apply SCA. In the event of recurring payments, one solution is to allow customers to whitelist your business with their bank so that future purchases do not require payment authentication. There are also instances in which transactions are exempt from SCA, called Low-Risk transactions. Check with your payment provider about this. Stripe, for example, has provided and clear cut overview of how this works with their service.

3. Employ 3D Secure 2 standard. This new authentication standard improves the purchase experience and is necessary if you want to be in compliance with SCA.


Are you SCA ready?

Everything there is to know about PSD2 is still under consideration. But don’t wait too long to get your business in compliance! Start preparing now to ensure smooth execution come September!