6 minute read

Strong Customer Authentication (SCA) is live across Europe: Are you ready for the UK deadline?

Thursday, March 25, 2021

6 minute read

2020 was a year like no other. With many businesses adapting to a continually changing trading environment, being able to accept payments confidently and with minimal friction is more important than ever.

This is why businesses must prepare for the upcoming UK enforcement of SCA as part of the Payment Services Directive 2 (PSD2) regulation.

SCA will help protect payments across many commerce channels and specifically expands the requirements for electronic payments. It provides significant benefits to businesses:

  • Reduces fraud losses by better filtering out fraudulent transactions and shifts fraud liability from the merchant to the issuer when compliance is met.
  • Increases approvals when issuers and merchants have greater confidence in the authentication of their cardholders.
  • Improves the checkout experience for customers with 3D Secure 2 technology embedded directly into the purchase flow, authenticating customers without having to redirect them to a third party.

From 1 January 2021, this regulation came into effect across European Economic Area (EEA) markets.

With disruption caused by the current COVID-19 pandemic, national banking authorities across the EEA implemented 'Ramp Up Plans', allowing gradual enforcement of SCA over time. This has given some grace, but not for long.

For the UK, the enforcement date is set to 14 March 2022. To encourage compliance in advance of the deadline, issuers will randomly check appropriate transactions for SCA compliance from 1 June 2021.

This means transactions selected for SCA checks that are not authenticated will be declined, potentially impacting your ability to accept payments.

So, what does SCA mean?

With digital and online payments continuing to grow, so does the risk of fraud. SCA intends to combat this risk by providing a more secure trading environment for businesses and their customers.

To do so, a transaction must meet two out of three authentication measures, commonly referred to as multi-factor authentication, from the following categories:

  • Biometric—such as a fingerprint or voice recognition.
  • Knowledge—something like a unique passphrase or identification number.
  • Possess—uses the mobile device registered with the issuing bank or a hardware token.

Businesses attempting to process transactions that have not been successfully authenticated after the enforcement date will start to see declines from issuing banks.

Not only will this negatively impact your customers' experience, it could also drive additional purchase abandonment.

What needs to be done?

The deadline for enforcement is fast approaching. The following steps will help you avoid any negative impacts of missing the deadline:

1. Review your approach to payments

SCA covers both customer present and not present payment scenarios. Complete a check of how you're currently accepting payments and through which channels to ensure you're meeting new compliance requirements.

There are a number of scenarios such as Merchant Initiated Transactions (MIT) and Mail Order / Telephone Order (MOTO) which fall out of scope from SCA. Although these do not require SCA, it's important to configure these payment requests correctly to avoid unnecessary declines and mitigate risk fraud.

2. Check your ecommerce implementation

Ecommerce transactions will largely be impacted by SCA. With exponential growth in online payments, especially mobile and app-based transactions, delivering the right authentication experience can deliver strong conversion rates.

For Customer Initiated Transactions (CIT), implement 3DS v2.2 which is the latest version to manage customer authentications as part of your payment journey.

Although 3DS v1 meets the minimum requirements for SCA compliance, 3DS v2.2 provides better user experiences for authentication (especially for mobile commerce), richer data sets for issuers to make an authentication decision and enables the use of exemptions as outlined within the SCA regulations.

These linked together give you the best chance to remove friction from your customers' payment journey and maximise authorisation rates.

3. Check your hardware for face-to-face transactions

If you rent your terminal(s) from Global Payments, we'll implement any hardware updates to ensure SCA compliance. You'll need to check if your hardware is up to date if you rent or own equipment from a third-party vendor.

4. Keep your staff and customers informed

Whether you take payments face to face, over the phone or online, be sure to keep your staff and customers informed of changes to payment regulations.

Most customers are familiar with contactless transactions. Issuers may require chip-and-pin authentication in situations where your customer exceeds a certain number of contactless transactions or reaches a certain spend threshold without prior authentication. This will all be tracked by the cardholder's issuer, so you don't have to make any changes.

It's important to reassure your customer that when chip-and-pin authentication is required for contactless transactions, extra checks are being completed for their protection.

Similarly for ecommerce transactions, flagging authentication requirements reassures customers that extra steps are being taken to protect their online purchase.

We're here to help

Navigating payment regulations can be challenging and we're here to help. Our SCA help centre provides more information to become SCA complaint across all the different ways to accept payments from your customers.

Looking for a quick and easy SCA guide to keep handy? Our SCA infographic can be found here.