Strong Customer Authentication (SCA) is a regulatory standard for customer identity verification. It requires users to provide two forms of identity in order to authorise electronic payments and transactions.
It’s now in place in the UK and, like SEPA, is active across the majority of the European Economic Area (EEA). However, many businesses and customers are still unsure what SCA regulations mean for them. This article explains the requirements for Strong Customer Authentication and discusses the implications for electronic transactions in the UK.
Why was SCA introduced?
Unfortunately, just as payment security has advanced over the years, so have digital crime and fraud techniques. Passwords can now be cracked or stolen, and there are many other ways to illegally obtain people’s personal data online.
Strong Customer Authentication primarily aims to tackle card-not-present fraud, which costs businesses and consumers hundreds of millions of pounds per year. This type of fraud involves criminals using stolen credit card details, including billing address and CVV codes, to complete transactions online.
Without identification verification procedures, it’s easy for fraudsters to impersonate someone using their stolen card details. But, a couple of additional steps in the verification process can greatly reduce this type of fraud. That’s where SCA comes in. It helps prove that you’re the legitimate holder of a card when you pay.
Strong Customer Authentication was introduced as a mandatory requirement under the EU’s Payment Services Directive (PSD2) way back in 2015. Since then there have been a number of different deadlines for payment service providers to introduce SCA for all online and offline payments.
Following the UK’s exit from the EU, the UK carried over and implemented SCA legislation. It is now enforced by the Financial Conduct Authority. While there were a couple of delays due to COVID-19, SCA became mandatory as of 14 March 2022.
What is SCA?
The primary purpose of SCA is to provide a reliable way to verify customer-initiated online payments, offline contactless payments and online banking transactions. It aims to prove that payments are being made by the real account holder.
The Payment Services Directive (PSD2) outlines how payment providers should achieve this using any two of the following three factors:
- Something that the cardholder “knows”, e.g. a password or a PIN
- Something that the cardholder “has”, e.g. a one-time passcode on a personal device like a smartphone
- Something that the cardholder “is”, e.g. biometric verification via fingerprint or facial identification
These requirements ensure that, outside of coercion, there’s no way for a criminal or fraudster to impersonate a cardholder when attempting a transaction.
According to FCA regulations, the Strong Customer Authentication requirements apply in the following circumstances:
- Whenever an electronic payment is initiated
- Whenever an individual accesses one of their payment accounts online
- Whenever an individual carries out any remote action that could imply a risk of payment fraud
These requirements cover most situations where card-not-present fraud can occur online. But the FCA does outline a few scenarios where it’s either impractical or inconvenient to require SCA:
- Low-value contactless transactions that total less than £100 (this limit has recently been increased from £45)*
- Recurring transactions of the same amount to the same business
- Transactions that have been deemed ‘low-risk’ by a real-time fraud prevention system
- Transactions to companies or individuals that have been listed as trusted beneficiaries by the cardholder
- When the transaction is carried out by a business, not a consumer, and processed via a secure, dedicated payment protocol
*Single contactless transactions under £100 are SCA exempt, but if a customer spends £300 within 5 consecutive contactless transactions, they will have to confirm their identity with their PIN.
All merchant-initiated transactions (MITs) are also SCA exempt. These are payments that the merchant makes on behalf of the customer by way of a prior agreement and they don’t require customer authorisation. Examples include subscription payments or instalment payments. Alongside MITs, charitable donations do not require SCA because they come with a low risk of fraud.
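The low-value contactless exemption above is stateful: each tap is checked against the £100 single-transaction limit and against what has been spent, and how many taps have been made, since the cardholder last entered their PIN. The following is an added illustration, not code from the article or from any issuer; the per-card counter, the rule that counters reset after a PIN entry, and the choice to treat a running total reaching £300 as the trigger are all assumptions made for the example.

```python
from dataclasses import dataclass

SINGLE_LIMIT_PENCE = 100_00      # a single contactless tap must be under £100 to be exempt
CUMULATIVE_LIMIT_PENCE = 300_00  # £300 spent contactlessly since the last PIN entry triggers SCA
MAX_CONSECUTIVE_TAPS = 5         # at most 5 consecutive contactless taps since the last PIN entry


@dataclass
class ContactlessCounter:
    """Per-card state an issuer would keep between SCA events (constructed model)."""
    spent_since_pin_pence: int = 0
    taps_since_pin: int = 0

    def decide(self, amount_pence: int) -> str:
        """Return 'exempt' or 'pin_required' for one contactless tap and update the counters.

        Assumption: once the cardholder confirms with their PIN, both counters restart
        from zero (the article does not say how the counters are reset).
        """
        # Rule 1: a single tap of £100 or more is never exempt.
        if amount_pence >= SINGLE_LIMIT_PENCE:
            return self._require_pin()
        # Rule 2: more than five consecutive contactless taps without a PIN.
        if self.taps_since_pin + 1 > MAX_CONSECUTIVE_TAPS:
            return self._require_pin()
        # Rule 3: the running contactless total would reach £300.
        if self.spent_since_pin_pence + amount_pence >= CUMULATIVE_LIMIT_PENCE:
            return self._require_pin()
        self.taps_since_pin += 1
        self.spent_since_pin_pence += amount_pence
        return "exempt"

    def _require_pin(self) -> str:
        # The PIN entry is itself an SCA event, so the exemption counters start again.
        self.spent_since_pin_pence = 0
        self.taps_since_pin = 0
        return "pin_required"


if __name__ == "__main__":
    card = ContactlessCounter()
    # Constructed sequence: four taps of £70 (total £280), then £30 tips the total to £310.
    for pence in (70_00, 70_00, 70_00, 70_00, 30_00):
        print(f"£{pence / 100:.2f}: {card.decide(pence)}")
```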
One increasingly popular payment method—virtual credit cards—is exempt from SCA in certain circumstances. Virtual cards that are used for B2B payments, i.e. employee expense cards that are issued by a business, do not require SCA because they provide a high level of security.
Virtual card payments are considered sufficiently secure because:
- The card details are temporary and set to expire after a short period of time
- They’re stored in a tokenized form within an encrypted digital wallet
- The card details are linked to a business and not a specific employee
You can read more about the exemption for virtual credit cards on the European Banking Authority website.
Is SCA different from 2FA?
You may not have heard of SCA, but chances are you probably have heard of two-factor authentication (2FA). While they work on the same underlying principle, there are some notable differences between the two.
It has been proven that the go-to verification method for conventional 2FA, sending a one-time password via SMS, has some major vulnerabilities and is no longer considered secure. SCA provides better security through additional requirements. These help to stop man-in-the-middle attacks, where third parties are able to intercept and alter payment orders as they pass between the payer and the payee.
The additional security protocols for Strong Customer Authentication are:
- Secure execution environments: This involves using software, or hardware in some cases (payment terminals), to ensure that the authentication environment cannot be breached by a hacker. The sensitive information, such as a passcode or biometric ID, that’s used to authenticate a user’s identity should be isolated from the normal operating environment on the payment device. This is because many smartphones run on out-of-date operating systems with known vulnerabilities.
- Dynamic linking: The authorisation code is tied directly to the transaction amount and the name of the payee. If either of these is altered through a man-in-the-middle attack, the authorisation code is automatically invalidated. The transaction amount and the identity of the payee are also shown to the payer before they approve the transaction, so users can visually confirm the details of a payment.
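To make dynamic linking concrete, here is an added example (not code from the article, PSD2 or any payment provider) that derives the authorisation code as an HMAC over the amount, the payee and a one-time challenge, so that a code issued for the details the payer saw fails to verify if an intermediary changes either field in transit. The issuer key, the 8-digit truncation and the canonical field encoding are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed issuer secret: in a real deployment this would live inside the secure
# execution environment described above, never in application code.
ISSUER_KEY = secrets.token_bytes(32)


def _canonical(amount_pence: int, payee: str, challenge: str) -> bytes:
    """Encode the linked fields unambiguously so that no two (amount, payee, challenge)
    triples produce the same byte string (the payee is length-prefixed for this reason)."""
    payee_bytes = payee.encode("utf-8")
    return b"%d|%d|%s|%s" % (amount_pence, len(payee_bytes), payee_bytes, challenge.encode())


def issue_auth_code(key: bytes, amount_pence: int, payee: str, challenge: str) -> str:
    """Issuer side: the code shown to / entered by the payer is bound to amount and payee.
    Truncating the MAC to 8 decimal digits is an assumption to keep it typeable."""
    mac = hmac.new(key, _canonical(amount_pence, payee, challenge), hashlib.sha256).digest()
    return "%08d" % (int.from_bytes(mac[:8], "big") % 10**8)


def verify_auth_code(key: bytes, amount_pence: int, payee: str, challenge: str, code: str) -> bool:
    """Issuer side at authorisation time: recompute over the details actually submitted.
    Any change to amount or payee after the code was issued makes this return False."""
    expected = issue_auth_code(key, amount_pence, payee, challenge)
    return hmac.compare_digest(expected, code)


def new_challenge() -> str:
    """One-time challenge so a code cannot be replayed for a second identical payment."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    challenge = new_challenge()
    # The payer is shown "£42.50 to Example Shop Ltd" and approves that exact pair.
    code = issue_auth_code(ISSUER_KEY, 42_50, "Example Shop Ltd", challenge)
    print("genuine :", verify_auth_code(ISSUER_KEY, 42_50, "Example Shop Ltd", challenge, code))
    # A man-in-the-middle rewrites the payment order; the code no longer matches.
    print("tampered:", verify_auth_code(ISSUER_KEY, 420_50, "Example Shop Ltd", challenge, code))
    print("redirect:", verify_auth_code(ISSUER_KEY, 42_50, "Other Payee", challenge, code))
```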
How do I comply with SCA regulations as a business?
The deadline for SCA compliance in the UK has already passed. SCA was gradually phased in before the deadline to ensure consumers and businesses were ready for the final transition. Following the 14 March 2022 deadline, any non-compliant online transactions are automatically declined.
As a smaller business owner, this deadline may have come and gone without you realising, or even knowing what SCA actually is. But fear not. It’s payment service providers who have to implement the necessary changes to conform to SCA regulations. Your payment terminal or online payments platform should have been updated automatically to require additional verification when needed.
SCA and customer shopping experience
The introduction of mandatory SCA is an essential piece of anti-payment fraud legislation for customers and businesses in the UK (and the EEA). But it comes with the downside of increased friction in the payment process. SCA methods for online payments vary from provider to provider. For example, some online banks may have in-app verification, while others use a redirect in the browser.
The more complex the process, even if it’s just having to switch between apps or wait for one-time passwords, the less convenient it is for users. This detracts from usability and a seamless payment experience.
Payment friction increases purchase abandonment, which can have a negative impact on sales and transaction volume. This is partly why there was widespread lobbying and objection to SCA when it was first proposed.
If customers are frustrated by the payment experience, they won’t buy as often, or they’ll go to a competitor who offers a better service. As a result, banks, payment service providers and vendors have invested heavily in integrating SCA as intuitively as possible. The easier it is for customers to complete transactions, the better businesses will fare.
The industry standard SCA protocol is 3D Secure 2 (3DS2). It provides reliable multi-factor verification and places a strong emphasis on native mobile integration to reduce friction during the authorisation process.
Protecting your business and customers from fraud
While SCA is a huge improvement over old payment protocols, it’s essential that businesses follow standard security precautions to protect customer data. Many ecommerce businesses encourage customers to create accounts as part of the payment process. This helps them boost marketing efforts and customer loyalty, but it also requires customers to provide their personal data.
It’s ultimately your responsibility as a business to ensure that you store and process your customers’ data securely. You can carry the principles of SCA over to the account login process by requiring 2FA and OTPs when a customer logs in on a new device or from a new location.
Pay securely with Moss virtual cards
As we’ve seen with SCA, security around electronic payments is more important than ever. The majority of payment fraud targets consumer payments, but B2B payments are not immune. Fraudsters can still steal standard business credit card details if businesses use conventional, single issue cards. Employees can also misuse corporate cards if businesses don’t take proper precautions.
Moss corporate credit cards offer unrivalled security for business payments, by giving businesses full control over how their employees spend their cash. Moss customers can create an unlimited number of virtual credit cards with custom parameters to prevent unwanted spending. You can monitor and freeze cards from your phone using the Moss app, and add Moss cards to Apple Wallet so you can pay directly through Apple Pay.
Moss Insights provides detailed information about where your money is being spent. You can separate cashflows by department, payment category, and even individual employees.
SCA is a regulatory framework that aims to reduce electronic payment fraud and increase security for electronic transactions. It is currently active in the UK and the EEA.
SCA helps secure electronic transactions by requiring multi-factor authentication on every payment. Multi-factor authentication makes it much harder to complete payments unless you’re the legitimate holder of a card.
SCA is based upon the same underlying concept as 2FA, but it builds upon it with more secure verification methods (biometric ID, in-app OTPs, etc.).
SCA exemptions are made for transactions that meet certain criteria. This includes merchant-initiated transactions and contactless transactions under £100, among others.
Virtual card payments are also exempt from SCA because they are deemed sufficiently secure without additional verification, thanks to tokenization and temporary card credentials.