Strong Customer Authentication (SCA): What You Need to Know About the New Law

In 2021, regulators across the European Economic Area began fully enforcing a rule that requires an extra layer of authentication for electronic payments, above all online card transactions.

The second Payment Services Directive (PSD2) and its Strong Customer Authentication (SCA) provision aim to reduce fraud in electronic payments, primarily online card payments. SCA is satisfied by Multi-Factor Authentication (MFA), in practice Two-Factor Authentication (2FA): the payer must present at least two independent factors, so buyers are asked for extra information to validate a transaction.

While PSD2 and its SCA provision only apply to companies doing business in Europe, it appears likely that the heightened security benchmark will take hold elsewhere.

When the European Union passed its General Data Protection Regulation (GDPR) for consumer privacy and protection, companies that were not actually bound by its requirements adopted its provisions anyway. One reason is that companies wanted to offer the same consumer protections as their competitors. Another is that legislatures outside Europe began drafting and implementing GDPR-like standards of their own.

Expect Strong Customer Authentication to become an expected feature of online payments, not just in Europe. Companies that do not do business in Europe, and therefore aren't bound by the European law, are still likely to be held to its standard in the coming years as the marketplace and non-European governments adopt the measure.

It would be wise to become at least familiar with the Strong Customer Authentication provision of the second Payment Services Directive.

How Strong Customer Authentication Works

With 2FA added to satisfy SCA, the cardholder is prompted by their bank to present at least two of the following, from different categories, in order to authenticate the transaction: something the cardholder knows (a PIN or password), something the cardholder has (the card itself, or a registered phone or banking app that receives or generates a one-time code), and something the cardholder is (a biometric such as a fingerprint or face scan). The factors must be independent, so that compromising one does not compromise the other; two knowledge factors, such as a password plus a security question, do not qualify.

Apple Pay and Google Pay are two payment methods that already satisfy the requirement: the registered device is the possession factor and the device passcode or biometric is the second. For online card payments, European merchants have relied on 3-D Secure (now version 2, 3DS2), an issuer-run authentication step supported by the major card schemes, in which the cardholder completes a challenge in the bank's app or on a page the bank hosts.

Which Transactions Require Strong Customer Authentication

It's worth repeating that the second Payment Services Directive is a European law, so its Strong Customer Authentication provision binds only transactions in which both the payer's and the payee's payment providers are in the European Economic Area. The rule applies to payer-initiated electronic payments, so online card payments and bank transfers made through online banking are included.

Contactless card payments (tapping the card at the terminal) are also in scope, but they are exempt below a per-transaction limit of EUR 50 and cumulative limits since the cardholder last authenticated; once a limit is exceeded, the terminal asks for the PIN. Most other in-person card payments require no change, as explained next.

Which Transactions Do Not Require Strong Customer Authentication

In-person card payments including card swipes and chip insertion are not affected by the SCA rule. A chip-and-PIN payment already combines a possession factor (the card) with a knowledge factor (the PIN), so it meets the requirement as it stands and the cardholder notices nothing new.

Payments considered low-risk can also be exempt. At checkout, the merchant's payment provider (not the customer) can request an exemption, which the cardholder's bank grants or denies based on the amount of the transaction and the provider's historical fraud rate. The two common ones are the low-value exemption (remote transactions of EUR 30 or less, up to a cumulative amount or a number of consecutive payments since the last SCA) and transaction risk analysis (up to EUR 100, 250 or 500 depending on how low the provider's fraud rate is). Everyday purchases such as a grocery order or food delivery are therefore often exempt.

Other payments fall outside the rule, or are exempt under certain conditions: merchant-initiated transactions (charges the merchant triggers later without the customer present, such as subscription renewals after an initial payment that was itself authenticated), mail-order and telephone-order payments where card details are read over the phone, corporate payments made through dedicated corporate payment processes such as corporate cards, and fixed-amount recurring payments to the same payee beyond the first.
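To make the two-factor rule and the exemption logic from the last two sections concrete, here is an added example (not from the article) that models an issuer's SCA decision. The thresholds are the ones laid down in the PSD2 Regulatory Technical Standards (Commission Delegated Regulation (EU) 2018/389, Articles 4, 11, 16 and 18); the data model, the `decide` function and the choice to apply both the cumulative-amount and the consecutive-count limits together are simplifications made for this example, not any bank's or scheme's implementation.

```python
"""Simplified issuer-side SCA decision model (added example, not from the article).

Thresholds come from RTS (EU) 2018/389; amounts are in euro cents to avoid
float rounding. Everything else (types, counters, decision strings) is an
assumption made for illustration.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import FrozenSet, Optional


class Factor(Enum):
    KNOWLEDGE = auto()   # PIN, password
    POSSESSION = auto()  # the card, a registered phone or banking app
    INHERENCE = auto()   # fingerprint, face


class Channel(Enum):
    REMOTE = auto()              # e-commerce, online banking
    CONTACTLESS = auto()         # tap at a terminal
    CHIP_AND_PIN = auto()        # chip insertion at a terminal
    MOTO = auto()                # mail/telephone order: out of scope
    MERCHANT_INITIATED = auto()  # later charges without the payer present: out of scope


LOW_VALUE_MAX = 3_000     # Art. 16: remote payment of at most EUR 30
LOW_VALUE_CUM = 10_000    # Art. 16: EUR 100 cumulative since last SCA
CONTACTLESS_MAX = 5_000   # Art. 11: tap of at most EUR 50
CONTACTLESS_CUM = 15_000  # Art. 11: EUR 150 cumulative since last SCA
CONSECUTIVE_LIMIT = 5     # Art. 11/16: at most 5 consecutive exempt payments
# Art. 18 transaction risk analysis: (fraud rate must be below this %, max amount)
TRA_BANDS = ((0.01, 50_000), (0.06, 25_000), (0.13, 10_000))


@dataclass
class CardState:
    """Counters the issuer keeps per card since the cardholder last completed SCA."""
    remote_cum: int = 0
    remote_count: int = 0
    contactless_cum: int = 0
    contactless_count: int = 0

    def reset(self) -> None:
        self.remote_cum = self.remote_count = 0
        self.contactless_cum = self.contactless_count = 0


@dataclass(frozen=True)
class Transaction:
    amount: int                                 # euro cents
    channel: Channel
    factors: FrozenSet[Factor] = frozenset()    # factors verified for this payment
    tra_requested: bool = False                 # acquirer asked for the Art. 18 exemption
    acquirer_fraud_rate: Optional[float] = None # acquirer's reference fraud rate in %


def is_sca(factors: FrozenSet[Factor]) -> bool:
    """Art. 4: at least two elements from different categories.
    A set of Factor values already collapses repeats, so password + security
    question is a single KNOWLEDGE factor and does not pass."""
    return len(set(factors)) >= 2


def tra_limit(fraud_rate: Optional[float]) -> int:
    """Largest amount the Art. 18 exemption allows for a given fraud rate (0 = none)."""
    if fraud_rate is None:
        return 0
    for max_rate, limit in TRA_BANDS:
        if fraud_rate < max_rate:
            return limit
    return 0


def decide(tx: Transaction, state: CardState) -> str:
    """Return the issuer's decision and update the per-card counters.

    'authenticated'    two independent factors presented (counters reset)
    'out_of_scope'     not a payer-initiated electronic payment
    'exempt:<reason>'  allowed without SCA under an RTS exemption
    'challenge'        issuer must step up (PIN at the terminal, 3-D Secure online)
    """
    if tx.channel in (Channel.MOTO, Channel.MERCHANT_INITIATED):
        return "out_of_scope"
    if is_sca(tx.factors):  # chip+PIN, wallet biometric, completed 3DS challenge
        state.reset()
        return "authenticated"
    if tx.channel == Channel.CONTACTLESS:
        if (tx.amount <= CONTACTLESS_MAX
                and state.contactless_cum + tx.amount <= CONTACTLESS_CUM
                and state.contactless_count < CONSECUTIVE_LIMIT):
            state.contactless_cum += tx.amount
            state.contactless_count += 1
            return "exempt:contactless"
        return "challenge"
    if tx.channel == Channel.REMOTE:
        if (tx.amount <= LOW_VALUE_MAX
                and state.remote_cum + tx.amount <= LOW_VALUE_CUM
                and state.remote_count < CONSECUTIVE_LIMIT):
            state.remote_cum += tx.amount
            state.remote_count += 1
            return "exempt:low_value"
        if tx.tra_requested and tx.amount <= tra_limit(tx.acquirer_fraud_rate):
            return "exempt:tra"  # a real issuer may still refuse on its own risk view
        return "challenge"
    return "challenge"  # chip inserted but no PIN verified: step up


if __name__ == "__main__":
    card = CardState()
    for amount in (4_000, 4_000, 4_000, 4_000):  # four EUR 40 taps
        print(decide(Transaction(amount, Channel.CONTACTLESS), card))
```

Run stand-alone, the script shows the contactless counter at work: three EUR 40 taps are exempt and the fourth, which would push the cumulative total past EUR 150, comes back as a challenge for the PIN. The same counters explain why a string of small online orders eventually triggers a 3-D Secure prompt even though each order alone is under the low-value limit.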

Summary

Strong Customer Authentication is a provision of Europe's second Payment Services Directive. It requires an additional level of authentication for electronic payments, primarily online card payments: the cardholder at checkout must present two independent factors to their bank to validate the transaction.

While the law applies only to transactions in which both payment providers are in Europe, the SCA standard is likely to take hold outside Europe as well, either through marketplace forces or through similar laws coming onto the books in new locales.

For now, companies that do not do business in Europe should be aware of the law and consider implementing SCA of their own accord as a way to boost consumer protection and provide a better buyer experience.