Beginning September 14, 2019, PSD2 regulation will require Strong Customer Authentication (SCA) for many online payments made by European customers, to help reduce fraud. To ensure payments will not be declined, businesses will need to build an extra layer of authentication into online card payments, unless transaction-specific exemptions apply.
The impact of SCA on your business can vary depending on the type of purchase, whether you charge a customer during or after checkout, and even which bank your customer uses.
What is Strong Customer Authentication?
Strong Customer Authentication (SCA) is a new European regulatory requirement to reduce fraud and make online payments more secure. To accept payments once SCA goes into effect, you will need to build additional authentication into your checkout flow. SCA requires authentication to use at least two of the following three elements.
SOMETHING THE CUSTOMER KNOWS
SOMETHING THE CUSTOMER HAS
SOMETHING THE CUSTOMER IS
Starting 14 September 2019, banks will decline payments that require SCA and don’t meet these criteria. (If you would like to read the original SCA requirements, they are set out in the Regulatory Technical Standards or RTS.)
When is Strong Customer Authentication required?
Strong Customer Authentication will apply to “customer-initiated” online payments within Europe. As a result, most card payments and all bank transfers will require SCA. Recurring direct debits, on the other hand, are considered “merchant-initiated” and will not require strong authentication. With the exception of contactless payments, in-person card payments are also not impacted by the new regulation.
For online card payments, these requirements will apply to transactions where both the business and the cardholder’s bank are located in the European Economic Area (EEA). (We expect SCA regulation to be enforced in the UK, regardless of the outcome of Brexit.)
If you’re based outside of Europe but a large portion of your sales are to European customers, your payments may also be impacted. While SCA is not legally required for businesses outside of Europe, we expect a small minority of European banks to require SCA for all payments regardless of where a business is located. We recommend all businesses with a high amount of European sales prepare for SCA to avoid transactions being declined.
What happens if an exemption fails?
While exemptions will be very useful, it’s important to remember that it’s ultimately the cardholder’s bank that will decide whether or not to accept an exemption. Banks will return new decline codes for payments that failed due to missing authentication. These payments will then have to be resubmitted to the customer with a request for Strong Customer Authentication.
If your business is impacted by SCA, we recommend preparing for a fallback in case an exemption is rejected and your customer needs to authenticate. This is particularly important if you charge your customers when they’re not actively in your checkout flow (when they are off-session) and your customer needs to return to your website or app to authenticate
The information on this page is for general guidance on your rights and responsibilities and is not legal advice. If you need more details on your rights or legal advice about what action to take, please contact an adviser or solicitor.