Last updated April 2022.
In 1979, something monumental occurred when Visa introduced a point-of-sale terminal to merchants. For the first time, consumers could choose to spend directly from their bank accounts via a single plastic card rather than being limited to the cash in their wallet.
A tremendous shift in the way merchants and consumers could exchange goods and services, this card payment experience would remain virtually unchanged for the next quarter of a century.
Then in 2006, Chip & PIN was formally adopted in the UK to combat fraud on lost, stolen and counterfeit cards. From 14 February 2006, card transactions at the point of sale would require customers to enter their PIN at the checkout instead of signing.
Described as the “largest change in the way we pay since decimalisation”, Chip & PIN marked the end of the customer signature and sparked a rapid succession of digital payment innovations. In 2007, the first contactless credit cards were issued by Barclaycard in the UK. Contactless debit cards would follow just two years later.
Ahead of its time, contactless would not take off as a serious payment method in the UK until 2012, when NFC technology became more readily available to merchants. Apple Pay, Samsung Pay and Google Pay would then arrive in quick succession over the next three years.
By legitimising contactless and mobile payments in the eyes of merchants and consumers alike, and by helping to close the experience gap between in-store and online shopping, these innovations confirmed the now unrivalled position of digital payments.
However, this shift towards a more convenient and frictionless payment experience, where consent and acceptance became an instant tap or click, inevitably created more risk and fraud potential, both for merchants and their customers.
Recognising how quickly the way digital payments are made and accepted was changing, in 2013 the European Commission proposed measures to reinforce payment security and consumer protection, an initiative that would come to be known as the second Payment Services Directive (PSD2).
Born out of PSD2, the term Strong Customer Authentication (SCA) came to everyone’s attention. In short, SCA is a set of legal requirements that add security steps to the payment flow when a customer makes certain purchases.
SCA affects virtually every EU and UK merchant selling online. The EU authorities and the UK's Financial Conduct Authority (FCA) require relevant businesses to have a fully compliant SCA strategy in place.
This guide will take you through everything you need to know about SCA, how it could affect your business, the steps you may need to take, and what Judopay can do to help ensure you have a fully compliant strategy in place.
Strong Customer Authentication (SCA) is an EU and UK legal requirement for online payments.
As consumers purchase more goods and services online, the need to authenticate identity during transactions has become essential in making payments more secure and reducing cases of fraud.
In the past, shoppers were only required to enter their financial details to complete an online purchase. SCA regulation requires merchants to include an extra layer of security when their customers make an online payment.
“The FCA has been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster. While these measures will reduce fraud, we also want to make sure that they won’t cause material disruption to consumers themselves; so we have agreed a phased plan for their timely introduction.” (FCA, Small Businesses)
SCA became mandatory across most of Europe in December 2020 and for most online UK transactions in 2022 (transactions covered by an SCA exemption aside). Many consumers will still experience a standard payment flow. But if an issuer challenges the transaction (i.e. requires more evidence to confirm that the cardholder is the person making the transaction), the consumer will be asked to provide a combination of two of the following authentication factors, each from a different category:
Something you are.
(e.g. fingerprint, face recognition, voice pattern)
Something you know.
(e.g. PIN, password, passphrase, secret fact, sequence)
Something you have.
(e.g. card, smartphone, wearable device)
Many of your customers will already be familiar with two-factor authentication (even if they don’t know the terminology).
As an example:
When a customer is asked to enter a one-time code sent to their smartphone (something they HAVE) after they’ve entered their password (something they KNOW) to access online banking.
“Merchants should focus on implementing 3DS2 now to allow time to test, tweak and test again before the SCA deadline.” (IMRG)
Yes, all merchants taking online payments need to comply with SCA, but there are exemptions that will apply to some businesses:
SCA is the legal requirement; 3-D Secure 2 (3DS2) is the card-industry authentication protocol most merchants use to meet it for card payments. 3DS2 adds the extra authentication step to the payment flow that makes it SCA compliant. In most cases the experience remains seamless, but if the issuer isn’t satisfied that the genuine cardholder is making the purchase, it will ask the customer for additional input to authenticate the transaction.
Customer enters their card details on your checkout page to start the payment.
Judopay’s 3DS2 solution checks whether authentication is required. Depending on the issuer’s requirements, we’ll share data such as the shipping address, customer location or device ID to give the issuer confidence that the genuine cardholder is making the purchase.
Option 1: If the issuer is satisfied they’ll authenticate the payment.
Option 2: If the issuer isn’t satisfied by the identity and risk data, the customer will be asked for additional input to authenticate the payment (two of: something they KNOW, HAVE or ARE).
Once the issuer is satisfied that the real cardholder is the one making the payment, the payment can be completed.
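To make the two outcomes above, and the two-factor rule from the list of authentication factors, concrete, here is an added illustration in Python. It is not Judopay's code and not the 3DS2 protocol itself: the data elements, the issuer's risk threshold, the factor table and every name in it are assumptions chosen for the example. What it shows is the decision a practitioner has to get right on the merchant side: a frictionless result and a passed challenge both allow the payment to proceed, a failed challenge (including one where the customer supplied two factors from the same category, such as a password and a secret question) must not.

```python
"""Hypothetical model of the 3DS2 frictionless/challenge decision and the
two-distinct-categories rule behind an SCA challenge. Illustration only:
thresholds, data elements and factor table are assumptions, not any
issuer's or Judopay's real logic."""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Assumed mapping of concrete factors to SCA categories.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "secret_question": Category.KNOWLEDGE,
    "sms_otp": Category.POSSESSION,       # code delivered to a registered phone
    "app_approval": Category.POSSESSION,  # approval inside the issuer's banking app
    "fingerprint": Category.INHERENCE,
    "face_recognition": Category.INHERENCE,
}


def satisfies_sca(factors):
    """True only if the factors span at least two independent categories.
    Password + secret question are both KNOWLEDGE, so they do not count."""
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return len(categories) >= 2


@dataclass
class AuthenticationRequest:
    """Subset of the data a merchant's 3DS integration passes to the issuer (assumed)."""
    amount_minor: int        # e.g. 2500 == 25.00 in the currency's minor unit
    shipping_address: str
    customer_country: str    # e.g. derived from billing data or IP geolocation
    device_id: str


@dataclass
class CardholderProfile:
    """What the issuer already knows about the cardholder (assumed)."""
    country: str
    known_devices: frozenset
    usual_shipping_addresses: frozenset


FRICTIONLESS_LIMIT_MINOR = 10_000  # assumed issuer threshold: 100.00


def issuer_decision(req, profile):
    """Hypothetical issuer risk check: 'frictionless' when everything matches
    what the issuer already knows and the amount is small, else 'challenge'."""
    low_risk = (
        req.device_id in profile.known_devices
        and req.customer_country == profile.country
        and req.shipping_address in profile.usual_shipping_addresses
        and req.amount_minor < FRICTIONLESS_LIMIT_MINOR
    )
    return "frictionless" if low_risk else "challenge"


def run_3ds2(req, profile, factors_proved):
    """Walk the flow described above. `factors_proved` are the factors the
    cardholder successfully completed during a challenge (verifying each
    factor's value is the issuer's job and is out of scope here).
    Returns 'authenticated_frictionless', 'authenticated_challenge' or 'failed';
    the merchant may submit the payment for authorisation only on the first two."""
    if issuer_decision(req, profile) == "frictionless":
        return "authenticated_frictionless"
    if factors_proved and satisfies_sca(factors_proved):
        return "authenticated_challenge"
    return "failed"


if __name__ == "__main__":
    # Constructed sample data for a single cardholder.
    profile = CardholderProfile("GB", frozenset({"dev-known"}),
                                frozenset({"1 High St, London"}))
    on_known_device = AuthenticationRequest(2500, "1 High St, London", "GB", "dev-known")
    on_new_device = AuthenticationRequest(2500, "1 High St, London", "GB", "dev-new")
    print(run_3ds2(on_known_device, profile, []))
    print(run_3ds2(on_new_device, profile, ["password", "sms_otp"]))
    print(run_3ds2(on_new_device, profile, ["password", "secret_question"]))
```

The last call is the case worth testing in a real integration: the customer did answer two prompts, but both were knowledge factors, so the challenge is not SCA compliant and the result must be treated as a failure rather than passed on for authorisation.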