Payment security is kind of a big thing, right? Strong Customer Authentication (SCA) is a new European regulatory requirement to reduce fraud and make online payments more secure. The requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments.
It will not apply to cash payments or when a customer uses their card at a POS terminal as these are already secured by entering a PIN number. The new SCA regulation aims to bring that same level of security to online payments. First agreed back in 2015, businesses within the EU have until the 14th September 2019 to comply.
From mid September, to continue to accept payments online, you will need to add methods of authentication to your checkout flow so customers can prove who they say they are before they can initiate a transaction.
What payments require SCA?
With online payments, there are two categories; A Customer-Initiated Transaction or a Merchant Initiated Transaction (MIT).
Customer-Initiated Transaction: When the customer is present when making the electronic online payment. For instance, entering card details for a one-time purchase from an online shop. SCA rules apply to all customer-initiated transactions.
Merchant Initiated Transaction (MIT): Where a business processes a payment using previously stored details – and without the cardholder’s participation. For instance, if the same company bills customers the same amount on the same regular date (e.g. for subscriptions).
In the event that your business uses recurring billing for a fixed amount, SCA should only apply to the first payment and may not be needed for subsequent transactions. It will ultimately be up to the bank to decide whether authentication is needed for the transaction. However, if the amount being charged changes, then the SCA procedure will be needed for each payment.
If you use GoCardless, they use paperless Direct Debit mandates (which fall outside of the scope of SCA), so you will not need to implement any additional authorisation methods.
Are there exemptions?
Yes – If any of the following apply, you can apply for an exemption.
- Contactless Payments at POS
- Card payments over the phone – sometimes known as “Mail Order and Telephone Orders”
- Low value transactions (under €30 until a cumulative total of €150 is reached)
- Recurring transactions – Payments initiated by merchants for the same amount and on the same regular date are exempt – (eg subscriptions) where the price paid does not vary. (Recurring Merchant-Initiated Transactions where the payment amount varies such as utility bills will need to trigger an SCA procedure).
Even though you may qualify for exemption, it will still be up to the bank to decide whether to accept or reject transactions. In the event that a transaction is declined by the bank, the payment will need to be resubmitted to the customer with a request for SCA – so you still need to prepare for it.
So whilst getting to grips with complying with the new EU Payments Service Directive might be frustrating, it will ultimately make the way we pay for goods online more secure.
There is no need to panic as the major payment gateways (Paypal, Sagepay Worldpay, and Stripe to name a few) will have updates available in order to meet SCA regulations and in most cases this will mean a simple update being implemented within your site.
If you are one of our existing e-commerce customers we will be contacting you shortly to make sure your payment gateways are updated and ready for SCA.