Strong Customer Authentication: Three Things Every Merchant Needs to Know


With online fraud on the increase, companies must take action to make sure they meet the updated version of the Payment Services Directive, PSD2, which will mandate Strong Customer Authentication (SCA), later this year. Adam Bromage-Hughes, Technical Director at Encoded, takes a closer look at the directive and discusses why SCA is so important for companies and customers.

The first Payment Services Directive (2007) levelled the playing field for payment institutions in the EU. It increased competition and set out common payment standards that benefited both customers and participants in the industry. The revised directive, PSD2, introduced in 2015, has resulted in an even more integrated and efficient payments market, with the key addition of Strong Customer Authentication (SCA). Over the last five years SCA has helped to reduce online fraud by making payments safer and more secure for customers. The Financial Conduct Authority (FCA) has announced that the deadline for implementing full SCA compliance for e-commerce transactions is now 14 March 2022. Any firm that fails to comply with the requirements will be subject to FCA supervisory and enforcement action.

What has changed and why is SCA so important now? Here are three important things to know:

1. SCA protects businesses and the customer from online fraud

Strong Customer Authentication (SCA), often referred to as multi-factor authentication, assures the card issuer and acquirer that the transaction is genuine. For cardholder-not-present (online) transactions, at least two criteria must now be met to confirm the customer’s identity: something they know (a PIN), something they have (the card) or something they are (a biometric such as a fingerprint or voice recognition).

SCA protects both the merchant/company and the customer. If a customer pays online for goods using an SCA process, but later claims it was a fraudulent transaction, the bank or card issuer accepts liability. Previously a fraudulent transaction meant that the merchant had to refund the money and incurred additional chargeback costs. With debit cards the merchant was even more vulnerable to fraud, as the money could only be credited back if there was still cash in the bank account.

The latest version of Visa’s 3-D Secure is an example of the SCA process, where customer details are used by the bank or card issuer to assess the risk of the transaction. It is more robust than the earlier version, which simply required a password: the details are confirmed and then a one-time password or code is sent to the customer as authorisation. 3-D Secure (often referred to as ‘Verified by Visa’) provides confidence from the card issuer and bank that the transaction is genuine. If a purchase is considered low risk by the bank or card issuer, the transaction is processed immediately with no authentication required. This is often termed ‘frictionless flow’ since it provides a smooth customer journey.

2. SCA will become mandatory on 14 March 2022

For companies selling online the initial deadline to meet the new PSD2 with SCA requirements was September 2019. However, with the UK leaving the EU and the recent COVID pandemic, the UK’s Financial Conduct Authority (FCA) has delayed the deadline until March next year. This means that any UK company that is performing transactions online (over the value of 50 euros or approx. £45) must have SCA in place by this date.

Transactions that do not meet the SCA requirements could be declined by the card issuer. The FCA will oversee and enforce the directive, and repeat offenders may be fined for non-compliance. Companies with high numbers of declined transactions could also see increased complaints, reduced customer confidence and possibly irreversible reputational damage. Some transactions will be considered SCA exemptions, which include recurring payments (such as subscriptions) where the security checks are carried out in the initial set-up, and ‘whitelisting’ where the recipient is a ‘trusted beneficiary’.
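To make the rules in sections 1 and 2 concrete, here is an added example (not code from the article or from Encoded) that models an issuer-side decision: the 50 euro threshold, the recurring-payment and trusted-beneficiary exemptions, the ‘frictionless flow’ for low-risk purchases, and the requirement that the two factors come from different categories (two PINs do not count). The risk scale, the `LOW_RISK_CUTOFF` value and all transaction values are constructed for illustration and are not a statement of the legal rule set.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Tuple


class Factor(Enum):
    """The three SCA factor categories named in the article."""
    KNOWLEDGE = "something the customer knows, e.g. a PIN"
    POSSESSION = "something the customer has, e.g. the card"
    INHERENCE = "something the customer is, e.g. fingerprint or voice"


SCA_THRESHOLD_EUR = 50.0  # threshold quoted in the article (50 euros / approx. GBP 45)
LOW_RISK_CUTOFF = 0.2     # constructed: issuer scores below this are treated as low risk


@dataclass
class Transaction:
    amount_eur: float
    recurring_after_setup: bool = False  # subscription whose initial set-up was SCA-checked
    trusted_beneficiary: bool = False    # payee whitelisted by the customer with the issuer
    issuer_risk_score: float = 1.0       # constructed scale: 0.0 = very low risk, 1.0 = high


def sca_required(tx: Transaction) -> Tuple[bool, str]:
    """Decide whether a challenge is needed, returning (required, reason)."""
    if tx.amount_eur <= SCA_THRESHOLD_EUR:
        return False, "below threshold"
    if tx.recurring_after_setup:
        return False, "recurring payment exemption"
    if tx.trusted_beneficiary:
        return False, "trusted beneficiary exemption"
    if tx.issuer_risk_score < LOW_RISK_CUTOFF:
        return False, "frictionless flow: issuer rates transaction low risk"
    return True, "challenge required"


def factors_satisfy_sca(factors: Iterable[Factor]) -> bool:
    """At least two factors from *different* categories; repeating one category fails."""
    return len(set(factors)) >= 2


def authorise(tx: Transaction, presented: Iterable[Factor]) -> str:
    """Outcome the merchant sees: 'approved', 'approved (<reason>)' or 'declined'."""
    required, reason = sca_required(tx)
    if not required:
        return f"approved ({reason})"
    return "approved" if factors_satisfy_sca(presented) else "declined"
```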

3. Working with the right Payment Services Provider helps achieve compliance

It can be costly and complex to implement secure online processes for transactions. With some acquirers, secure checks are carried out separately from the transaction processing. In this case the merchants must handle all of the secure online checks themselves, obtaining an authorisation code from the card issuer and then passing it on to the payment services provider to proceed with the transaction. Expensive to set up, the secure checks require resources and expertise to manage the mandatory technical and operational interfaces with third parties.

Working with an established payment services provider like Encoded means the transaction process and administration are managed from start to finish. The merchant captures the customer transaction and Encoded carries out all of the secure checks required by the acquirer to verify the card with the card issuer behind the scenes. Once the checks are authorised, Encoded issues a secure link that takes the customer through the online process to complete the transaction.

Choosing the right payment service provider early on is an investment for the future. Encoded’s payment gateway is acquirer agnostic, which means that merchants can easily change banks without implementation costs.

With the next deadline of 14 March 2022 for SCA looming, now is the time to start thinking about how to protect your business from fraudulent transactions and how to comply with the new regulations.

Contact Encoded to find out how we can help you make the change.

About the Author

Adam Bromage-Hughes is Technical Director at Encoded


Encoded is a leading Payment Service Provider and pioneer of new and innovative secure payment solutions for contact centres. Encoded offers a range of card payment solutions designed to help organisations comply with PCI DSS, GDPR and the newly introduced Payment Services Directive (PSD2).

Encoded’s solutions are trusted by many of the world’s leading brands including Samsung, Mercedes-Benz, BMW, Müller and Virgin, as well as a host of UK utility companies such as Green Star Energy and Severn Trent Water. Solutions include: Agent Assisted Card Payments, E-Commerce Payments, IVR Payments, Mobile Apps, PayByLink Mobile Payments and Encoded Gateway Services. For further information please visit www.encoded.co.uk
