Strong Customer Authentication requirements: what you need to know

If you sell through the internet, your small business must introduce Strong Customer Authentication requirements by 14 March 2022. What is SCA and how will it affect your small business?

UPDATED: After another year’s delay, Strong Customer Authentication requirements come into force today (14 March 2022).

However, research from online payments platform Adyen reveals that 44 per cent of businesses still aren’t set up to meet the requirements. This could lead to repercussions from the Financial Conduct Authority as well as losing business. In fact, 43,000 transactions (worth £3.64m), were declined at the point of sale last month, according to Barclaycard.

To help you stay out of this undesirable situation, here is more info about Strong Customer Authentication and what it could mean for your business.

Background to SCA and PSD2

The new EU Payments Services Directive (PSD2) came into effect in January 2018, bringing in new laws aimed at enhancing consumer rights and reducing online fraud.

A key element of PSD2 is the introduction of additional security authentications for online transactions over €30 (£25), known as Strong Customer Authentication (SCA). It means customers will no longer be able to checkout online using just their credit or debit card details, they will also need to provide an additional form of identification.

What is Strong Customer Authentication?

SCA adds an extra layer of security when customers make a payment online. Until now, shoppers have been able to simply enter their payment details and complete their purchase (although some businesses voluntarily choose to ask for further authentication).

SCA is designed to make paying online more secure and, consequently, reduce payment fraud.

In real terms, however, this means that more than 300 million ordinary European consumers will regularly have to change the way they buy online, introducing an extra layer of friction at the checkout for everyday transactions.

How does SCA work?

SCA is a form of two-factor authentication designed to prove that customers are who they say they are, with specific rules around what constitutes “authentication”.

It requires two forms of validation out of three available categories.

What are the three categories?

  • Something you know (e.g. PIN)
  • Something you have (e.g. Card/phone)
  • Something you are (e.g. fingerprint)

Only when the payer has been able to provide two of these forms of authentication, will they be allowed to complete their payment.

Why is SCA needed?

Payment fraud losses have been steadily increasing for nearly a decade with little sign of easing. Fraud losses on UK-issued cards totalled £671.4m in 2018, a 19 per cent increase from £565.4m in 2017, according to UK Finance. UK card fraud now accounts for half of all losses across Europe, driven by data breaches and online scams, according to predictive analytics firm FICO. In 2018 €1.6bn worth of card fraud was recorded across 19 EU countries, including Ukraine, Russia and Turkey.

When does SCA come into force?

The deadline for SCA compliance has been delayed twice, with an agreed phased roll-out plan to move the UK to full compliance by 14 March 2021. The deadline for businesses to enact Strong Customer Authentication (SCA) was originally the 14 September 2019. However, on 13 August 2019, the Financial Conduct Authority (FCA) stated enforcement would include a phased 18-month implementation. This was again pushed back to 14 March 2022 so that businesses had more time to prepare.

How will SCA affect my customer payment journey?

In short, it’s going to be a bit more complicated.

Until now, authentication was only required on an exceptional basis where the risk of the transaction was regarded as “high”. You would find yourself being transferred to a 3D Secure gateway, for example, and asked to plug in additional information. This is commonly known as a “step up”. After 14 March 2022, additional authentication will be the new default. All qualifying transactions will be required to be “stepped up” unless an exemption applies. As the UK moves towards full compliance by March 2022, it is anticipated that 95 per cent plus of transactions will require a step-up.

Exceptions to SCA requirements

In a “card present” scenario, the convenience of contactless at point-of-sale would remain for low-value transactions (less than €50 and the UK limit is £30). Chip and PIN will also remain as the common practice in the European Economic Area when customers are present for values above €30.

Strong Customer Authentication exemptions

Strong Customer Authentication exemptions for retailers
ExemptionRegulationThresholdDescription
Contactless payments at POSArticle 1150Cumulative amount less than €150 or five consecutive payments
Trusted beneficiaries or recurring paymentsArticle 13NoneSeries of payment transactions with same amount and same payee. Recipient on 'white list'. Not for first payment
Low-value transactions Article 1530Cumulative amount less than €150 or five consecutive payments
Transaction Risk Analysis (TRA)Article 16VariousExemption Threshold Value (ETV) based on payment service provider's fraud rate for remote card-based payments and credit transfers. Maximum ETV is €500
Secure corporateArticle 17Payment Service Providers need to provide FCA with risk assessment and migitation measures for the corporate payment services to be exempted

What happens if I ignore SCA?

The Financial Conduct Authority has said it will not prosecute companies for not already meeting Strong Customer Authentication requirements following the decision to extend the original September 2019 implementation deadline.

However, any firm which fails to comply with SCA after 14 March 2022, will find itself subjected to full FCA supervision and possible enforcement action as appropriate.

Potential business impact of SCA

Worryingly, 27 per cent of those shoppers who abandoned an online purchase in 2019 did so because they found the e-commerce process too complicated. Nearly 70 per cent of all online purchases ended up being abandoned. And that was before any new tier of Strong Customer Authentication requirements was implemented.

Although there are exemptions for certain types of transactions, retailers should brace themselves for reduced conversion rates for online shopping. European businesses stand to lose an estimated €57bn in year one after SCA implementation.

However, in India, similar legislation saw a sudden drop-off of 25 per cent across e-commerce transactions, which would equate to a potential economic loss of €150bn if it ravaged Europe’s €600bn online economy to the same extent.

Further reading on SCA

Strong Customer Authentication is making online payments more complicated – is your business ready?

Avatar photo

Tim Adler

Tim Adler is group editor of Small Business, Growth Business and Information Age. He is a former commissioning editor at the Daily Telegraph, who has written for the Financial Times, The Times and the...