SCA stands for Strong Customer Authentication. It refers to a requirement for payment verification in card-not-present transactions in the European Union and the United Kingdom. SCA is a mandate of the Revised Payment Services Directive, or PSD2 as it is commonly referred to, which creates standards for the payment service industry in the European Economic Area (EEA). PSD2 aims to improve security for online and cross-border payments and to promote innovations in payment technologies.
Credit card fraud is a massive problem for banks, card networks, merchants, payment providers and cardholders alike, and SCA is designed to markedly reduce instances of true fraud in online payments. SCA means that multi-factor authentication must be used to verify that the person making a credit card transaction is the legitimate owner of the card and approves of the transaction.
Under the directive, payments for card-not-present transactions, such as on an ecommerce website, must be authorised by the cardholder using any two of the following:
- Something the cardholder possesses, such as the physical payment card or mobile phone
- Something the cardholder knows, such as a PIN or a password
- Something the cardholder inherently is, such as fingerprints or facial recognition
In a physical store, the cardholder presents the actual card with an embedded chip and enters the PIN for that card into the card payment terminal. The chip and the PIN need to match in order for the transaction to be approved. In online payments the situation is a little different, as there is no card reader to verify whether the card even has a chip. Knowing the card expiry date or the CVV (Card Verification Value) on the back of the card is no longer sufficient for online transactions, as this information is easily brokered by criminal syndicates.
Merchants, therefore, need to add an SCA-enabled checkout process to their online stores. During checkout the cardholder enters their payment information, including the billing address and CVV, and is then required to complete an additional authentication check. This can be done in several ways, such as entering a PIN sent to the user's mobile phone or email address, or using the fingerprint scanner or camera on a mobile phone. Once the cardholder has entered this information, the transaction can be approved.
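The "PIN sent to the user's mobile phone" step above is the part merchants most often get wrong in practice: the one-time code has to be unguessable, short-lived, single-use, capped on attempts, and tied to the exact amount and payee it was issued for, so that a code issued for one purchase cannot be replayed to approve another. The following Python is an added illustration written for this article; it is not code from the page, from any payment provider, or from an SCA specification. The expiry window, attempt cap, the in-memory store and the simulated SMS/email outbox are all assumptions chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example (a real issuer sets its own).
CODE_LENGTH = 6
CODE_TTL_SECONDS = 120      # code is void two minutes after issue
MAX_ATTEMPTS = 3            # wrong guesses allowed before the challenge is voided


@dataclass
class Challenge:
    txn_id: str
    amount_cents: int
    payee: str
    code: str                 # a real system would store only a hash of the code
    expires_at: float
    attempts: int = 0
    used: bool = False


class ScaChallengeService:
    """Issues and verifies one-time codes bound to one specific transaction."""

    def __init__(self, clock=time.time):
        self._clock = clock                        # injectable for testing
        self._challenges: dict[str, Challenge] = {}
        self.outbox: list[tuple[str, str]] = []    # simulated SMS/email delivery

    def issue(self, txn_id, amount_cents, payee, contact):
        # secrets (not random) gives a cryptographically strong code.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._challenges[txn_id] = Challenge(
            txn_id, amount_cents, payee, code, self._clock() + CODE_TTL_SECONDS
        )
        # The message shows the cardholder what they are approving.
        self.outbox.append(
            (contact, f"Code {code} approves EUR {amount_cents / 100:.2f} to {payee}")
        )
        return txn_id

    def verify(self, txn_id, amount_cents, payee, code):
        """Return (approved, reason). Every failure path leaves no reusable state."""
        ch = self._challenges.get(txn_id)
        if ch is None or ch.used:
            return (False, "no active challenge")
        if self._clock() > ch.expires_at:
            self._challenges.pop(txn_id, None)
            return (False, "expired")
        if ch.attempts >= MAX_ATTEMPTS:
            return (False, "too many attempts")
        ch.attempts += 1
        # The code only approves the amount and payee it was issued for.
        if (amount_cents, payee) != (ch.amount_cents, ch.payee):
            return (False, "transaction mismatch")
        # Constant-time comparison avoids leaking how many digits matched.
        if not hmac.compare_digest(code.encode(), ch.code.encode()):
            return (False, "wrong code")
        ch.used = True                              # single use
        return (True, "approved")


if __name__ == "__main__":
    svc = ScaChallengeService()
    svc.issue("order-1", 4999, "Example Shop", "+00 000 000")
    print(svc.outbox[-1][1])
```

The checkout page should call `verify` with the amount and payee taken from the server-side order record, never from values resubmitted by the browser; otherwise the "transaction mismatch" check protects nothing.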
There are exemptions from the SCA requirement under certain conditions, depending on various factors and providers. Some examples are:
- Mail and phone orders
- Transactions under €30, although a limit applies to such transactions before authentication is required again
- Recurring subscription billing
- Some corporate and virtual cards
It also may be possible for some cardholders to whitelist certain merchants with their issuing bank, so that purchases from that merchant will not need the additional layer of security. It depends on what services are available from various providers.
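Because the exemptions above interact (a low-value purchase at a whitelisted merchant, a corporate card used for a subscription), it helps to see the decision written down as one ordered rule set together with the two-factor check from earlier in the article. The Python below is an added example for this page, not code from the page or from any card scheme or issuer. The €30 figure comes from the article; the cumulative count and value caps on the low-value exemption, the factor-name table, and the treatment of every corporate or virtual card as exempt are assumptions for illustration, since in practice the issuing bank decides which exemptions apply.

```python
from dataclasses import dataclass, field

LOW_VALUE_LIMIT_EUR = 30.00          # per-transaction threshold named in the article
# Assumed caps since the last successful SCA (issuers choose their own values).
LOW_VALUE_MAX_COUNT = 5
LOW_VALUE_MAX_CUMULATIVE_EUR = 100.00

# Assumed mapping from the factor a checkout collects to its SCA category.
FACTOR_CATEGORY = {
    "card_in_wallet": "possession",
    "phone_otp": "possession",       # proves the cardholder holds the phone
    "password": "knowledge",
    "pin": "knowledge",
    "fingerprint": "inherence",
    "face": "inherence",
}


@dataclass
class Transaction:
    amount_eur: float
    channel: str                     # "ecommerce" or "moto" (mail/telephone order)
    recurring: bool = False          # later instalment of an already-authenticated subscription
    card_type: str = "consumer"      # "corporate"/"virtual" assumed exempt here
    merchant_id: str = ""


@dataclass
class CardholderState:
    trusted_merchants: frozenset = field(default_factory=frozenset)
    low_value_count: int = 0         # exempt transactions since the last SCA
    low_value_total_eur: float = 0.0


def sca_required(txn, state):
    """Return (required, reason), applying the article's exemptions in order."""
    if txn.channel == "moto":
        return False, "mail/phone order out of scope"
    if txn.recurring:
        return False, "recurring billing"
    if txn.card_type in ("corporate", "virtual"):
        return False, "corporate/virtual card exemption"
    if txn.merchant_id in state.trusted_merchants:
        return False, "merchant whitelisted by cardholder"
    if (txn.amount_eur <= LOW_VALUE_LIMIT_EUR
            and state.low_value_count < LOW_VALUE_MAX_COUNT
            and state.low_value_total_eur + txn.amount_eur <= LOW_VALUE_MAX_CUMULATIVE_EUR):
        return False, "low-value exemption"
    return True, "strong customer authentication required"


def has_two_independent_factors(presented):
    """Two factors must come from different categories: password + PIN is not SCA."""
    categories = {FACTOR_CATEGORY[f] for f in presented if f in FACTOR_CATEGORY}
    return len(categories) >= 2


def authorise(txn, state, presented_factors=()):
    """Decide the transaction and update the cardholder's low-value counters."""
    required, reason = sca_required(txn, state)
    if not required:
        # Only the low-value exemption consumes the cumulative allowance.
        if reason == "low-value exemption":
            state.low_value_count += 1
            state.low_value_total_eur += txn.amount_eur
        return True, reason
    if not has_two_independent_factors(presented_factors):
        return False, "insufficient factors: " + reason
    # A successful SCA resets the allowance for subsequent low-value purchases.
    state.low_value_count = 0
    state.low_value_total_eur = 0.0
    return True, "approved after SCA"


if __name__ == "__main__":
    state = CardholderState()
    for _ in range(5):
        print(authorise(Transaction(25.0, "ecommerce"), state, ["password", "phone_otp"]))
```

Note that the counters live with the cardholder, not the merchant: a shopper who has already used their low-value allowance elsewhere will be challenged on a €25 purchase at your store, which is why a checkout must be able to handle a challenge on any transaction rather than assuming small orders never need one.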
Obviously, SCA adds an additional layer of friction to the checkout experience. Additional friction is known to cause customers to get frustrated, abandon their online shopping carts and give up on the whole purchase. This is especially true if the merchant has not put some effort into the checkout experience to make it easy for the customer to complete an SCA process. For example, many internet users disable pop-ups in their browsers. If the field to enter a PIN to complete a purchase is contained within a pop-up rather than within the page, the user may never see it, get frustrated and leave the website without completing their purchase. A great checkout experience is one where customers have clear directions and a natural flow from one step to the next. Customers who are frustrated by a checkout process are unlikely to return.
If you are a merchant in the EU or UK you have no choice but to implement SCA for online payments. It’s simply the law, and compliance has been required since March 2022. PSD2 applies if the payer and the payee are both in the EU, UK, or EEA. A merchant in the USA selling to a customer in the EU need not at this time apply SCA to transactions. However, with the staggering losses worldwide each year due to credit card fraud, it is likely that other countries and regions will be looking at the impact of SCA on the European market. We can expect similar directives to become commonplace in more parts of the world over the coming decade.
Merchants must remember that while the implementation of SCA will reduce the amount of true fraud and the associated chargebacks, other types of fraud such as friendly fraud will continue to happen. While it will be very difficult for a friendly fraudster to claim that they never made the purchase, they can still claim, for example, that the product was never delivered, was broken, or was not as advertised. This type of fraud happens after the transaction; SCA happens prior to the transaction. Therefore it is still vital for merchants to take steps to mitigate friendly fraud chargebacks.
At Baers’s Crest we understand the legal and technical requirements of directives such as PSD2. Talk to us about secure and compliant payment services in your area.