What is Strong Customer Authentication (SCA)?

Since when has PSD2 been in effect, and what does SCA mean for your online payments?

PSD2, the second Payment Services Directive, is the European legislation for payment services. It has applied since 13 January 2018; its Strong Customer Authentication (SCA) requirements, set out in the Regulatory Technical Standards (RTS) on SCA, have applied since 14 September 2019. SCA applies to electronic payments, including online card payments, where both the consumer's payment provider (the card issuer) and the merchant's payment provider (the acquirer) are located within the European Economic Area (EEA).

Update: issuers were given extra time to enforce SCA, but since 31 December 2020 it is mandatory. If you are a Buckaroo merchant, the checkout already performs the authentication step for you, so no action is required on your side.

Why is SCA being introduced?

The rule is intended to protect European consumers against online payment fraud. The European e-commerce market was forecast to grow to nearly €900 billion by 2022,[1] and online fraud grows with it: the European Central Bank puts card-not-present fraud (fraud committed with card details online, by phone or by mail, rather than with the physical card) at about €1.3 billion a year.[2] As fraud tactics become more sophisticated, the rules have to keep pace. Strong Customer Authentication makes it harder to pay with stolen card details alone.

The three factors of SCA

SCA requires an extra authentication step during an online credit card payment. Previously a card number, expiry date and CVC were enough, and all of them can be copied from a stolen or leaked card. Now the transaction must be confirmed with at least two authentication factors from two different categories, and the factors must be independent of each other, so that compromising one does not also compromise the other.

Strong Customer Authentication requires at least two of these three factors:
  1. Something you know (knowledge: a password or PIN)
  2. Something you have (possession: a phone or hardware token)
  3. Something you are (inherence: a fingerprint or facial recognition)

A traditional password (something you know) can therefore be replaced by a fingerprint (something you are) checked on the customer's own smartphone (something you have); the phone and the fingerprint are two independent factors. Verification with two such factors is called Two-Factor Authentication (2FA).

Card schemes such as Visa and Mastercard already offered an authentication step for online card payments under 3-D Secure 1.0, branded Verified by Visa and Mastercard SecureCode. During checkout the customer is redirected to a page of the issuing bank where they must enter a password or code. In practice this often led to unnecessary drop-offs.

To meet the SCA requirement, the card schemes are rolling out 3-D Secure 2 (EMV 3-D Secure). It gives the issuer more transaction data for its risk assessment and lets the consumer complete the authentication step with a fingerprint or facial recognition in their banking app, which makes a secure payment easier and faster. Applying SCA is the responsibility of the issuing bank that issued the card. Buckaroo, as a Payment Service Provider, keeps the payment experience as frictionless as possible. That includes flagging transactions that qualify for an exemption, since not every transaction has to be authenticated.

Which transactions are exempt from SCA?

SCA is the default for online transactions, but the regulation defines exemptions. For example, for low-risk or low-value payments the number of times a customer must authenticate can be reduced. Buckaroo adapts its checkout process so that merchants benefit from these exemptions without losing conversion.


The most relevant exemptions include:

  • Low-risk payments (transaction risk analysis)
    The acquirer or the issuer may skip SCA when its own fraud rate is low enough for the amount: up to €100 at a fraud rate of 0.13%, up to €250 at 0.06% and up to €500 at 0.01%.
  • Transactions under €30
    Only while the running total since the last authentication stays at or below €100 and no more than five such payments have been made in a row. Once either limit is crossed, the next payment requires SCA, which resets the counters.
  • Subscriptions or recurring payments
    If the amount and the recipient stay the same, only the first transaction requires SCA.
  • Merchant-initiated transactions
    Such as subscriptions or direct debits charged to a credit card without the cardholder present. The first payment, which sets up the mandate, needs SCA; later payments fall outside it, though the issuing bank makes the final decision.
  • Trusted beneficiaries
    Consumers can add a merchant to a list of trusted beneficiaries during an authenticated payment. This whitelist is held by the consumer's own bank (the issuer), which also decides whether to honour it.
  • Inter-regional (one-leg-out) transactions
    If either the issuer or the acquirer is based outside the EEA, the SCA requirement does not apply. A payment with a US-issued card at a European merchant is an example, although the European side is still expected to apply SCA on a best-effort basis.

What does the payment flow with SCA look like?

When a consumer selects "Pay with credit card", Buckaroo checks whether SCA is required. Whether it applies depends on the card (for example, where the issuer is based) and on any exemptions. Buckaroo can flag an exemption, but it is ultimately up to the issuing bank to accept it, and the issuer can still demand authentication. Schematically, the checkout flow (with or without SCA) looks like this:

[Diagram: Strong Customer Authentication checkout flow, with and without SCA]
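The exemption rules listed above, and the "is SCA required?" check in the flow, as a worked example added for this article (it is not Buckaroo's code): a Python model of the decision an issuer or PSP makes per transaction. The thresholds are those of the RTS on SCA (Commission Delegated Regulation (EU) 2018/389, Art. 13, 14, 16 and 18); the EEA country list, merchant names and amounts are constructed for the example. The low-value counters follow the description above, where both the €100 running total and the five-payment count must stay within limits (the RTS wording lets an issuer choose either counter, so real issuers differ).

```python
"""Added example, not Buckaroo code: a PSD2 SCA exemption decision model.

Thresholds follow the RTS on SCA (Commission Delegated Regulation (EU)
2018/389). The final decision always rests with the issuing bank.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum


class Decision(Enum):
    SCA_REQUIRED = "sca_required"
    OUT_OF_SCOPE_ONE_LEG_OUT = "out_of_scope_one_leg_out"
    OUT_OF_SCOPE_MIT = "out_of_scope_merchant_initiated"
    EXEMPT_TRUSTED_BENEFICIARY = "exempt_trusted_beneficiary"
    EXEMPT_RECURRING = "exempt_recurring"
    EXEMPT_LOW_RISK = "exempt_transaction_risk_analysis"
    EXEMPT_LOW_VALUE = "exempt_low_value"


@dataclass
class Transaction:
    amount: Decimal
    merchant_id: str
    issuer_country: str               # where the card issuer is based
    acquirer_country: str             # where the merchant's acquirer is based
    recurring: bool = False           # fixed-amount series (subscription)
    merchant_initiated: bool = False  # MIT: cardholder not present at checkout


@dataclass
class CardState:
    """What the issuer remembers per card (simplified for the example)."""
    low_value_count: int = 0                 # low-value payments since last SCA
    low_value_total: Decimal = Decimal("0")  # their cumulative amount
    series_amount: dict = field(default_factory=dict)    # merchant -> amount of the SCA'd first payment
    trusted_merchants: set = field(default_factory=set)  # issuer-held whitelist (Art. 13)


EEA = {"NL", "DE", "FR", "BE", "ES", "IT", "AT", "IE", "NO", "IS", "LI"}  # constructed subset
LOW_VALUE_MAX, LOW_VALUE_CUMULATIVE_MAX, LOW_VALUE_MAX_COUNT = Decimal("30"), Decimal("100"), 5  # Art. 16
TRA_THRESHOLDS = (  # Art. 18: (max reference fraud rate of the PSP, max amount it may exempt)
    (Decimal("0.0001"), Decimal("500")),  # fraud rate <= 0.01%
    (Decimal("0.0006"), Decimal("250")),  # fraud rate <= 0.06%
    (Decimal("0.0013"), Decimal("100")),  # fraud rate <= 0.13%
)


def tra_limit(fraud_rate: Decimal) -> Decimal:
    """Highest amount the low-risk (TRA) exemption covers at this fraud rate."""
    for max_rate, limit in TRA_THRESHOLDS:
        if fraud_rate <= max_rate:
            return limit
    return Decimal("0")


def decide(tx: Transaction, state: CardState, acquirer_fraud_rate=Decimal("1")) -> Decision:
    """Pure decision: SCA needed, out of scope, or which exemption may be requested."""
    if tx.issuer_country not in EEA or tx.acquirer_country not in EEA:
        return Decision.OUT_OF_SCOPE_ONE_LEG_OUT      # one leg outside the EEA
    if tx.merchant_initiated:                         # needs a mandate that was set up with SCA
        return (Decision.OUT_OF_SCOPE_MIT if tx.merchant_id in state.series_amount
                else Decision.SCA_REQUIRED)
    if tx.merchant_id in state.trusted_merchants:
        return Decision.EXEMPT_TRUSTED_BENEFICIARY
    if tx.recurring and state.series_amount.get(tx.merchant_id) == tx.amount:
        return Decision.EXEMPT_RECURRING              # same payee, same amount (Art. 14)
    if tx.amount <= tra_limit(acquirer_fraud_rate):
        return Decision.EXEMPT_LOW_RISK
    if (tx.amount <= LOW_VALUE_MAX and state.low_value_count < LOW_VALUE_MAX_COUNT
            and state.low_value_total + tx.amount <= LOW_VALUE_CUMULATIVE_MAX):
        return Decision.EXEMPT_LOW_VALUE
    return Decision.SCA_REQUIRED


def process(tx, state, acquirer_fraud_rate=Decimal("1"), whitelist_after_sca=False) -> Decision:
    """Decide, then update the issuer-side state as if that outcome happened."""
    decision = decide(tx, state, acquirer_fraud_rate)
    if decision is Decision.EXEMPT_LOW_VALUE:
        state.low_value_count += 1
        state.low_value_total += tx.amount
    elif decision is Decision.SCA_REQUIRED:   # the cardholder authenticated
        state.low_value_count, state.low_value_total = 0, Decimal("0")
        state.series_amount[tx.merchant_id] = tx.amount   # mandate / series now on file
        if whitelist_after_sca:               # cardholder chose "trust this merchant"
            state.trusted_merchants.add(tx.merchant_id)
    return decision


def demo() -> list:
    """Constructed sequence for one Dutch card paying Dutch merchants."""
    card, out = CardState(), []

    def pay(amt, merchant, **kw):
        return Transaction(Decimal(amt), merchant, "NL", "NL", **kw)

    for _ in range(6):   # 4 exempt, the 5th would pass EUR 100 so it gets SCA, 6th exempt again
        out.append(process(pay("25", "coffee"), card))
    out.append(process(pay("49", "stream", recurring=True), card))   # first of the series: SCA
    out.append(process(pay("49", "stream", recurring=True), card))   # recurring exemption
    out.append(process(pay("59", "stream", recurring=True), card))   # amount changed: SCA again
    out.append(process(pay("400", "tv-shop"), card, Decimal("0.0001")))        # TRA at 0.01%
    out.append(process(pay("400", "tv-shop"), card, Decimal("0.0006"), True))  # SCA, then whitelisted
    out.append(process(pay("300", "tv-shop"), card))                           # trusted beneficiary
    out.append(process(pay("12", "stream", merchant_initiated=True), card))    # MIT on existing mandate
    out.append(process(Transaction(Decimal("10"), "coffee", "US", "NL"), card))  # one-leg-out
    return out


if __name__ == "__main__":
    for d in demo():
        print(d.value)
```

The order of the checks is a design choice, not a rule: scope checks (one-leg-out, MIT) come first because they decide whether SCA applies at all, and the exemptions are then tried from the cheapest for the merchant to the most restrictive. Note what resets the low-value counters: only a completed SCA, never an exemption, which is why the sixth €25 payment in the demo is exempt again while the fifth was not.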

What do I need to do as a webshop or online seller regarding SCA?

Online retailers using Buckaroo do not need to take any action themselves. Buckaroo implements all changes needed to comply with the directive in the checkout process, and wherever possible applies the exemptions to Strong Customer Authentication so that the checkout stays as seamless as it is today.

[1] https://451research.com/451-research-s-global-unified-commerce-forecast-uncovers-dramatic-shifts-in-consumer-spending-patterns
[2] https://www.ecb.europa.eu/pub/cardfraud/html/ecb.cardfraudreport201809.en.html

*Note: This blog post is based on the official PSD2 directive.