Strong Customer Authentication Regulation

Fighting fraud is a huge challenge for businesses. While there are many ways to do so, authentication is particularly effective. It involves verifying a customer’s identity before accepting an online payment. It can be single-factor (i.e. a password), two-factor (i.e. one-time authentication code and a password), or multi-factor.

The most common authentication of a card payment currently relies on 3D Secure 1, supported by most major card networks and better known by its branded names, “Verified by Visa”, “Mastercard SecureCode”, etc. Applying 3D Secure means you redirect your customers to an external page. They will then be asked to provide additional information to complete their payment. This method drastically reduces the likelihood of fraud. In fact, if a payment is successfully authenticated using 3D Secure, the liability for a dispute due to fraud will shift from your business to the cardholder’s bank.

In order to stop the rise of fraud, the European Union is introducing new regulation that will require European businesses to implement even stricter authentication flows into their payment experience. Known as Strong Customer Authentication (SCA), this regulation is part of a broader European payments law, the second Payment Services Directive (PSD2).

What is Strong Customer Authentication?

Strong Customer Authentication is the new mandatory requirement for online payment authentication. It will be introduced in Europe on September 14th 2019. SCA will require payments to be authenticated using at least two of the following three elements:

  • Something that only the customer knows

A password or a pin for example, or a response to a security question known only by the customer. Card data, such as card number, CVV, or expiration date is not considered valid knowledge by the European Banking Authority or regulators in Germany and France.

  • Something that only the customer has or possesses

For example, a hardware token, mobile phone, or other device that is in the customer’s possession.

  • Something that only the customer is

For example, a biometric such as a fingerprint, facial recognition, or iris scan.

Starting September 14th 2019, unauthenticated payments that require SCA will be declined by the customer’s bank. These payments will then have to be re-submitted to the customer with a request for Strong Customer Authentication. If you would like to know more about the full SCA requirements, you can find them here.

Will all payments require Strong Customer Authentication?

Strong Customer Authentication will apply to customer-initiated online payments within Europe. Most card payments and all credit transfers will require Strong Customer Authentication. Recurring direct debits are considered merchant-initiated and will not require SCA. A card payment will be in scope of the regulation if the cardholder’s bank and the business’s payment provider are both located in the European Economic Area (EEA).

Exemptions to Strong Customer Authentication

Under this new regulation, specific types of payments may be exempted from having to apply SCA. For example:

  • Transactions below 30€

A payment will be considered a “low value transaction” and be exempted if it’s below 30€. However, SCA will be required if the card or payment method has seen more than five exempt transactions or the sum of these exempted transactions exceeds 100€. The card holder’s bank or payment method provider will be responsible for tracking the number of times a payment method has been used and deciding and deciding whether the exemption can still be used.

  • Low-risk transactions

A payment provider will be allowed to do a real-time risk analysis to determine whether to apply SCA to a transaction. This is only possible if the payment provider’s fraud rates do not exceed the following thresholds for card payments:

  • 0.13% for transactions up to 100€
  • 0.06% for transactions up to 250€
  • 0.01% for transactions up to 500€

In analyzing risk, payment providers will have to assess factors including abnormal behavior or spending, previous purchase patterns, and location of customer and business. The European Banking Authority requires the fraud rate to be assessed at the payment provider level, as it cannot be assessed on an individual basis for a specific merchant.

  • Subscriptions

This exemption will apply when the customer makes a series of recurring payments for the same amount to the same business. SCA will be required for the customer’s first payment to the business, but not for subsequent payments. While subscription payments are often periodic and directed to the same business, an increasing number of companies charge variable amounts (also known as metered billing). Unless regulatory authorities agree to categorize those transactions as merchant-initiated transactions, these types of payments will not be covered by the exemption.

  • Whitelisted trusted beneficiaries

Customers may have the option the whitelist businesses they trust. These businesses will be included on a list of ‘trusted beneficiaries” maintained by the customer’s bank. SCA will be required for the customer’s first payment to the business, but not for subsequent payments. SCA will also be required when the customer creates, confirms, or amends the whitelist. There are no limitations in terms of the transaction amount, number of transactions, or period since SCA was last performed, and whitelisting applies to both card payments and credit transfers. While whitelisting has the potential to make repeat purchases or subscriptions more convenient for customers, adoption of this feature across issuing banks has been slow.

  • Secure corporate payments

This exemption covers payments that are made with “lodged” cards (where a corporate card used for managing employee travel expenses is held directly with an online travel agent), and corporate payments made using virtual card numbers (which are also used in the travel sector). Regulation only allows the cardholder’s bank to request this exemption as neither the business nor the payment provider are able to detect whether a card belongs to these categories.