Key things to know about Strong Customer Authentication (SCA)

Saturday, January 03, 2015

An extra layer of security for online transactions

Taking payments at your business can be a daunting task for small business owners or those just starting out. The global marketplace has made it easier than ever to start a business no matter where you are. But there is a lot you need to know if you’re operating a business in another country, such as an American doing business in Europe.

So, if you do business in the European Union, you’ll need to know the specific payment guidelines in place to ensure you’re following the rules. In this article, we’ll focus on one of these sets of guidelines – Strong Customer Authentication (SCA). We’ll discuss what it is, the history of SCA, how it works, and why it’s important. To start, let’s define SCA.

What are the SCA requirements?

SCA is a set of payments industry regulatory requirements that seek to help secure online and mobile payments and reduce fraud. This set of procedures came out of the Second Payment Services Directive (PSD2). The original directive was put into practice in 2007, but the revised payment services directive built upon this legislation by increasing consumers' rights in payments, bringing regulation of third-party access to data and enhancing security measures. More specifically, enhanced security measures include SCA.

SCA applies to any online transaction in the European Economic Area (EEA), Monaco, or the UK. The EEA consists of European Union countries with the addition of Iceland, Liechtenstein, and Norway. Now that you know more about SCA, let’s talk about how it works.

How does SCA work?

SCA requires two-factor authentication: customers must prove their identity before a transaction is completed. There are three categories of authentication factor, and a user must satisfy two of the three. The categories ask a user for something they know, something they own, and something they are. Let’s explore each of these categories:

  • Something they know – this involves asking the user to input an answer only they would know. Examples of this category include passwords, passcodes, PINs, or a secret fact.
  • Something they own – this includes proving the owner is in possession of an item, including a smartwatch, smartphone, smart card, token, or badge.
  • Something they are – this is the third way to prove the consumer is who they say they are, with a fingerprint, facial recognition, voice patterns, iris scan, or DNA signature.

Before SCA, businesses could authenticate users with nothing more than a static password. This requirement means customers must prove their identity in two independent ways before a payment completes. Now, let’s see when SCA is required.

When is SCA required?

To be SCA compliant, your business will need to follow SCA anytime a customer initiates an online or contactless payment throughout the EEA. Anytime a consumer purchases goods or services online from your business in the EEA, or if the cardholder is located in the EEA, they’ll be prompted to provide the correct authentication.

For credit card payments, the most common method of authentication is through the use of 3D Secure (3DS). The vast majority of credit card companies and acquirers already support 3DS. To apply 3DS, there’s typically one more step after checkout in which the cardholder gets prompted by their bank to give additional information before completing the payment. This could be a one-time verification code or even a biometric scan through the mobile banking app.

Since 2019, online shoppers have been using 3D Secure 2.0. The main difference from the previous version of 3DS is that it streamlines the workflow for a better, more frictionless customer experience. In this version, issuers can perform risk-based authentication in the access control server (ACS) and approve a transaction without any input from the cardholder. That means no more annoying pop-up windows or having to remember all of those passwords.

In the case of contactless payments, many mobile wallets already employ multiple-step authentication practices. In the cases of Apple Pay® and Google Pay™, this multi-factor authentication happens biometrically with either a face scan or fingerprint scan. For contactless payments, this process is much faster and can create a more seamless checkout experience for your customers. In addition, European payment methods such as iDEAL, Bancontact, or Multibanco follow SCA rules without any major changes to their user experience. While you should understand that most of your transactions will be governed by SCA, there are some exceptions.

According to law, the exemptions to SCA verification include:

  • Low-value contactless POS payments, less than 50 euros: Except when the total of three consecutive purchases exceeds 150 euros. Such payments will require new authentication after five payments since the last SCA.
  • Online purchases under 30 euros: Such transactions cannot total more than 100 euros in 24 hours. Like contactless payments, they require new authentication after five payments without SCA.
  • Toll road and car park payments: These charges are SCA-exempt because they happen at unattended terminals and are for a very small amount.
  • Regular subscriptions: Usual payments of the same amount, like with streaming platforms or gym memberships.
  • Commercial whitelists: The user can “whitelist” trusted businesses that won’t require SCA by notifying their bank or payment services providers (PSP).
  • Mail order and telephone order (MOTO) payments: Payments carried out via telephone or email.

For a full list of exemptions, you’ll want to read the regulatory technical standards (RTS), which lay out all of the SCA compliance markers.

Now, you might be wondering about recurring payments. Generally, if a payer initiates a payment, SCA applies. However, if it is a recurring payment of the same amount, SCA only applies to the first payment. But SCA will apply again should the recurring payment amount change.

If the merchant initiates a payment transaction (except for standard direct debits), SCA will be necessary for the first one. However, as long as the merchant initiates the subsequent payments and these payments are within reasonable expectations, additional SCA won’t be necessary. Therefore, if you operate a subscription business, Software as a Service (SaaS), or any other kind of recurring payment or membership business, you’ll need to understand SCA.
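To make the rules above concrete, here is an added example (not code from the original article, Heartland, or any payment scheme) that turns the factor-category rule and the exemption thresholds described on this page into a small decision model. It is a teaching simplification: the channel names, the `Payment`/`PayerHistory` types and the way "since the last SCA" is tracked (a running count and total since the last fully authenticated payment) are assumptions of this example, and the real RTS text is the authority for any production decision.

```python
"""Simplified SCA decision model built from the rules described in the article.

Assumptions (not from the article or the RTS): channel names, the data types,
and the running "since last SCA" counter. All sample payments are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List

# The three factor categories: something you know / own / are.
FACTOR_CATEGORIES = {"knowledge", "possession", "inherence"}


def factors_meet_sca(presented: List[str]) -> bool:
    """SCA needs two factors from two *different* categories.

    Two passwords are still one category, so they do not count.
    """
    categories = {f for f in presented if f in FACTOR_CATEGORIES}
    return len(categories) >= 2


@dataclass
class Payment:
    amount_eur: float
    channel: str            # "contactless", "online", "recurring", "unattended", "moto"
    at: datetime
    merchant: str = ""
    authenticated: bool = False   # True once SCA was actually performed on it


@dataclass
class PayerHistory:
    payments: List[Payment] = field(default_factory=list)
    whitelist: set = field(default_factory=set)   # merchants the payer trusted at their bank

    def since_last_sca(self) -> List[Payment]:
        """Payments made after the most recent fully authenticated one."""
        recent: List[Payment] = []
        for p in reversed(self.payments):
            if p.authenticated:
                break
            recent.append(p)
        return recent


def requires_sca(p: Payment, history: PayerHistory) -> bool:
    """Return True when the payment must be challenged, False when an exemption applies."""
    if p.merchant in history.whitelist:          # commercial whitelist
        return False
    if p.channel in ("unattended", "moto"):      # toll/car park terminals, mail/telephone order
        return False
    if p.channel == "recurring":
        # First payment of a series needs SCA; later ones of the same amount do not;
        # a change of amount makes SCA apply again.
        prior = [q for q in history.payments
                 if q.channel == "recurring" and q.merchant == p.merchant]
        if not prior:
            return True
        return p.amount_eur != prior[-1].amount_eur

    recent = history.since_last_sca()
    if p.channel == "contactless":
        if p.amount_eur >= 50:                   # low-value limit
            return True
        same = [q for q in recent if q.channel == "contactless"]
        if len(same) >= 5:                       # five exempt payments since last SCA
            return True
        return sum(q.amount_eur for q in same) + p.amount_eur > 150   # cumulative limit
    if p.channel == "online":
        if p.amount_eur >= 30:
            return True
        same = [q for q in recent if q.channel == "online"]
        if len(same) >= 5:
            return True
        window = [q for q in same if p.at - q.at <= timedelta(hours=24)]
        return sum(q.amount_eur for q in window) + p.amount_eur > 100
    return True   # unknown channel: default to challenging the payer


def record(history: PayerHistory, p: Payment) -> bool:
    """Decide on a payment, mark it authenticated if challenged, and store it."""
    needed = requires_sca(p, history)
    p.authenticated = needed
    history.payments.append(p)
    return needed


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)        # constructed timestamp
    h = PayerHistory()
    for amount in (20, 60, 10, 10, 10, 10, 10, 10):
        print("contactless", amount, "-> SCA" if record(h, Payment(amount, "contactless", t0)) else "-> exempt")
```

Run as a script it walks a card through a series of contactless taps; the 60 EUR tap and the sixth consecutive low-value tap after it are the ones challenged. The `default to challenging` branch at the end is the safe failure mode: an unrecognised channel never silently earns an exemption.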

As you can see, SCA is a necessary step that builds on the foundation of the EU Payment Services Directive. As ecommerce and mobile contactless payments become more ingrained in the day-to-day life of many Europeans, it’s important to make sure the security protecting these transactions also helps protect consumer data. It’s equally important to ensure that your business delivers a transaction experience that is as frictionless as possible. Therefore, examine your SCA practices to ensure that strong customer authentication is helping – and not hurting – your business.


Ready to work with a payment processor who knows small business?

Heartland is the point of sale, payments and payroll solution of choice for entrepreneurs that need human-centered technology to sell more, keep customers coming back and spend less time in the back office. Nearly 1,000,000 businesses trust us to guide them through market changes and technology challenges, so they can stay competitive and focus on building remarkable businesses instead of managing the daily grind. Learn more at heartland.us.