Strong Customer Authentication (SCA) explained
By 14th September 2021, all e-commerce businesses in the UK will need to implement Strong Customer Authentication (SCA). But what exactly is SCA and how will it impact your business?
To help you prepare, we've teamed up with David Weston to answer your key questions about SCA. David has over 25 years of experience in tourism, travel and hospitality. He also sits on the UK Finance hospitality and tourism panel, which was set up to help businesses of all sizes in the sector, from seaside B&Bs to international hotel chains like Marriot and Hilton, get ready for SCA.
What is SCA?
SCA is a European regulatory requirement. It's designed to make online payments more secure and reduce fraud.
The SCA regulation applies to credit transfers and remote electronic payments, e.g. online shopping, that take place in the European Economic Area (EEA), where both payer and payee are in the region. It does not apply to point-of-sale card payments using contactless or chip and pin.
Why is SCA being introduced in Europe?
For nearly a decade, payment fraud losses have been steadily increasing. With little sign of stopping. The European Central Bank estimates there's around €1.3 billion in online fraud on European cards each year. It hopes SCA will increase online payment security and reduce this figure. Especially as European e-commerce is expected to grow to $1 trillion by 2022.
How does SCA work?
For your business to accept online payments that meet the new SCA regulation, your checkout flow needs to have at least two of the following forms of authentication.
- Something your customer knows.
E.g. PIN number or password.
- Something your customer has.
E.g. Mobile phone or card reader.
- Something your customer is.
E.g. Fingerprint or facial recognition.
This is known as two-factor authentication.
What if customers don't have a mobile phone or decent signal?
As mobile phones are one of the devices that can be used as part of the SCA two-part authentication process, there are concerns those living in rural areas, with poor or no signal, could really struggle with online payments.
Fortunately, banks have already started to address the issue. The solutions will depend on who your customers bank with. Card readers appear to be the answer for most banks, although email passcodes and landline passcodes are also being used.
Are there any online payments that don't require SCA?
According to Barclaycard, SCA doesn't apply to online transactions under €50. However, it will be required if your customer makes five low-value payments consecutively or if the total payments exceed €100. There are other SCA exemptions too:
- Recurring payments. Examples include membership fees and subscriptions. The initial payment will require SCA, but subsequent ones don't.
- Whitelisting (or trusted beneficiary). Customers can specify businesses they trust, so only their first transaction with that merchant requires SCA.
- Secured corporate payments. Transactions initiated by a legal person (e.g. a business) rather than a consumer, that are processed through a secured dedicated payment protocol.
- Low risk transactions or Transaction Risk Assessment (TRA). If a transaction is deemed to be low risk, by using a real-time assessment. The merchant is reliant on the payment service provider to act on their behalf for this.
What is PSD2?
PSD2 is often associated with SCA. Here's why. The Payment Services Directive (PSD) was adopted in the EU in 2007 to 'encourage the creation of safer, more innovative payment services'.
Introduced in January 2018, PSD2 built on this legislation in three ways. One of which was enhanced security through SCA. The other two were increased consumer rights, and enabling third-parties to access account information.
What is the deadline for SCA?
Since September 2019, two-factor authentication has been implemented in banks. This was the original deadline for other businesses too. But this got pushed back.
E-commerce businesses were given an extension until 14 March 2021 to comply with SCA. However, this deadline has since been extended by six months. The new SCA deadline is now 14 September 2021.
Why was the SCA deadline extended?
The original deadline extension was granted for a number of reasons. According to UK Finance, these included: "…regulatory uncertainty…, insufficient or delayed availability of technological solutions, and low awareness among merchants."
Of these reasons, low awareness appears to be a huge problem. Research by UK Finance indicates: "…more than 75% of merchants are unaware of SCA requirements and less than 5% of merchants are currently using 3D Secure 2.1 (the technology required for applying SCA)." So, if your business is unaware of SCA, you're far from alone.
David commented: "Larger businesses appear to be more aware of SCA. Unfortunately, at the moment, smaller businesses aren't. UK Finance is working on a communications plan that is due to be rolled out from summer/autumn 2020 to help raise awareness of SCA."
The second deadline extension, until September 2021, was granted by the Financial Conduct Authority (FCA) due to the 'impact of the Covid crisis'.
What happens if I'm not SCA compliant by the deadline?
Any non-compliant transactions, after the 14 September 2021 deadline, will be declined by the cardholder's bank. This could prove extremely costly for your business. Especially if the majority or all of your income comes through online payments.
The FCA have stated that: "After 14 September 2021, any firm that fails to comply with the requirements for SCA will be subject to full FCA supervisory and enforcement action."
However, rather than seeing this as a risk to your business, it could be an opportunity. Being proactive now, and ensuring you're ready for SCA, could help you stay ahead of your less organised competitors.
How much will SCA cost my business?
According to David: "It's hard to say. Businesses use different payment service providers to handle their online transactions. What each provider is doing, or potentially charging, to ensure they are SCA compliant will vary. It's best to contact your individual provider and ask them."
What types of businesses will be affected by SCA?
All businesses that process online payments in the EEA will be impacted by SCA. Although, some will be affected more than others. In particular, those in the retail, travel and hospitality sectors.
David added: "All industries will have to adapt to ensure compliance with SCA. But due to the volume of payments in the retail, travel and hospitality sectors, and the way in which these businesses operate, they will notice it more.
"Small businesses, in all sectors, might also struggle. Mainly due to a lack of awareness, no time to research, and budget constraints."
Where do small businesses go for further help on SCA?
There are several ways in which you can get additional help and advice on SCA. The FCA recommends: "Speak to your trade association and UK Finance to get more information on the agreed plan."
Something David seconds: "Being a member of a trade association, such as the B&B Association, has many benefits. Especially when new regulations are implemented.
"Hopefully your trade association will be aware of SCA and should be able to answer any questions you might have. Alternatively, the UK Finance website is another good source of information."
David also suggested small businesses contact their online payment provider, whether their transactions are direct through their own site or a third party, to ask them what their SCA strategy is.
We're here to support small businesses too
Hopefully this guide has given you a good understanding of SCA, and will help you be ready for the September 2021 deadline.