What does SCA mean for recurring payments?
By Brad EwinJul 20194 min read
If you’re a merchant based in the European Economic Area (EEA), you might already be aware of Strong Customer Authentication (SCA). In a nutshell:
SCA is part of European PSD2 regulations, which aim to increase the security of electronic payments and account management, as well as reduce payment fraud
SCA comes into effect on 14 September 2019*
If your business uses a European payment provider to serve customers within the EEA, SCA requires additional proof of identity from your customers when they make certain types of payments
Many businesses are concerned that the extra security measures posed by SCA will increase friction at checkout, leading to a drop-off in conversion. For businesses that take recurring payments, there are broadly three major factors that determine how SCA will affect you. And there are a number of exemptions and out of scope transactions that could help minimise impact on conversion rates.
Ahmed Badr, General Counsel at GoCardless, explores these areas in the videos below, as well as recommending the next steps businesses should take.
How does geography factor into SCA?
While your business and your payment service provider must allow for SCA to be applied, it is your customer’s bank (or card issuer) that will apply the authentication. Looking specifically at payments, and not other areas that SCA is required such as when accessing a payment account, the legislation is not limited in its geographical reach.
In recent guidance, the body responsible for SCA specifications has confirmed that SCA is only strictly required when both a merchant’s payment provider and customer’s bank (or card issuer) are located within the EEA. When only one of those parties is located within the EEA, it must use “best efforts” to apply SCA for payments that require it.
In practice, this means is that if a merchant located outside the EEA is using an EEA-based acquirer, that merchant can still expect the acquirer to support SCA for transactions that take place with EEA-based issuers.
How does payment method factor into SCA?
How you choose to accept payment from your customers impacts how SCA will affect you. SCA primarily targets electronic payments that are initiated by your customer, and that are processed instantly. This means many credit card and debit card payments, as well as bank transfers, will be subject to SCA.
Direct Debits or bank debits, on the other hand, are out of scope of SCA. This includes payments set up and made through GoCardless. The key difference with these payments is that the customer’s payment details are collected without the involvement of the customer’s bank, and this is being done at a different point in time to the payment being processed.
These payments also typically have much lower rates of fraud than card payments or bank transfers.
How does the type of billing factor into SCA?
Broadly speaking, recurring purchases can be billed in one of three ways:
Invoicing - Your customer pays you variable amounts, at regular or variable intervals, with no fixed end date. (E.g. Professional services.)
Subscriptions - Your customer pays you fixed amounts, at fixed intervals, with no fixed end date. (E.g. Gym membership.)
Instalments - Your total product or service cost is broken down into fixed amounts, for your customer to pay at fixed intervals, with a fixed end date. (E.g. Loan repayments.)
Generally speaking, SCA applies to recurring purchases when either the amount or frequency of payments is changing. With invoicing, the amount varies, and thus every payment a customer initiates is subject to SCA. With subscription and instalment payments, only the first payment will be subject to SCA, as the subsequent payments are fixed amounts at a fixed frequency.
Which payments are out of scope of, or exempt from, SCA?
For businesses taking recurring payments, there are a few key exemptions and out of scope areas to be aware of.
Merchant-initiated transactions (MITs)
These are payments from your customer where you as the business initiate the transaction. In these cases, your customer must have given you advance authority to take recurring payments from them for a specified product or service.
Both card payments and Bank Debits like Direct Debit can be MITs. For card payments, SCA will typically also need to be applied when your customer provides you their payment details. However, all following transactions will be out of scope of SCA.
For electronic ‘paperless’ Direct Debits, such as those handled by GoCardless, SCA is not required even during mandate setup - due to the fact that the customer’s bank is not involved at the point of mandate setup. These types of payment also typically present a lower risk of payment fraud.
Learn more about merchant-initiated transactions.
Trusted beneficiaries (“whitelisting”)
As part of SCA, banks and card issuers will allow their customers to create a whitelist of businesses they trust, and for whom they are happy not have SCA applied. If your customer decides to add your business to their list of trusted beneficiaries, SCA will only need to be applied once - at the point of adding you to the whitelist. All of their future payments to you can then be processed without SCA.
Low value transactions
When your customer makes a payment to you that is under €30 (or its equivalent), it may be exempt from SCA.
There are two notable caveats to this. First, every sixth low value transaction your customer makes, SCA will need to be applied. This isn’t just every sixth payment they make to you, it covers all payments they make anywhere.
The second caveat is that if a cumulative payment total of €100 (or its equivalent) is reached before that sixth payment, SCA will need to be applied at that point.
Low risk transactions
If your payment service provider’s overall fraud rates are below certain thresholds, your customer’s bank can choose to not apply SCA under certain transaction values. For values above €500, however, this exemption does not apply.
It’s worth noting that while banks are allowed to support exemptions under SCA, they aren’t obliged to. And even if a customer’s bank does support exemptions and a purchase meets the requirements of an exemption, they are still able to apply SCA if they wish. As such, you cannot rely on exemptions to opt out of preparing your payment flows for SCA ahead of September.
Learn more in our detailed list of all key SCA exemptions.
Take some time to map out your payment flows. Make sure you’re aware of every use case in your business and understand how SCA will apply to each of them.
While it is ultimately your customers’ bank or card issuer that will control SCA, the checkout flow on your website will need to capture the additional proof of identity from your customers. And, your payment service provider will need to be able to facilitate the secure transfer of this data to your customer’s bank or card issuer.
When you’ve mapped out all of your payment flows and understood the use cases where SCA applies, note any necessary changes you’ll need to make ahead of September to be compliant with the regulation. Also make sure you double check with your payment service provider to ensure they will be facilitating your compliance.
Over the coming months, we’ll be publishing more updates about SCA for businesses taking recurring payments. To ensure you don’t miss out, follow us on LinkedIn, Facebook, or Twitter, and keep an eye on our blog, guides, and support centre.
For now, make sure you read our comprehensive guide to Strong Customer Authentication.
*Note: On 13 August 2019 the Financial Conduct Authority (FCA) confirmed that enforcement of SCA in the UK will include a phased 18-month implementation, starting on 14 September 2019 and ending March 2021. On 30 April 2020, an additional 6 months was granted in response to the exceptional COVID-19 circumstances, meaning the current deadline for implementation is 14 September 2021.