What is Strong Customer Authentication? (in 2 mins)
What is Strong Customer Authentication (SCA) and what does it mean for merchants in the UK and Europe?
If you haven’t heard of it yet, you wouldn’t be in the minority - Mastercard’s survey of European merchants in late 2018 found that 75% were unaware of what SCA is and what it means for them. As it stands, however, SCA will be coming into effect in September 2019 and it poses significant changes to the security requirements of online purchases.
(Note: The FCA released a statement on 28 June 2019 recognising concerns around the industry's preparedness and ability to comply with the requirements for SCA by 14 September 2019.)
In the video below, GoCardless’ Product Marketing Manager Timmy Neilsen provides a 2-minute overview of what SCA is and how it’s affecting merchants within the UK and Europe.
What is Strong Customer Authentication, really?
In short, SCA is part of Europe-wide legislation, PSD2.
In practice, SCA means two-factor authentication will now be required for online purchases. That means when your customer purchases something from your business over the internet, they need to offer two further pieces of identifying information on top of their payment details. This info can take any of the following forms:
- Something only your customer knows, such as a password
- Something only your customer possesses, such as their mobile phone (which can receive a single-use code)
- Something only your customer is, which could be something like a fingerprint
Where does Strong Customer Authentication apply?
SCA will impact any applicable transaction where both the business’ payment service provider and the end-customer’s bank are located within the European Economic Area (EEA).
If one of these is outside Europe, the requirement is for the payment service provider in Europe to use ‘best efforts’ to apply SCA.
How does Strong Customer Authentication affect me?
SCA will be applied by the customer’s bank but is likely to be facilitated by a card processor. However, it’s necessary that you as a merchant have a payment flow which allows for this.
Your payment service provider will likely be on top of this, but it’s worth reading any materials they’ve published on the topic to understand their approach and how it affects you.
Will Strong Customer Authentication lower my conversion rates?
This is a concern for many businesses. And it is certainly possible that SCA may complicate the checkout experience in your customers’ eyes, leading to a conversion drop-off.
However, SCA has a number of exemptions built in where two-factor authentication may not be required, for example:
- Payments assessed as being low risk, according to a set of defined criteria
- Payments below €30
- Subscriptions of a fixed amount