
Designing payment flows for Strong Customer Authentication (SCA)

Last edited Mar 2022, 2 min read

Payment security is fundamental. Fortunately, the European Union’s new regulatory requirement to reduce fraud and make your online payments more secure – Strong Customer Authentication (SCA) – looks set to vastly improve payment security across the continent.

SCA is currently planned to come into force across the European Economic Area from 14 March 2022.

(Note: The FCA issued a further 6 month extension from the 14 September 2021 deadline to ensure minimal disruption to merchants and consumers, recognising the ongoing challenges facing the industry to be ready.)

To continue to accept payments, you’ll need to add new authentication methods to your business’s checkout flow. How do you do that? Let’s kick off the discussion with our Strong Customer Authentication definition.

Strong Customer Authentication definition

First off, what is Strong Customer Authentication (SCA)? Essentially, Strong Customer Authentication is part of PSD2, the 2nd EU Payment Services Directive. Adding a new layer of security to your online payments, SCA is a form of two-factor authentication that’s designed to ensure that your end customers are who they claim to be. Customers will need to provide two forms of validation. The forms of validation that are acceptable for Strong Customer Authentication in the UK are as follows:

  • Knowledge (i.e., something only the customer knows, like their password or security question)

  • Possession (i.e., something only the customer has, like their mobile phone or smartwatch)

  • Inherence (i.e., something only the customer is, like their fingerprint or voice pattern)

Per Strong Customer Authentication, only customers who can provide two of these three forms of validation will be able to complete their payment. If your business does not offer two-factor authentication within your checkout flow, payments are likely to be declined by your customers’ banks.

Understanding payment flows for Strong Customer Authentication

Traditional checkout flows have two main steps: authorization and capture. Strong Customer Authentication solutions introduce a third step, in between the previous two: authentication. The most common form of authentication is 3D Secure, also known by its card-scheme brand names, such as Visa Secure or Mastercard Identity Check. 3D Secure has now been superseded by 3D Secure 2.

So, what does your business need to do? In most cases, you won’t need to do anything. Responsibility for Strong Customer Authentication generally falls on banks and payment processors, rather than e-commerce businesses themselves. If you handle your customer payments directly on your website, you may need to make some changes to your checkout flow by implementing an authentication step.

What are the exemptions to Strong Customer Authentication in the UK?

It’s also important to remember that there are several exemptions to Strong Customer Authentication. Certain types of transactions, including merchant-initiated transactions, low-risk payments, phone sales, and subscriptions for a fixed amount, are exempt from SCA. However, you shouldn’t rely on exemptions, because the rules around exemptions will depend on the specific guidelines implemented by your customers’ bank. Instead, design your payment flows so that you can authenticate a customer when necessary.

How do Strong Customer Authentication solutions affect payments?

Although some of the exemptions mentioned above can benefit businesses with recurring revenue, you should bear in mind that for companies that take payments by card, SCA will apply to the initial setup of the Continuous Payment Authority, at the very least. For recurring payments of the same amount, Strong Customer Authentication won’t need to be applied again. However, if the payment amount changes, then SCA will usually need to be applied again.  
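The sketch below is an added example, not GoCardless code or any payment provider's API. It models a checkout that claims the fixed-amount exemption on repeat charges but can still step up to authentication when the bank refuses it, when the amount changes, or at initial setup. All names (`Mandate`, `checkout`, the credential labels) are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed credential names mapped to the three SCA categories.
CATEGORY = {
    "password": "knowledge", "security_question": "knowledge",
    "phone_otp": "possession", "smartwatch": "possession",
    "fingerprint": "inherence", "voice": "inherence",
}

def passes_sca(credentials):
    """Two credentials only count if they fall in two different categories."""
    return len({CATEGORY[c] for c in credentials if c in CATEGORY}) >= 2

@dataclass
class Mandate:
    """Hypothetical record of a Continuous Payment Authority on a card."""
    authenticated_amount: Optional[int] = None  # minor units; None until set up

def checkout(mandate, amount, issuer_accepts_exemption, credentials=()):
    """Return the steps taken: authorization, optional authentication, capture."""
    steps = []
    # Only a repeat charge of the already-authenticated amount may claim
    # the fixed-amount exemption.
    claim_exemption = mandate.authenticated_amount == amount
    if claim_exemption:
        steps.append("authorize(exemption=fixed_amount_subscription)")
    if not (claim_exemption and issuer_accepts_exemption):
        # Initial setup, a changed amount, or the bank refused the exemption:
        # the flow has to be able to step up to authentication.
        steps.append("authenticate")
        if not passes_sca(credentials):
            return steps + ["declined"]
        steps.append("authorize(authenticated)")
        mandate.authenticated_amount = amount
    return steps + ["capture"]
```

The third case in practice is the one that breaks flows built around exemptions: the bank answers an exempt request by demanding authentication, and a checkout with no authentication step can only fail.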

When is the Strong Customer Authentication deadline?

If you haven’t managed to implement Strong Customer Authentication just yet, don’t worry too much. The Strong Customer Authentication deadline has been extended again to 14 March 2022 (from 14 September 2021). However, you should act fast to ensure that your business is SCA-ready by the time the deadline passes and the new rules come into force.

We can help

Not only do you benefit from the automation of GoCardless, but since payments via GoCardless are out of the scope of SCA and fully PSD2 compliant, you can also avoid any potential conversion hit that comes with SCA implementation. Discover exactly how SCA may impact your business and how GoCardless  A complete guide to SCA

GoCardless helps you automate payment collection, cutting down on the amount of admin your team needs to deal with when chasing invoices. Find out how GoCardless can help you with ad hoc payments like invoices, one-off payments or recurring payments.

Over 70,000 businesses use GoCardless to get paid on time. Learn more about how you can improve payment processing at your business today.
