Designing payment flows for Strong Customer Authentication (SCA)

Payment security is fundamental. Fortunately, the European Union’s new regulatory requirement to reduce fraud and make your online payments more secure – Strong Customer Authentication (SCA) – looks set to vastly improve payment security across the continent. But to continue to accept payments, you’ll need to add new authentication methods to your business’s checkout flow. How do you do that? Let’s kick off the discussion with our Strong Customer Authentication definition.

Strong Customer Authentication definition

First off, what is Strong Customer Authentication (SCA)? Strong Customer Authentication is a requirement introduced by the EU’s revised Payment Services Directive (PSD2). It adds a new layer of security to your online payments: SCA is a form of two-factor authentication designed to ensure that your end-customers are who they claim to be. Customers will need to provide two forms of validation, drawn from the following categories, which are the ones accepted for Strong Customer Authentication in the UK:

  • Knowledge (i.e., something only the customer knows, like their password or security question)

  • Possession (i.e., something only the customer has, like their mobile phone or smartwatch)

  • Inherence (i.e., something only the customer is, like their fingerprint or voice pattern)

Per Strong Customer Authentication, only customers who can provide two of these three forms of validation will be able to complete their payment. If your business does not offer two-factor authentication within your checkout flow, payments are likely to be declined by your customers’ banks.

Understanding payment flows for Strong Customer Authentication

Traditional checkout flows have two main steps: authorization and capture. Strong Customer Authentication solutions introduce a third step, authentication, in between the previous two. The most common form of authentication is 3D Secure, also referred to by the card schemes’ branded names, e.g., Visa Secure or Mastercard Identity Check. The original 3D Secure has now been superseded by 3D Secure 2.

So, what does your business need to do? In most cases, you won’t need to do anything: responsibility for Strong Customer Authentication generally falls on banks and payment processors, rather than on e-commerce businesses themselves. If you handle your customers’ payments directly on your website, however, you may need to change your checkout flow to add an authentication step.

What are the exemptions to Strong Customer Authentication in the UK?

It’s also important to remember that there are a number of exemptions to Strong Customer Authentication. Certain types of transactions, including merchant-initiated transactions, low-risk payments, phone sales, and subscriptions for a fixed amount, are exempt from SCA. However, you shouldn’t rely on exemptions, because whether an exemption is granted depends on the specific guidelines implemented by your customers’ bank. Instead, design your payment flows so that you can authenticate a customer whenever it is necessary.

How do Strong Customer Authentication solutions affect recurring payments?

Although some of the exemptions mentioned above can benefit businesses with recurring revenue, bear in mind that for companies that take recurring payments by card, SCA will apply at the very least to the initial setup of the Continuous Payment Authority. For subsequent recurring payments of the same amount, Strong Customer Authentication won’t need to be applied again. However, if the payment amount changes, SCA will usually need to be applied again.
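As an added illustration (not GoCardless code, and not a real 3D Secure exchange), the following Python models the three-step flow and the decision rules from the sections above: the issuer, its responses and the exemption flags are constructed stand-ins, and the flow keeps an authentication step available even when an exemption was claimed and the bank refuses it.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

class Exemption(Enum):  # categories named above; the merchant claims one, the bank decides
    NONE = "none"
    MERCHANT_INITIATED = "merchant_initiated"
    LOW_RISK = "low_risk"
    PHONE_SALE = "phone_sale"
    FIXED_SUBSCRIPTION = "fixed_subscription"

@dataclass
class Payment:
    amount: int                           # minor units (pence)
    exemption: Exemption = Exemption.NONE
    first_in_series: bool = False         # initial setup of a Continuous Payment Authority
    mandate_amount: Optional[int] = None  # amount agreed at setup, for later recurring charges

def sca_required(p: Payment) -> bool:
    """Merchant-side decision: run the authentication step before sending the authorization?"""
    if p.first_in_series:
        return True                          # SCA applies to the initial CPA setup at the very least
    if p.mandate_amount is not None:
        return p.amount != p.mandate_amount  # same amount: no SCA; changed amount: SCA again
    return p.exemption is Exemption.NONE

def issuer_authorize(p: Payment, authenticated: bool, honours_exemptions: bool) -> str:
    """Constructed stand-in for the customer's bank (not a real scheme or 3D Secure message)."""
    if authenticated or (p.mandate_amount == p.amount and not p.first_in_series):
        return "approved"
    if p.exemption is not Exemption.NONE and honours_exemptions:
        return "approved"
    return "authentication_required"         # the bank will not accept an unauthenticated payment

def checkout(p: Payment, honours_exemptions: bool = True) -> List[str]:
    """Authorize -> authenticate when the bank asks -> capture; returns the steps taken."""
    steps, authenticated = [], False
    if sca_required(p):
        steps.append("authenticate")         # 3D Secure challenge (assumed to succeed here)
        authenticated = True
    result = issuer_authorize(p, authenticated, honours_exemptions)
    steps.append("authorize:" + result)
    if result == "authentication_required":
        # Exemption refused: the flow must still be able to authenticate, then retry.
        steps.append("authenticate")
        result = issuer_authorize(p, True, honours_exemptions)
        steps.append("authorize:" + result)
    if result == "approved":
        steps.append("capture")
    return steps
```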

When is the Strong Customer Authentication deadline?

If you haven’t managed to implement Strong Customer Authentication just yet, don’t worry too much. The Strong Customer Authentication deadline has been extended to 14 September 2021 (from 14 March 2021). However, you should act fast to ensure that your business is SCA-ready by the time the deadline has passed and the new rules are enforced.

We can help

GoCardless helps you automate payment collection, cutting down on the amount of admin your team needs to deal with when chasing invoices. Find out how GoCardless can help you with ad hoc payments or recurring payments.
