What is SCA and how will it affect my business?
If you sell through the internet, your small business must introduce Strong Customer Authentication requirements by 14 March 2021. What is SCA and how will it affect your small business?
Background to SCA and PSD2
The new EU Payments Services Directive (PSD2) came into effect in January 2018, bringing in new laws aimed at enhancing consumer rights and reducing online fraud.
A key element of PSD2 is the introduction of additional security authentications for online transactions over €30, known as Strong Customer Authentication (SCA). It means customers will no longer be able to checkout online using just their credit or debit card details, they will also need to provide an additional form of identification.
What is Strong Customer Authentication?
SCA adds an extra layer of security when customers make a payment online. Until now, shoppers have been able to simply enter their payment details and complete their purchase (although some businesses voluntarily choose to ask for further authentication).
SCA is designed to make paying online more secure and, consequently, reduce payment fraud.
In real terms, however, this means that more than 300 million ordinary European consumers will regularly have to change the way they buy online, introducing an extra layer of friction at the checkout for everyday transactions.
How does SCA work?
SCA is a form of two-factor authentication designed to prove that customers are who they say they are, with specific rules around what constitutes “authentication”.
It requires two forms of validation out of three available categories.
What are the three categories?
- Something you know (e.g. PIN)
- Something you have (e.g. Card/phone)
- Something you are (e.g. fingerprint)
Only when the payer has been able to provide two of these forms of authentication, will they be allowed to complete their payment.
Why is SCA needed?
Payment fraud losses have been steadily increasing for nearly a decade with little sign of easing. Fraud losses on UK-issued cards totalled £671.4m in 2018, a 19 per cent increase from £565.4m in 2017, according to UK Finance. UK card fraud now accounts for half of all losses across Europe, driven by data breaches and online scams, according to predictive analytics firm FICO. In 2018 €1.6bn worth of card fraud was recorded across 19 EU countries, including Ukraine, Russia and Turkey.
When does SCA come into force?
The deadline for SCA compliance has been delayed by 18 months with an agreed phased roll-out plan to move the UK to full compliance by 14 March 2021. The deadline for businesses to enact Strong Customer Authentication (SCA) was originally the 14 September 2019. However, on 13 August 2019, the Financial Conduct Authority (FCA) stated enforcement would include a phased 18-month implementation.
How will SCA affect my customer payment journey?
In short, it’s going to be a bit more complicated. Until now, authentication was only required on an exceptional basis where the risk of the transaction was regarded as “high”. You would find yourself being transferred to a 3D secure gateway, for example, and asked to plug in additional information. This is commonly known as a “step up”. After 14 March 2021, additional authentication will be the new default. All qualifying transactions will be required to be “stepped up” unless an exemption applies. As the UK moves towards full compliance by March 2021, it is anticipated that 95 per cent plus of transactions will require a step-up.
Exceptions to SCA requirements
In a “card present” scenario, the convenience of contactless at point-of-sale would remain for low-value transactions (less than €50 and the UK limit is £30). Chip and PIN will also remain as the common practice in the European Economic Area when customers are present for values above €30.
What happens if I ignore SCA?
The Financial Conduct Authority has said it will not prosecute companies for not already meeting Strong Customer Authentication requirements following the decision to extend the original September 2019 implementation deadline.
However, any business that fails to comply with SCA after 14 March 2021, will find itself subjected to full FCA supervision and possible enforcement action as appropriate.