SCA is a security requirement for payment service providers operating in the European Economic Area, used with debit and credit cards.
In essence, it asks payment gateways to implement multi-factor authentication for added security, and applies both to face-to-face and remote situations, both in card-present transactions and card-not-present transactions.
Strong Customer Authentication is part of the EU’s Revised Directive on Payment Services (PSD2) and came into full effect on September 14, 2019 – with some extensions granted to countries such as France, Italy and Ireland.
How Does Strong Customer Authentication Work?
SCA asks banks and merchants to frequently – but not always – ask for a combination of two forms of cardholder identification at checkout, involving things the user knows, has or is.
SCA is needed in certain online settings and works as such:
A cardholder wants to buy something.
They input their card number, name, CVV number and expiry date.
A new prompt belonging to the bank pops up, asking them for one of the following:
something they know e.g. a previously set PIN
something they have e.g. their phone, which they prove by entering an OTP received via SMS
something they are e.g. a scan of their fingerprint or picture of their face
If the information matches what is on record, the payment is authorized.
In other words, this approach and legal requirement uses additional passwords, PINs, biometrics and one-time codes to prove that someone who is trying to make a card payment is the legitimate cardholder rather than someone involved in credit or debit card carding and related types of fraud.
This means that for the card purchase authorization to be granted, more than just the basic details found on the physical card needs to be provided by the buyer.
Which Merchants and Payments Does SCA Apply To?
Because SCA is part of the EU’s Payment Services Directive 2 (PSD2), it applies to all payments made and/or received within the EEA.
This means businesses, banks and payment gateways in all EU countries, as well as Iceland, Norway and Liechtenstein. Having been implemented in 2019, PSD2 is also part of UK legislation, so it applies to UK-based organizations as well.
Is SCA the Same as 3-D Secure?
Not exactly. 3-D Secure is a security layer protocol, while SCA is one of its main features – as well as a key requirement of the PSD2 compliance. All of these work to make card payments more secure, each in a different way.
Because it requires the customer to give more details about themselves, SCA is closely tied to the concept of KYC, which stands for Know Your Customer.
Being a legal requirement in certain locales, SCA affects KYC processes. Integrating SCA into KYC can help optimize the customer experience and reduce friction.
Why Is Strong Customer Authentication Important?
Strong Customer Authentication directly works to minimize instances of credit card fraud, including criminals using or testing card details acquired by illegal means such as card cloning.
Also, by authenticating the customer as the cardholder, SCA does away with some instances of chargeback fraud. So, fraudsters have significantly fewer opportunities to commit card-related crimes, while banks, merchants and payment processors are better protected – as are consumers.
Because it is an additional step that customers must take, SCA introduces a certain level of friction into the transaction.
Merchants, especially in ecommerce, are mindful of fiction because prospective buyers who are asked to do what they deem as “too much” in order to make their purchase are prone to cart abandonment and are likely to choose a competitor in the future.
Indeed, consumers tend to speak to friends and family more often about their unpleasant shopping experiences than the pleasant ones, at a ratio of 15 to 11, according to American Express data.
Following all legal requirements, including SCA, and implementing efficient fraud prevention tactics needs to be balanced with user-friendliness and a pleasant, frictionless customer experience for merchants – especially so in the online realm.
EUR-Lex: Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366
Template Lab: American Express Study/Customer Service Steps Up
UK Finance: PAYMENT SERVICES DIRECTIVE 2 AND OPEN BANKING