Explained: Strong Customer Authentication (SCA)

Strong Customer Authentication is part of the revised Payment Services Directive (PSD2) that came into force in 2018. PSD2 outlines that payments are to be made more secure and that platforms need to be open for integration with third parties. SCA specifically, refers to the way in which payments are made more secure. 

By the end of 2020, online shoppers will be required to verify their identity by sharing two out of three of the following elements:

• Something they know (password, pin, secret fact)
• Something they own (phone, wearable, hardware token)
• Something they are (fingerprint ID, facial ID, voice ID, retina scan)

SCA adds friction 

So what does SCA mean for business? SCA makes payments secure and gives businesses a leg up in the battle to eradicate fraud. However, SCA also adds friction to the shopping experience. For some users, learning new tricks like using biometrics at checkout can prove challenging.

SCA is not always necessary

Luckily, there are various exceptions to the rule. The following are the most common:

• Transactions (partly) outside the EEA
• Low transaction value
• Low transaction risk
• Trusted beneficiaries

The following transactions are excluded from SCA as they fall outside the scope of the regulation:

• MOTO: Transactions completed over the telephone or via mail order.

• MIT: Merchant initiated transactions (MIT) like recurring payments or subscriptions.

Frictionless flow and chargeback liability shift

PSD2 also includes provisions that allow merchants to minimize the blow of SCA to the consumer experience. One such provision is ‘frictionless flow.’ Frictionless flow allows SCA measures to be bypassed. In other words, eligible merchants will be able to offer their consumers a checkout experience without any added friction. Frictionless flow can only be applied to transactions that meet certain criteria; e.g. the size of the purchase in relation to the fraud rate of the merchant (acquirer).