Why Is Strong Customer Authentication (SCA) a Must in the European Economic Area (EEA)?
The adoption of digital business and digital technologies has been increasing rapidly over the past few years. Unfortunately, this rapid rollout of digital services has hugely increased enterprises’ exposure to phishing and other attacks, especially in payment transactions. That is why secure user authentication is critical. Strong Customer Authentication (SCA) is a step in that direction in the European Economic Area (EEA).
What is Strong Customer Authentication?
According to UK Finance, Strong Customer Authentication (SCA) is a new set of rules that will change how consumers and business customers confirm their identity when making purchases online to help further protect them from fraud. Following its implementation, consumers shopping or banking online will often need to undertake an extra step to confirm their identity. For example, the card issuer or provider (for example a bank) may use one of a number of ways to verify a purchase or login, such as a passcode via text message, a phone call to the consumer’s landline, the use of a card reader or the use of a smartphone app. Under the new rules, all parties are required to make the necessary changes to enable consumers to authenticate their actions in a manner compliant with the underlying regulation.
Why Was SCA Introduced?
The SCA rule was introduced for digital payments in order to provide further protection to customers.
UK Finance has explained it in its communication:
Under the Payment Service Directive 2 (PSD2), Strong Customer Authentication (SCA) is required where a payment service user (customer) initiates an electronic payment transaction.
However, in the UK the Financial Conduct Authority (FCA) provided a longer lead-time for enforcement, due to the complexity of implementing SCA.
The aim was to ensure all parties moved towards full compliance in an orderly manner thus avoiding negative impacts for both consumers and merchants.
The new enforcement date is 14 March 2021 in the UK and 31 December 2020 across the rest of the EU. As a result, UK card issuers will be required to decline all non-SCA-compliant transactions after 14 March 2021.
All merchants, acquirers, gateways, and issuing banks or payment service providers must be ready to support SCA from this date, to avoid consumers experiencing declined e-commerce transactions. The FCA has confirmed that there will be no further extensions to this deadline. In order to avoid a loss of business, we encourage all parties to read this communication and to take action.
Who does this apply to?
As mentioned earlier, it applies to merchants, acquirers, gateways, and issuing banks or payment service providers. You must update your SCA integration if you fall into the following categories:
- You are operating your business in the European Economic Area (EEA)
- You make transactions/payments concerned with connected accounts based in the EEA
- You are serving your users/customers in the EEA
- You accept payments through credit or debit cards
How to update your integration for SCA
The process of integrating SCA is a bit technical, as it involves payment gateway APIs, integration/implementation, and testing. First, you need to identify your transaction workflow; second, you need to determine whether it is a one-time payment, recurring payments, or payments with separate authorization rules. Your new integration path is built on these factors. It also involves making server-side and client-side changes. Last but not least, you need to test and verify that the updated SCA integration handles 3D Secure correctly.
Strong Customer Authentication (SCA) is critical. If you fail to act in time, it can adversely impact your business, so take the necessary actions as soon as possible.