Strong Customer Authentication (SCA) is a new method of payment security that is being brought in to add extra layers of security to electronic payments and prevent checkout fraud, which was responsible for $20 billion of ecommerce losses according to Juniper Research.
SCA regulations will affect the European Economic Area (EEA) and the UK and will require banks to carry out additional checks when consumers make payments to confirm it is really them.
In order to perform the check, a bank may need to ask consumers for two forms of identification which could include a password or PIN, a one-time passcode (OTP) sent to a device they have with them or another form of ID such as a fingerprint or face scan.
“Fraud is a growing problem, with criminals stealing more than £750 million in the first half of 2021 alone,” UK Finance managing director of payments and innovation Jana Mackintosh said.
“That is why it is more important than ever that additional protections like Strong Customer Authentication are put in place.
“For retailers, implementing SCA will provide customers peace of mind that payment processes are more secure.
“The industry and stakeholders have worked tirelessly to get ready for this change and we encourage any retailers who have not yet implemented SCA to act as soon as possible to ensure the new protections are available to all.”
The deadline for SCA was originally March 2021, but the Financial Conduct Authority (FCA) agreed to a delay to 14 March 2022 due to Covid-19.
The FCA has stated that there will be no further extensions to this deadline.
When will it affect my business?
SCA will come into force in the UK by 14 March 2022 and retailers must adhere to the new regulations or risk customer purchases being declined.
From 18 January card issuers will start declining some non-compliant transactions, with all non-compliant transactions being declined after the 14 March deadline.
Retailers and businesses are advised to ensure they are fully prepared for the changes by 18 January, as the regulations will be stepped up from this date.
How does my business implement the change?
The company that provides your checkout solution or business bank will be able to “switch on” the technology needed to perform the required checks.
If a customer cannot provide two different forms of identification, their payment to you may be considered non-compliant and declined.
Leading payment provider Visa said: “In our view the best technology available for meeting SCA requirements is called ‘EMV 3D Secure’, which could also make it easier for your customers to pay on mobile phones.”
Are there any SCA exemptions?
The most relevant SCA exemptions are for low-risk transactions, which payment providers can determine.
Exemptions may only be possible if the payment provider or bank’s overall fraud rates for cards do not exceed the following thresholds:
- 0.13% to exempt transactions below £83
- 0.06% to exempt transactions below £208
- 0.01% to exempt transactions below £417
Payment provider Stripe said: “In cases, where only the payment provider’s fraud rate is below the threshold, but the cardholder’s bank is above it, we expect the bank to decline the exemption and require authentication.”