Be Strong Customer Authentication (SCA) ready – act now

4-minute read

Strong Customer Authentication (SCA) has the potential to disrupt the consumer shopping journey. That means companies that take payments online need to make changes. Barclaycard Business’ Senior Strategy Manager, Jasmine Wu, tells us more about what SCA is and what you need to do next.

Strong Customer Authentication, SCA Deadline

As digital technology has transformed the way we shop and do business, the regulators across Europe and the UK have sought to bring in legislation that adapts to modern payment processes.

Cybercrime and eCommerce fraud have soared, and so the European Union’s revised Payment Services Directive (PSD2) was introduced, to protect individuals and businesses when they pay online. Strong Customer Authentication (SCA) was a part of this, specifically designed to make online payments more secure.

Originally due to come into force in September 2019, the SCA deadline was extended due to a lack of readiness across Europe. Covid-19 led the Financial Conduct Authority (FCA) to further extend the deadline for the UK, to March 2022.

There are now only a few months to go before checks begin for UK transactions, so businesses must urgently build, test and deploy a compliant solution. What’s more, for firms that trade with Europe, SCA came into force on 31 December 2020 for the rest of the European Economic Area (EEA).

What is SCA?

SCA requires businesses to use two independent authentication elements to verify online payments. These include something the customer knows (such as a password, PIN, or secret fact), something they have (such as a mobile, wearable device, smart card, or token) and something the customer is (such as a fingerprint, facial features, voice pattern, or iris scan).

The timeline so far

From February 2021 – UK issuers began randomly checking for correct flagging of transactions, such as Mail Order and Telephone Order (MOTO), exemptions and Merchant Initiated Transactions (MIT).

From 1 June 2021 – issuers increased the frequency of requesting SCA on non-compliant transactions, as we drew closer to the UK deadline.

This means that merchants were advised to be technically and operationally ready by 31 May 2021, or risk being soft declined i.e., the issuing bank requesting SCA on online transactions. If merchants are not ready with 3D Secure (3DS), this soft decline would end as a hard decline, which is when the issuing bank rejects the transaction. Either scenario could lead to customer frustration and loss of sales.

Merchants need to have 3D Secure (3DS) in place to continue taking online payments effectively

Having SCA exemptions in place is also highly recommended as they can reduce friction in a compliant manner. These exemptions are defined based on the level of risk, amount, recurrence, and the payment channel used for the execution of the payment. However, as exemptions bring fraud liability to the merchants, it is vital that they are used with adequate safeguards alongside a strong fraud management tool, to minimise the chance of losses due to fraud.

Strong Customer Authentication, SCA Deadline

What should companies be doing now?

If you’re an online merchant, accelerate your implementation and activate 3D Secure (3DS) version 2 as soon as possible. Although 3DS version 1 is compliant, it is scheduled to be discontinued in October 2022. Leading up to that, schemes are incentivising the use of 3DS2 with fee changes or removal of liability1. 3DS2 improves upon the many shortcomings of 3DS1 and offers enhanced security and the diversity of user journeys, one that better reflects the realities of today’s online and mobile world.

3DS2 is essential for trading in the post-PSD2 world and it can take time to put in place, depending on your business’ complexity. My advice is to accelerate the implementation now and activate it as soon as possible. Don’t underestimate the time needed for building, testing and fine-tuning, or it could have the potential to negatively impact on customer experience and return high decline rates if you delay. So, act now.

Four steps to SCA success

  1. Implement and begin to use 3DS – ideally 3DS2
    • Work with your payment gateway provider or specialist to revise new data you may need to collect and test the non-mandatory data in 3DS2.
    • Test your 3DS2 solution in production.
  2. If applicable, flag ‘out of scope’ transactions correctly to avoid preventable declines, particularly for Merchant Initiated Transaction (MIT) and Mail Order Telephone Orders (MOTO).

  3. Ensure your gateway can re-route transactions back to 3DS after a soft decline, to prevent a hard decline.

  4. Find out more about our solution (Barclaycard Transact) and balancing fraud prevention and the customer journey.

SCA (as part of PSD2) doesn’t mean online businesses need to sacrifice frictionless customer journeys for the sake of fraud prevention. With optimisation in mind, we developed Barclaycard Transact. It’s a solution that’s underpinned by state-of-the-art fraud tools and uses real-time analytics to deliver instant and optimised decisions on transactions, including use of acquirer TRA exemption. It means that customers can still enjoy a smooth checkout journey if their transactions are identified as low risk, while only risky transactions are authenticated, and rightly so.

[1] Mastercard scheme fees increased for 3DS version 1. Visa will begin to allow Issuers to gradually stop supporting version 1 from October 2021, hence fraud liability would be moved to merchants using version 1.

Need help with Strong Customer Authentication (SCA)?

Need help with Strong Customer Authentication (SCA)?

Find out more about the UK Ramp Up roadmap (PDF) as published by UK Finance and Barclaycard Transact.

Or request a call back from one of our payments specialists so we can help you protect your business from fraud, keep your customer details safe, and offer online shoppers an easy checkout experience.