What is Strong Customer Authentication (SCA)?

Seb

· 22nd November 2021·WooCommerce, Online payments

Estimated read time 10 minutes

Excerpt

Strong Customer Authentication helps to prevent credit card fraud. Learn everything you need to know in this article.

What is Strong Customer Authentication (SCA)?

There’s been plenty of progress made in the area of customer fraud in recent years. Some of this progress has come from technology companies, some of it has come through legislation. In the latter category, we have Strong Customer Authentication, which is commonly abbreviated as SCA. The goal of SCA is to reduce fraud and to make payments, both offline and online, more secure.

In this blog, we’ll look at the ins and outs of SCA, including what it is, the benefits that it brings, which merchants it applies to, and more.

What Is Strong Customer Authentication?

SCA essentially works to reduce fraudulent payments by requiring additional checks when someone pays with a credit card. There are three ways to do this; to meet the requirements set out by SCA, merchants must use at least two of them.

When making an online or contactless payment (above a certain value), the merchant must ask for additional proof of identity by asking for:

  • Something that the customer knows (such as a pin code)
  • Something that the customer has (a mobile phone; a security code sent via SMS)
  • Something that the customer is (a fingerprint).

Banks will soon have to deny transactions from merchants that don’t meet these criteria.

The Background

SCA is a European Union initiative. The goal was to make it more difficult for fraudulent purchases to occur and all-around bolster customer faith in eCommerce. The legislation was originally supposed to come into effect in September 2019, but given the challenges that credit card companies had to overcome to get ready for the new rules, a transition period was introduced. There was a lot of confusion surrounding to whom the new rules would apply and who would be responsible for implementing them. But the broad goal always remained the same -- the legislation would make payments more secure.

The Benefits of SCA

There are plenty of benefits to SCA. While from a vendor point of view, it might seem that the only benefits are for customers, this isn’t the case. For one, it reduces instances of fraud, which means fewer chargebacks. Second, it helps to bolster customer faith in your business. While you might lose out on some payments because of the extra requirements, it’s unlikely to be many -- and many that you do lose out on will have been fraudulent in the first place. SCA also places the burden of responsibility on the credit card companies rather than the merchant.

When Is It Necessary?

Not all payments are subject to the requirements of SCA. However, a significant number are. It all depends on who initiated the payment. SCA applies to customer-initiated payments. So if a customer has to get their wallet out to make a payment to you, then that payment will be subject to SCA. If a merchant is taking a payment via direct debit, then they won’t apply.

Do You Need SCA?

It’s important to remember that SCA is a European Union initiative. If you’re working outside of the European Union, then the rules won’t apply (for now). So if you’re based within the European Economic Area, serve customers in the EEA, and accept debit or credit payments, then you’ll need to be ready for SCA.

How Are Card Payments Authenticated?

There are various changes that’ll become mandatory with the implementation of SCA. In general terms, it’ll affect your checkout workflow.

In the first instance, the customer will do what they’ve always done -- enter their credit card details and their contact information. From there, the payment processor will detect whether it’s necessary to perform additional checks. If they are, then the customer will be prompted to provide more information. What information that is will depend on the bank -- it could be a one-time passcode, BioMetric Id, or something else.

After the customer has provided those details, the payment will be complete. How this process works in practice will depend on the bank, card network, and more -- but broadly speaking, the process will look something like the above.

Are Any Payments Exempt From SCA?

SCA doesn’t apply to all payments. Ones that are considered to be “low risk” are exempt. However, the payment provider must make a request to the bank that the payment doesn’t require additional checks. Once the bank receives this, they’ll assess the risk, and if it’s low, then the payment will go through. All of this is automatic and thus fast. In order for the exempt request to be approved, the payment provider must have a low overall fraud rate:

  • 0.13% for transactions under €100
  • 0.06% for transactions under €250
  • 0.01% for transactions under €500.

SCA applies to offline payments too. In instances where the value is under €30, no extra authentication is required. Recurring billing (such as subscriptions) are also exempt.

SCA And WooCommerce

If you have a WooCommerce account, you can get ready for SCA by looking to see the readiness of your payment gateways. Most of the popular payment gateways (including the stripe payment gateway will be ready for SCA, but it’s always a good idea to check the status to ensure that you’re ready. You may need to configure whichever plugin you use to bring it up to speed, but that should be easy.

Conclusion

SCA has been a long time coming, but now we’re beginning to feel its effects. Though it’s mildly inconvenient for merchants, ultimately SCA helps to bolster customer faith in eCommerce and helps to reduce instances of fraud, which can be detrimental for everyone involved. Cyber crime has been an ongoing -- and steadily increasing -- issue for some years now, and this is just one of several efforts to combat the issue.

If you’re a merchant that needs help getting their WordPress website ready for SCA, then be sure to get in touch with us here at Fixed. We’re considered industry leaders in fixing WordPress related issues, and have bags of experience that can help to get your website up and running. Get in touch to learn how we can help you.

Seb
Seb de Lemos