The Second Payment Services Directive, also known as PSD2, has been in force for a few years and regulates payment services throughout the European Union (EU) and European Economic Area (EEA). Among the Directive's main objectives are a safer and more innovative framework for payment services and a higher level of consumer protection.

One of the key provisions introduced by PSD2 was a set of security requirements for electronic payment processing, which includes the so-called “strong customer authentication” (SCA). SCA rules have a significant impact on the lives of online businesses and consumers.

What is Strong Customer Authentication (SCA)?

SCA is a requirement outlined in the PSD2 to make electronic payments safer. It's a process designed to authenticate the user's identity as part of the payment transaction to purchase goods or services.

In other words, SCA requires that customers prove their identity before proceeding with online payment. SCA rules were implemented to mitigate the risk of fraud and protect customers' funds and personal data.

Who falls under SCA rules?

SCA rules affect the EEA and the United Kingdom (UK), so their scope is limited to online EEA and UK payments. SCA rules were officially implemented in the EU in 2020 and in the UK in 2022.

If your online business offers services or products to the EEA or UK regions and both your company and the cardholder's bank are within the EEA or UK regions, then it is likely that you are subject to SCA rules. Note, though, that there are some exceptions; more information on these cases is given below.

What is the SCA process, and what do online merchants need to do to comply with it?

Before processing electronic payments, e-commerce businesses (and payment service providers) must verify that a potential or existing customer is who they claim to be.

Before SCA, payments were authenticated using just one identification component, such as a password. Now, businesses must use two of the following components for authentication:

  • Knowledge (something only the customer knows) – a password, PIN, or a secret fact/answer.
  • Possession (something only the customer has) – a mobile phone, card reader, smart watch, smart card, or other device, typically evidenced by a one-time passcode.
  • Inherence (something inherent to the customer) – fingerprints, facial recognition, voice patterns, DNA signatures, or iris patterns.

If your customers cannot provide at least two of the above elements, each from a different category, their payment will probably be declined by the card issuer or bank and the transaction will not be completed.

Note that the relevant financial institution (e.g., your customer's bank) carries out the SCA authentication itself, but your e-commerce business must be equipped to operate in an SCA environment. Several payment technologies can be added to your payment gateways to ensure compliance with SCA. One popular solution is 3D Secure 2.0 online authentication, introduced by EMVCo, which is overseen by six major card schemes (American Express, Discover, JCB, Mastercard, UnionPay and VISA).

Always connect with payments technology teams to develop an effective payment solution strategy for your business and ensure SCA compliance. Likewise, inform your customers about relevant changes and walk them through the information they must provide (don't ask for more information than is necessary) to ensure they are fully informed about the steps.

What transactions are affected and what exceptions apply?

SCA applies to “customer-initiated” online and contactless offline payments, so most card payments and all bank transfers require SCA.

Specific types of low-risk payments may be exempted. Exemptions include (but are not limited to) recurring direct debits, mail order/telephone order transactions, low-value payments (equal to or below €30), and transactions with trusted beneficiaries.
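The following added example (not part of the article) models the two rules just described: the requirement that authentication evidence span at least two distinct factor categories, and the exemption categories listed above. It is a merchant-side illustration of the decision the issuer makes, and the evidence names, transaction field names and the `decide` outcome labels are constructed assumptions.

```python
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # password, PIN, secret answer
    POSSESSION = "possession"  # phone, card reader, smart card (shown via OTP)
    INHERENCE = "inherence"    # fingerprint, face, voice, iris


# Constructed mapping of evidence types to SCA categories (assumption).
EVIDENCE_CATEGORY = {
    "password": Factor.KNOWLEDGE, "pin": Factor.KNOWLEDGE,
    "secret_answer": Factor.KNOWLEDGE,
    "otp_sms": Factor.POSSESSION, "card_reader": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE, "face": Factor.INHERENCE,
    "voice": Factor.INHERENCE, "iris": Factor.INHERENCE,
}

LOW_VALUE_LIMIT_EUR = 30.00  # low-value exemption: equal to or below EUR 30


def satisfies_sca(evidence):
    """True only if the evidence spans at least two *distinct* categories.
    Two knowledge factors (password + PIN) do not count as two elements;
    unknown evidence types contribute no category."""
    categories = {EVIDENCE_CATEGORY[e] for e in evidence if e in EVIDENCE_CATEGORY}
    return len(categories) >= 2


def sca_exemption(txn):
    """Return the name of the exemption the transaction qualifies for, or None.
    txn fields (constructed): amount_eur, channel, recurring_direct_debit,
    trusted_beneficiary."""
    if txn.get("channel") == "moto":
        return "mail_order_telephone_order"
    if txn.get("recurring_direct_debit"):
        return "recurring_direct_debit"
    if txn.get("trusted_beneficiary"):
        return "trusted_beneficiary"
    if txn["amount_eur"] <= LOW_VALUE_LIMIT_EUR:
        return "low_value"
    return None


def decide(txn, evidence):
    """Outcome for one transaction: 'exempt', 'approve' or 'decline'."""
    if sca_exemption(txn):
        return "exempt"
    return "approve" if satisfies_sca(evidence) else "decline"
```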

What if e-commerce businesses don't implement SCA rules?

Recent data from Barclaycard Payments shows that UK retailers have lost out on £130m worth of sales due to not being fully compliant with SCA rules. Let's say a customer wants to buy a product from you, and the bank requests authentication in compliance with SCA. If your payment gateway does not support this, or you do not request such information from the consumer, the transaction will be declined.

A high number of declined transactions may lead to lost revenue, consumer complaints and reputational damage (as well as fines, depending on the situation). So, online businesses must adhere to SCA rules, or they risk customer purchases being declined.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.