Strong Customer Authentication (SCA) for Dummies

If you are based in the EEA (European Economic Area) or have customers who buy your products or services from Europe, you may have heard about Strong Customer Authentication and how it can affect your business. Much like GDPR last year, PSD2 (the EU's second Payment Services Directive) affects not only businesses based in Europe but every online business that sells to European customers. In this article we look at what SCA is and how it can impact your business from September 14th 2019 onwards.

What is Strong Customer Authentication (SCA) under PSD2?

Strong Customer Authentication is a new regulatory requirement for electronic payments in the EEA. It is triggered when both the cardholder's bank (the issuer) and the bank behind your payment processor (the acquirer) are in the EEA. Because most payment processors serve European merchants through a European entity, you will be affected even if you use an American processor such as Stripe or PayPal.

When Strong Customer Authentication is triggered, the cardholder's bank must authenticate the customer with at least two of the following three independent factors; your payment processor's job is to give the bank the chance to do so:

  • Something the customer knows (e.g. a bank login password, a card PIN)
  • Something the customer has (e.g. the physical card, a registered phone, an RSA token, a matrix card)
  • Something the customer is (e.g. the customer's fingerprint or facial features)

Wallets like Apple Pay and Google Pay already combine a possession factor (the enrolled device) with a biometric or passcode (Touch ID, Face ID). For this reason they satisfy SCA out of the box. The problem arises with plain old card payments.

What’s wrong with credit card payments as we know it?

As stated above, under SCA the customer must be verified by at least two of the three factors. A card number typed into a form, even with the expiry date and CVC, is at best a single knowledge factor, and nothing proves that the payer actually holds the card. Regulators such as BaFin in Germany and the Banque de France, as well as the EBA in its June 2019 opinion on SCA elements, go further and treat details printed on the card as neither a knowledge nor a possession factor, so card data alone pass no factor at all.

So what happens with current credit card payments? How can they pass Strong Customer Authentication?

Accepting credit cards under Strong Customer Authentication

The card networks, through EMVCo, have published a new version of the old 3D Secure protocol, called 3D Secure 2 (EMV 3-D Secure), designed with SCA in mind. Under this new standard, the following happens behind the scenes when you receive a card payment:

  • Before the charge, the processor sends the card details plus a rich set of transaction and device data (amount, shipping address, browser or device fingerprint, and so on) to the issuing bank.
  • Based on that data the issuer assesses the risk. It can authenticate silently ("frictionless flow"), or, where SCA is required and no exemption applies (for example low-value payments, low-risk transactions under transaction risk analysis, or recurring payments after the first), it requests a challenge.
  • In the challenge flow the customer is authenticated by the issuer, usually in an embedded frame or the bank's app rather than a full-page redirect, using two of the three factors.
  • The issuer returns the authentication result and the payment is authorised.

So, in summary, for EEA card transactions the customer's issuing bank has the final say. Where it demands a challenge, the customer proves who they are to the bank, for example by logging in (what the customer knows) and then approving the payment in the bank's app or entering a one-time code sent to a registered phone (what the customer has).

How does this affect my business?

If you have no customers in the EEA, you will be unaffected, as SCA will not trigger. If you do, you will have to take measures.

If you use a payment processor like Stripe, make sure you are on their PaymentIntents API. Integrations built on the legacy Charges API, including the old modal Checkout and card tokens from Elements passed straight to a charge, cannot run the 3D Secure 2 challenge and are effectively obsolete after September 14th 2019; PaymentIntents (and the newer hosted Checkout built on it) handle the challenge for you. Integrations that cannot authenticate will see a large rise in declines, because issuing banks will refuse transactions that required SCA and did not get it.
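The practical consequence of the 3D Secure 2 flow above for a Stripe PaymentIntents integration is that a card payment is no longer a single synchronous call: the server may get back `requires_action`, must hand the `client_secret` to the browser so Stripe.js can run the issuer's challenge, and must confirm again afterwards. The following is an added example (not PayForm's or Stripe's own code) of that merchant-side state machine. `makeFakeStripe` is a constructed stand-in for the Stripe SDK so the example runs offline; the PaymentIntent field names (`id`, `status`, `client_secret`, `next_action.type`) are the real ones, the values are made up, and the stand-in is synchronous where the real SDK returns promises.

```javascript
// Added example, not PayForm's or Stripe's own code. Models a PaymentIntents
// integration with manual confirmation once the issuer may demand a 3DS2
// challenge. Only `succeeded` fulfils the order.

function decideNextStep(intent) {
  switch (intent.status) {
    case 'requires_action':
      // Issuer wants to authenticate the cardholder. Hand only the client_secret
      // to the browser; Stripe.js uses it to run the challenge in a frame/app.
      if (intent.next_action && intent.next_action.type === 'use_stripe_sdk') {
        return { requiresAction: true, clientSecret: intent.client_secret };
      }
      return { error: 'unsupported next_action' };
    case 'succeeded':
      // Safe to fulfil. In production also act on the payment_intent.succeeded
      // webhook rather than trusting this synchronous response alone.
      return { success: true, paymentIntentId: intent.id };
    case 'requires_payment_method':
      // Challenge failed or the issuer declined: ask for another card.
      return { error: 'authentication failed or card declined' };
    default:
      return { error: `unexpected status ${intent.status}` };
  }
}

// Merchant endpoint (e.g. POST /pay). The amount comes from the server-side
// order, never from the request body, so the second round trip can only
// confirm an intent whose amount was already fixed by the first.
function handlePayRequest(stripe, orderAmountCents, body) {
  let intent;
  if (body.payment_method_id) {
    intent = stripe.paymentIntents.create({
      amount: orderAmountCents,
      currency: 'eur',
      payment_method: body.payment_method_id,
      confirmation_method: 'manual',
      confirm: true,
    });
  } else if (body.payment_intent_id) {
    intent = stripe.paymentIntents.confirm(body.payment_intent_id);
  } else {
    return { error: 'missing payment_method_id or payment_intent_id' };
  }
  return decideNextStep(intent);
}

// Constructed stand-in for the Stripe SDK. `issuerChallenges` decides whether
// the simulated issuing bank asks for SCA; `cardholderPasses` whether the
// cardholder completes the challenge.
function makeFakeStripe({ issuerChallenges, cardholderPasses }) {
  const intents = new Map();
  return {
    paymentIntents: {
      create(params) {
        const id = `pi_${intents.size + 1}`;
        const intent = {
          id,
          amount: params.amount,
          currency: params.currency,
          client_secret: `${id}_secret_constructed`,
          status: issuerChallenges ? 'requires_action' : 'succeeded',
          next_action: issuerChallenges ? { type: 'use_stripe_sdk' } : null,
        };
        intents.set(id, intent);
        return intent;
      },
      confirm(id) {
        const intent = intents.get(id);
        if (!intent) throw new Error(`no such intent ${id}`);
        const authenticated = intent.status === 'requires_confirmation';
        intent.status = authenticated ? 'succeeded' : 'requires_payment_method';
        intent.next_action = null;
        return intent;
      },
    },
    // Models stripe.handleCardAction(clientSecret) in the browser: after the
    // issuer's challenge the intent is ready for server-side confirmation.
    browserHandleCardAction(clientSecret) {
      const intent = [...intents.values()].find((i) => i.client_secret === clientSecret);
      intent.status = cardholderPasses ? 'requires_confirmation' : 'requires_payment_method';
      return { paymentIntent: { id: intent.id, status: intent.status } };
    },
  };
}

// Drives one checkout end to end; returns the final server response and the
// number of server round trips it took (1 frictionless, 2 with a challenge).
function runCheckout(stripe, orderAmountCents) {
  let roundTrips = 1;
  let response = handlePayRequest(stripe, orderAmountCents, { payment_method_id: 'pm_constructed' });
  if (response.requiresAction) {
    const { paymentIntent } = stripe.browserHandleCardAction(response.clientSecret);
    roundTrips = 2;
    response = handlePayRequest(stripe, orderAmountCents, { payment_intent_id: paymentIntent.id });
  }
  return { response, roundTrips };
}
```

The point to take from the example is the shape of the integration, not the stand-in: a Charges-style "charge and fulfil" handler has nowhere to put the `requires_action` branch, which is exactly why such integrations fail once issuers start demanding challenges.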

If you use an intermediary solution like PayForm to connect to the Stripe API, make sure it is fully compatible with SCA. We're fully committed to making PayForm fully compatible with SCA before September 14th 2019, when this new requirement comes into force.

Finally, as payments go mobile, consider adding a secondary payment method like Apple Pay, which is a frictionless way to accept SCA-ready payments. We also plan to add Apple Pay and Google Pay support to PayForm before the SCA deadline.

TL;DR

Under Strong Customer Authentication (SCA), the customer's issuing bank can require an extra authentication step, via 3D Secure 2, whenever they pay by card online in Europe, and integrations that cannot run that step will see their payments declined. PayForm is the best way to be protected from this new regulation after September 14th 2019.