What is SCA and why does it matter?

SCA stands for Strong Customer Authentication, and it’s a regulatory requirement aimed at increasing the security of electronic payment services in the EU and the UK - but what does this mean for your company?

Strong Customer Authentication is a requirement for authenticating online payments that was introduced under the EU’s revised Payment Services Directive (PSD2). In essence, it requires banks and card issuers to verify that a payer is who they say they are by requesting additional forms of validation, in the form of Two Factor Authentication (2FA), rather than relying on a single credential.

Two Factor Authentication means the user confirms their identity with two forms of validation rather than the single one in use today. To satisfy SCA, the customer must provide two of the following three independent elements to complete a payment:

  • Knowledge: something only the customer knows (e.g. a password, PIN or memorable information)

  • Possession: something the customer has (e.g. a mobile phone or another registered device)

  • Inherence: something the customer is (e.g. a fingerprint or voice recognition)

Although SCA adds a layer of complexity to checkout, it also brings real benefits. Authenticating the payer’s identity more strongly in online transactions can reduce the potential for online fraud, reduce the costs associated with fraudulent transactions, and increase consumer confidence in paying online.

What countries will SCA apply to?

SCA is required where the merchant’s payment services provider (acquirer) and the customer’s bank or card issuer are both located in the European Economic Area (EEA). If either is located outside the EEA, the EEA-based payment services provider is expected to use its ‘best efforts’ to apply SCA - but it won’t be mandatory.

One Leg Out (OLO): payments where only one party is based in the EEA fall outside the scope of SCA. This includes all payments where either the merchant’s acquirer or the card issuer is based outside the EEA.

The UK: payment services providers operating in the UK have been given a further six months to implement SCA standards for e-commerce transactions, so a backstop deadline for compliance of 14 March 2022 now applies.

The US: importantly for US based companies, OLO transactions are not subject to SCA, so a US based merchant selling to EEA customers is exempt - for now. Note that the exemption follows the location of the acquirer rather than the merchant: a US merchant that processes its payments through an EEA-based acquirer is in scope. As the EU’s approach has already spread to other countries, we’ll be keeping a close eye on discussions around SCA in the US. Australia, Turkey, and Mexico have already adopted, or are actively considering, SCA regimes, and should a country subject OLO transactions to SCA standards, it could have knock-on effects for US merchants too.

How will this affect my Billsby subscriptions?

Merchant-initiated payments of a fixed or variable amount taken from a saved card, such as recurring subscription payments, are out of scope of SCA. This means your customers will only need to go through the 2FA process at the point of sign up, when the card is first saved, or when they update their payment card.

For now, Stripe is the only gateway that supports SCA, but we’ll be adding SCA support for other gateways over the coming months. We suggest that, for now, customers based in the EEA use Stripe as their preferred payment gateway.

Where SCA occurs in Billsby:

  • Billsby customers who are within the scope of SCA will need to enable it in Stripe, the SCA-supported gateway

  • Two Factor Authentication is only required when payment details are provided for the first time, as subsequent recurring payments are outside the scope of SCA

  • When a customer updates a payment card, their bank will prompt them to go through the 3D Secure (3DS) authentication process