
An introduction to SCA

The rise of eCommerce and digital payments has brought about new security challenges for financial institutions and businesses. Strong Customer Authentication (SCA) has emerged as a critical solution to address this change. 

A mandatory requirement for all businesses operating within the European Economic Area (EEA) and processing electronic payments,  SCA has also been compulsory for UK retailers with an online presence since 2022.

Strong Customer Authentication in payments

By now, you might be wondering what SCA, or Strong Customer Authentication, is. SCA is a regulatory requirement introduced by the European Banking Authority (EBA) under the revised Payment Services Directive (PSD2) to enhance the security of electronic payments and reduce fraud.

SCA aims to reduce the risk of fraud by requiring an extra layer of authentication for online transactions: the customer must be verified using two or more elements drawn from the categories of knowledge, possession, and inherence.

What transactions does SCA apply to?

SCA applies to customer-initiated online payments and remote electronic transactions within the European Economic Area (EEA). 

SCA does not apply to face-to-face transactions or payments made using a secure corporate payment solution. Transactions that fall below a certain value threshold, known as the “single transaction exemption,” may also be exempt from SCA requirements. Additionally, SCA does not apply to transactions that have been previously authenticated using SCA.

What is a method of authentication?

A method of authentication constitutes a set of one or more procedures used to verify the identity of a person or a device. 

In the context of SCA, authentication methods are used to verify the identity of the cardholder making an online payment.

Some common examples of authentication methods include:

  • Knowledge-based authentication: uses something the cardholder knows, such as a password, PIN, or security question, to authenticate the transaction.
  • Possession-based authentication: uses something the cardholder has, such as a smartcard, token, or mobile device, to authenticate the transaction.
  • Inherence-based authentication: uses something the cardholder is, such as a fingerprint or other biometric, to authenticate the transaction.

Exceptions to SCA requirements

SCA requirements do not apply to all online transactions, and several exemptions exist.

Low-risk transactions are those that the card issuer or the acquiring bank has assessed as having a low likelihood of fraud. Transactions below a specified value threshold are also exempt, under what is known as the “single transaction exemption.”

Fixed-amount subscriptions, such as recurring payments or subscription services, are also exempt from SCA requirements. These exemptions are designed to minimise the impact of SCA on the customer experience and keep the online payment process smooth and frictionless.

If an SCA exemption does not apply or is not granted, the payment must be processed in accordance with Strong Customer Authentication (SCA) regulations. This means that the customer must undergo multi-factor authentication to verify their identity. If the customer cannot be authenticated, the transaction will be declined, and the customer will need to start the process again.

Businesses need systems to detect and respond to failed SCA exemptions, since non-compliance with SCA regulations can lead to significant fines and reputational damage. Additionally, they should educate their customers about SCA so they know the requirements and the potential consequences when an exemption fails.
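The scope rules, the three factor categories and the exemptions described above can be expressed as one decision routine. The following is an added example, not code from Trust Payments; the threshold value is a constructed placeholder (the article gives no figure), and the rule that the two elements must come from different categories is an assumption stated in the code.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# The three factor categories named in the article.
CATEGORIES = {"knowledge", "possession", "inherence"}

# Constructed placeholder: the article names the "single transaction
# exemption" but gives no figure, so this threshold is an assumption.
LOW_VALUE_THRESHOLD = Decimal("30.00")


@dataclass
class Transaction:
    amount: Decimal
    channel: str                        # "online", "face_to_face" or "corporate"
    customer_initiated: bool = True
    previously_authenticated: bool = False
    fixed_amount_subscription: bool = False
    issuer_low_risk: bool = False
    factors_verified: set = field(default_factory=set)  # categories passed so far


def exemption_reason(tx: Transaction):
    """Return why SCA is not required for this transaction, or None when it is."""
    if tx.channel in ("face_to_face", "corporate") or not tx.customer_initiated:
        return "out_of_scope"           # SCA does not apply at all
    if tx.previously_authenticated:
        return "previously_authenticated"
    if tx.fixed_amount_subscription:
        return "fixed_amount_subscription"
    if tx.issuer_low_risk:
        return "low_risk"
    if tx.amount < LOW_VALUE_THRESHOLD:
        return "single_transaction_exemption"
    return None


def sca_satisfied(factors) -> bool:
    """Assumption: the two elements must come from different categories,
    so a password plus a security question (knowledge twice) is not enough."""
    return len(CATEGORIES & set(factors)) >= 2


def decide(tx: Transaction, challenge_failed: bool = False) -> str:
    """'approve' (exempt or authenticated), 'challenge' (step-up required),
    or 'decline' (the customer attempted the challenge and failed)."""
    if exemption_reason(tx) is not None or sca_satisfied(tx.factors_verified):
        return "approve"
    return "decline" if challenge_failed else "challenge"
```

A merchant would call `decide` once before the challenge and again after it, passing `challenge_failed=True` when the issuer reports that authentication did not succeed.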

How does SCA affect businesses?

One important aspect of SCA compliance is ensuring that all payment systems and terminals used by a business are capable of supporting SCA. This may involve upgrading existing point of sale (POS) systems or adopting new smart POS terminals that support SCA.

Businesses can mitigate the impact of SCA on the customer experience by implementing a streamlined and user-friendly authentication process. This could involve using biometric authentication methods such as fingerprint or facial recognition or offering a simplified multi-factor authentication process that doesn’t require multiple steps.

How does SCA affect issuers and acquirers?

Strong Customer Authentication (SCA) has significant implications for both issuers and acquirers in the payments sphere. Issuers like banks and credit card companies are responsible for verifying customers’ identities before approving transactions. This requires them to have robust systems and processes in place to support multi-factor authentication. 

Acquirers, on the other hand, are responsible for processing transactions on behalf of merchants. They must ensure that they have the necessary systems and processes in place to support SCA and that they are able to provide merchants with the tools they need to comply with the regulations.

In response to the implementation of SCA, issuers and acquirers are investing in new technologies and processes to adapt to the new regulations: cloud-based authentication solutions, mobile authentication technologies, and artificial intelligence (AI) systems to support customer verification. 

Implement SCA with Trust Payments

With the support of a payment service provider, merchants can implement SCA successfully. With a 3DS2 payment gateway, you can choose from several options that suit your specific needs, ensuring you remain compliant with the latest payment regulations.

With TRU Security from Trust Payments, your business remains compliant with 3DS2 regardless of the device or channel you use. We offer an out-of-the-box system to collect card payments immediately, so no complicated setup is required.

If you want to learn more, check out our 3DS2 FAQ, or feel free to contact us today.

Security statement

Security is our top priority at Trust Payments, and we strive to ensure that all data is kept secure at all times. We keep all customer data safe with AES-256 encryption, SSL certificates, and a minimum of TLS 1.2 between your website and our datacentres.

Our systems are scanned quarterly using the Qualys PCI platform, by an independent Qualified Security Assessor (QSA) and by approved vendors – Omnicybersecurity (UK) and Forgenix (US) – to ensure compliance with the security requirements of the card schemes.

We follow a number of rigorous security procedures on a daily basis, including, but not limited to, continuous monitoring of our perimeter, dark web monitoring, and internal checks to ensure that the CIA triad (confidentiality, integrity and availability) is maintained at all times.
