Strong Customer Authentication

The European Bank Authority (EBA) has recently decided that the official deadline of mandatory Strong Customer Authentication (SCA) will go into effect on the first of January, 2021 (previously 14th of September). As part of the updated PSD2, this regulation will be initiated to improve security in the payment space. This article sets out to inform merchants about the requirements of SCA and how it may impact the way online consumers authenticate themselves.

What is Strong Customer Authentication?

Strong Customer Authentication (SCA) must be used for all remote electronic transactions – unless an exemption applies. The introduction of SCA aims to strengthen the authentication process of online consumers. This new European regulation is supposed to reduce fraud and increase the security of online payments. In particular, payments will need to be accepted with at least two authentication factors.

In total, there are three different authentication factors set out by Strong Customer Authentication:

  • Something the customer knows (e.g. password or pin)
  • Something the customer owns (e.g. phone or hardware token)
  • Something the customer is (biometric elements)

For example, when a consumer completes a payment via phone, he/she needs to use something owned (the phone) and needs to confirm the payment with something he/she is (fingerprint) or something he knows (the app pin). Currently, various payment methods already comply with SCA’s two step-verification and if this is not the case, MultiSafepay is able to provide a solution.

When is SCA applied and which are the exemptions

In general, SCA applies to online transaction initiated by consumers with an amount higher than 30 euros. Nonetheless, there are many payment methods already in line with SCA and certain payment methods that are exempted. For example, direct debit transfers, payments via invoice, recurring payments (subscription based) and pre-payments do not require Strong Customer Authentication and need no further action.

What technologies can be used

There are different technologies that help merchants adding security layers (that are in line with SCA) to credit card payments. For example, MultiSafepay offers technologies like tokenization and 3D Secure  to all its merchants by means of in-house developed plugins and API’s. Thanks to these technologies, the consumer can securely store credit card data for repeat purchases after the initial payment. If you are interested in our security technologies for your webshop, do not hesitate to contact our payment experts!

Roadmap towards PSD2

At the moment, MultiSafepay is already compliant with SCA requirements, however, we will be continuously monitoring and improving to include potential PSD2 updates. Mainly in terms of applying applicable new exemption rules and incorporating the various industry SCA updates into our services (such as new 3D 2.0).
Current projections are that issuers will increasingly start to stop accepting non secure transactions, starting from September. This will most likely ramp up during the year, with issuers no longer accepting non-secure transactions at all at the end of the year.
This will not affect your current way of processing payments, as transactions are already processed by means of SCA. As the industry adopts new standards and exemption rules, MultiSafepay will be adapting SCA configurations for an optimal conversion rate.

Disclaimer: the information in this article has a general informative purpose. Given the changing nature of the law, rules, regulations and information in general, as well as the risks related to electronic communication, there could be delays, omissions or inaccuracies in the information contained in this article. As a result, the information in this article should not be used as a consultation with a professional consultant. We recommend that you consult the competent authority before taking any decision or action. While we have taken the greatest possible care in compiling the information released in this article, MultiSafepay cannot guarantee the completeness, timeliness and / or accuracy of the information. As a result, MultiSafepay accepts no responsibility for direct or consequential damages resulting from the use of, reliance on or actions taken based on information provided in this article.