Lots of customers have been asking us about SCA and what it means for them. This article explains what it is, and what you might need to do to prepare.
SCA stands for Strong Customer Authentication. It is a new regulation that applies to all websites that make sales and take payments online. The new SCA rules take effect on 14th September 2019 and they require merchants to use multiple methods of verifying their customers’ identities. If you don’t comply with the new requirements, your sales could be affected, so it’s important to acquaint yourself with the new rules and make sure that your website is compliant.
Starting in September, all businesses accepting online payments must use two independent authentication methods to verify that a customer is who they say they are.
What kinds of authentication are acceptable?
The SCA rules allow for three different authentication methods – something the customer knows, something the customer has, and something the customer is. To succeed, a transaction must use two of the three.
What does that mean in practice?
- Ask for a piece of information only the customer knows, like their password or the answer to a security question.
- Send verifying information to something the customer controls, e.g. a push notification sent to their mobile phone.
- Use a physical identifier unique to the customer, like their fingerprint or Face ID.
What do I need to do to prepare for SCA?
Most payment gateways will use something called “3D Secure 2” – an update to the 3D Secure system – as their main method of complying with SCA. During checkout, the payment gateway prompts the customer to provide the appropriate additional authentication elements. Their order can only be completed once they do that successfully.
Note that some payment methods, such as Apple Pay, already have these elements built in, so they are already SCA-compliant.
Does this apply to businesses outside of Europe?
Yes. SCA applies whenever the acquiring bank or processor is in the European Economic Area (EEA) and the customer’s payment instrument is issued in the EEA. The EEA includes all European Union member states as well as Iceland, Liechtenstein, and Norway. Note that the physical location of the business accepting the payments does not matter.
What happens after 14th September 2019 if I am not compliant?
If your online store’s payment gateway is not SCA ready, payment methods will most likely be declined during checkout.
Are any transactions exempt from SCA?
Yes, they certainly are. Low-value transactions (below €30) will usually not require SCA. However, SCA will be required after five exempt transactions, or if the total amount spent by the customer exceeds €100.
What about recurring subscriptions?
Yes, SCA applies to subscriptions, too. After September 14th 2019, your customers will have to authenticate the first payment on their subscription. Exemptions are granted for recurring charges in many cases, including those that began before September 14th, although ultimately it is the customer’s bank that determines whether to require SCA or accept the exemption.
What payment gateways are ready now?
Contact your payment gateway directly to inquire about SCA. If your WordPress website uses a payment gateway plugin, check with the developer to see whether they will be issuing an update to ensure SCA compliance. If not, you might need to think about switching to a new plugin (or a new payment gateway)!
What if I am an Outerbridge support package customer?
The good news for Outerbridge support package customers is that you don’t have to do anything; we will ensure your website is ready for the changes and this service is included in your support package subscription.
How can I find out more about SCA?
More detailed information about Strong Customer Authentication can be found here. If you need help with your WordPress website and making sure that it can still accept payments after the 14th of September, please feel free to contact us.
This article should not be considered as legal advice. If you have questions or concerns about how your business is impacted by regulations and laws, we strongly recommend consulting with a legal professional.