Strong Customer Authentication (SCA)
Strong Customer Authentication (SCA) is a new payment requirement, introduced by the EU Revised Directive on Payment Services (PSD2), to make online payments more secure and to reduce fraud. SCA requires an additional proof of identity from your customers during the payment transaction, known as two-factor authentication (2FA). The authentication must use at least two of the following:
- Knowledge – something the customer KNOWS (such as a password)
- Possession – something the customer HAS (such as a pre-registered smartphone)
- Inherence – something the customer IS (such as a fingerprint)
When Does SCA Apply?
SCA applies to online payments within the European Economic Area (EEA). There are exemptions to SCA when a transaction risk is low. In addition, some transaction types are out of the SCA scope.
SCA scope is defined by 3 factors:
- Geography: SCA is required when both the acquirer and the issuer are located within the European Economic Area (EEA). SCA can still be applied when only one of the two is located within the EEA: the authentication is always performed by the EEA issuer and supported, where possible, by the non-EEA acquirer. For example, if a customer pays with a card from an EEA issuer and the merchant uses a non-EEA acquirer that supports SCA, the transaction is authenticated and validated using SCA.
- Payment Method: SCA primarily targets customer-initiated transactions (CIT), where the customer uses an online payment method. (Online payment refers to a group of payment options that do not require the customer to submit the payment in a separate step after submitting the order; the product is delivered almost immediately, as soon as the payment is processed, which usually takes only a few seconds.) Most credit card and debit card payments, as well as all bank transfers, are subject to SCA. Payment options like PayPal, Apple Pay, and Amazon Pay are also within SCA scope. Cleverbridge can't measure how these payment options affect the customer experience, as customers are redirected to the respective apps to execute payments.
- Type of Billing: How and when the payment is processed is relevant to the SCA scope. One-time purchases and initial transactions for subscriptions and recurring payments require SCA.
The customer’s location is of no consequence to SCA. If a customer is located outside the EEA and uses an EEA card issuer to execute electronic payments, that card issuer will apply SCA for transactions that require it.
There are some out-of-scope transactions to SCA. The most relevant ones are:
- Merchant-initiated transactions (MIT): A merchant-initiated transaction is a payment taken on an agreed-upon date with the payer's prior consent and initiated by the merchant collecting the payment, without the customer being present. If a transaction is merchant-initiated, both fixed and variable amounts are out of scope of SCA.
- Inter-regional transactions (one-leg-out transactions): A transaction where either the issuer or acquirer is located outside the EEA.
- Anonymous cards: Transactions made with anonymous (for example, prepaid) cards are out of scope. Whether a card is anonymous can only be determined by the issuing bank, not by the customer.
The following transactions are exempt from SCA:
- Low value transaction: Transactions below €30 are exempt from SCA. SCA is required again once the cumulative amount charged to the card without SCA since the last authentication exceeds €100, or once five consecutive transactions have been conducted without SCA.
- Low risk transaction/transaction risk analysis (TRA): Whether a payment can be treated as low risk depends on the fraud rate of the payment service provider applying the exemption (the acquirer, or the issuer when it decides not to challenge). The fraud rate must not exceed:
  - 0.13% to exempt transactions below €100
  - 0.06% to exempt transactions below €250
  - 0.01% to exempt transactions below €500
- Successfully renewed subscription or recurring transactions: Subscription or recurring transactions with a fixed amount are exempt from the second transaction onwards. Subsequent payments for subscription or recurring transactions are subject to Strong Customer Authentication when one of the following factors applies:
  - the subscription billing interval is updated.
  - the payment information details are updated.
- Trusted beneficiaries: Customers can assign businesses to an acceptlist of trusted beneficiaries. Acceptlisted merchants are exempt from SCA.
- Secure corporate payments: When the transaction is initiated by a legal person, for example a business rather than a consumer, and it is processed through a secured dedicated payment protocol, the transaction is exempt from SCA.
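The scope and exemption rules above amount to a decision procedure, and it helps to see them in one place. The following Python is an added illustration, not Cleverbridge's code: it classifies a single card transaction using the rules as stated on this page (out-of-scope cases first, then the exemptions) and keeps the per-card counters that the low-value exemption depends on. The field names, the per-card state, and the assumption that the acquirer's fraud rate alone drives the TRA check are this example's own; in practice the issuer makes the final decision on whether to challenge.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Tuple


class Decision(Enum):
    OUT_OF_SCOPE = "out of scope"   # SCA does not apply at all
    EXEMPT = "exempt"               # in scope, but an exemption can be claimed
    REQUIRED = "SCA required"       # cardholder must be challenged (3D Secure)


@dataclass
class Transaction:
    # Hypothetical transaction model for this example, not a Cleverbridge API.
    amount_eur: float
    merchant_initiated: bool = False    # MIT, e.g. a subscription rebilling
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    anonymous_card: bool = False        # anonymous prepaid card (per BIN lookup)
    recurring_followup: bool = False    # 2nd+ payment of a fixed-amount subscription
    subscription_changed: bool = False  # billing interval or payment details updated
    trusted_beneficiary: bool = False   # merchant on the cardholder's acceptlist
    acquirer_fraud_rate: float = 1.0    # fraction, e.g. 0.0013 means 0.13%


@dataclass
class CardState:
    """Per-card counters for the low-value exemption, since the last SCA."""
    amount_without_sca_eur: float = 0.0
    consecutive_without_sca: int = 0


LOW_VALUE_LIMIT_EUR = 30.0
LOW_VALUE_CUMULATIVE_EUR = 100.0
LOW_VALUE_MAX_CONSECUTIVE = 5
# (amount ceiling, maximum fraud rate) tiers for transaction risk analysis
TRA_TIERS = ((100.0, 0.0013), (250.0, 0.0006), (500.0, 0.0001))


def tra_exempt(amount_eur: float, fraud_rate: float) -> bool:
    """True if the acquirer's fraud rate is low enough for this amount."""
    for ceiling, max_rate in TRA_TIERS:
        if amount_eur < ceiling:
            return fraud_rate <= max_rate
    return False  # EUR 500 and above are never TRA-exempt


def decide(tx: Transaction, state: CardState) -> Tuple[Decision, str]:
    """Classify one card transaction and update the card's counters."""
    # 1. Out-of-scope cases: no SCA, and the counters are untouched.
    if tx.merchant_initiated:
        return Decision.OUT_OF_SCOPE, "merchant-initiated transaction"
    if not (tx.issuer_in_eea and tx.acquirer_in_eea):
        return Decision.OUT_OF_SCOPE, "one-leg-out transaction"
    if tx.anonymous_card:
        return Decision.OUT_OF_SCOPE, "anonymous card"

    # 2. Exemptions, checked in order; the first match wins.
    reason = None
    if tx.recurring_followup and not tx.subscription_changed:
        reason = "recurring transaction with fixed amount"
    elif tx.trusted_beneficiary:
        reason = "trusted beneficiary"
    elif (tx.amount_eur < LOW_VALUE_LIMIT_EUR
          and state.amount_without_sca_eur + tx.amount_eur <= LOW_VALUE_CUMULATIVE_EUR
          and state.consecutive_without_sca < LOW_VALUE_MAX_CONSECUTIVE):
        reason = "low value"
    elif tra_exempt(tx.amount_eur, tx.acquirer_fraud_rate):
        reason = "transaction risk analysis"

    if reason is not None:
        # Every non-authenticated payment counts towards the low-value limits.
        state.amount_without_sca_eur += tx.amount_eur
        state.consecutive_without_sca += 1
        return Decision.EXEMPT, reason

    return Decision.REQUIRED, "customer-initiated, in scope, no exemption applies"


def mark_sca_completed(state: CardState) -> None:
    """Call after a successful challenge: the cumulative counters start over."""
    state.amount_without_sca_eur = 0.0
    state.consecutive_without_sca = 0


if __name__ == "__main__":
    card = CardState()
    # Constructed sample: six EUR 20 purchases on one card at an acquirer
    # whose fraud rate (0.2%) is too high for any TRA exemption.
    for i in range(6):
        print(i + 1, decide(Transaction(20.0, acquirer_fraud_rate=0.002), card))
```

Running the sample shows the cumulative rule in action: five €20 purchases pass as low value, and the sixth pushes the total past €100 (and the consecutive count to five), so it is challenged even though each amount on its own is below €30.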
How Is Cleverbridge Managing SCA?
As your ecommerce and payment partner, Cleverbridge takes over responsibility for compliance with SCA requirements. We made some major changes to our platform and processes to ensure transactions are compliant:
- We have implemented a Cardholder-Initiated Transactions (CIT)/Merchant-Initiated Transactions (MIT) framework so that recurring transactions are out-of-scope, and no SCA is required.
- We are utilizing an up-to-date Bank Identification Number (BIN) database to identify the cards where the issuer is based outside the EEA, or anonymous cards where no SCA mandate is required.
- We use preferred acquirers with low fraud rates to utilize TRA exemption for transactions below €100.
- We will continue to track any changes in requirements for SCA exemptions to ensure that customers can still enjoy easy shopping experiences by applying these exemptions in the best way.
3D Secure is an authentication protocol for online credit and debit card transactions that complies with SCA standards. 3D Secure 2.0, the latest revision to 3D Secure, was specifically designed to reduce friction in the transaction process and to improve order conversion. Starting January 1, 2021, Cleverbridge will handle 3D Secure 2.0 authentication on hosted checkout pages for the European Economic Area (EEA).
SCA Flow (3D Secure)
The following scenario shows an SCA flow applied to credit card transactions. In this scenario the two factors are possession of the registered device and a password. On the hosted checkout page, SCA is triggered through the following steps:
- Customer enters credit card information and clicks Next.
- Customer reviews payment data and clicks Buy Now to complete the purchase. The SCA page appears and starts the multi-device checkout process.
First Factor Authentication
- The customer's card issuer challenges the cardholder with an authentication request. The cardholder receives a push notification on the registered device.
- The cardholder opens the push notification and triggers the card issuer's application to open the authentication page.
- The cardholder reviews the transaction details and clicks Confirm or Decline. By clicking Confirm, the cardholder triggers the second factor authentication.
If the SCA flow is interrupted, the cardholder immediately receives a 3D-enrolled email from Cleverbridge. The email invites the cardholder to complete the authentication process and provides information about the product. If the customer does not complete the authentication after receiving the first 3D-enrolled email, Cleverbridge sends a second email after 24 hours and a third email after 72 hours.
Both SCA emails for one-time or initial transactions and recurring transactions contain additional information like the product name, renewal date and price.
If a customer enters a different delivery, billing or licensee contact during the checkout process, the delivery, billing, and licensee address will be displayed as well in the SCA emails for one-time or initial transactions and recurring transactions.
Second Factor Authentication
- The cardholder receives a message notification on the registered device and uses the received password to authorize the payment.
- The registered device accepts the password and verifies the transaction. SCA is complete.
- The customer sees the Cleverbridge confirmation page in their browser. (The confirmation page is displayed after a customer makes a purchase and contains the order confirmation and delivery information.)
Check out the video below to see the SCA flow for credit card payments.
The following flow charts show the SCA process for credit/debit card payments (3D Secure) in detail:
SCA for One-Time or Initial Transaction (3D Secure)
SCA for Recurring Transactions (3D Secure)
How will 3D Secure impact my checkout conversion?
We can’t foresee how it will affect the conversion because it is ultimately on the cardholder’s bank to decide whether or not to challenge a transaction. However, 3D Secure 2.0 introduces a better user experience that will help minimize some of the friction added to the checkout flow by authentication.
What happens with MITs when the original transaction was before December 31, 2020?
Cleverbridge will flag the transaction as merchant-initiated and will endeavor to "grandfather in" these subscriptions so that they don't require SCA when they come up for renewal on or after December 31, 2020. However, SCA is still required if the customer initiates a payment method change for an active subscription.
With usage-based billing, is SCA required for each re-billing?
As long as the transaction is merchant-initiated and appropriately flagged as such, subsequent charges do not require SCA in most cases, even if the amount varies. Cleverbridge will take care of flagging subsequent re-billings as MIT.
For merchant-initiated transactions, what happens if the transaction amount changes for subsequent transactions? Do they need SCA?
As long as the transaction is merchant-initiated and appropriately flagged as such, subsequent transactions do not require SCA, no matter the amount change. Cleverbridge will take care of flagging subsequent re-billings as MIT.
How can customers acceptlist merchants? Can this process be part of the checkout process?
This process is not considered part of the checkout process. It is part of the app or online banking system provided by the issuing bank that allows you to acceptlist specific merchants.