Strong Customer Authentication (SCA) is one of the most important requirements of PSD2: it mandates verifying the customer's identity and is intended to sharply reduce fraud in online transactions. The PSD2 SCA requirements give businesses a roadmap for complying with the rules while keeping the experience seamless and secure for their customers.
To be clear, SCA has two key objectives: ensuring transactions are as safe as feasible while providing the best possible user experience for the end-user.
Strong Customer Authentication’s Timeline
European Union member states brought PSD2, and with it SCA, into force on September 14. The final deadline for implementation was set for December 31, 2020. Because readiness and execution varied, each country's approach has been distinct.
The UK eCommerce and banking industries have been granted an extension to March 14, 2022. Only 44% of companies in online retail and eCommerce are prepared for SCA deployment, and in the United Kingdom 37% of eCommerce customers have had to switch merchants to complete their orders.
Two-Factor Authentication Is Now The Standard
Nearly all industries requiring client authentication use Two-Factor Authentication (2FA) because it is the most dependable and secure option. It is also known as Multi-Factor Authentication (MFA) in certain areas.
2FA adds a layer of security that reduces the risk of fraud and protects buyers' sensitive data. For instance, if someone obtains the login credentials for a Facebook account, they can attempt to use them to take over the account. Two-factor authentication helps here because the attacker is most likely logging in from a device that is not associated with the account.
As a result, Facebook blocks the login attempt and sends an identity verification message to the registered email address. The attacker is thwarted by the requirement to supply two independent pieces of evidence.
Dynamic Linking
"Remote payment transactions" are payments made over the internet. To further protect payers, TPPs must use "dynamic linking" to tie each transaction to the amount and the payee specified in that transaction.
For this, the TPP provides the customer with a unique authorization code or token. If the payee or the total amount changes, the code becomes invalid and a new one is required to complete the transfer of funds.
For instance, if a consumer buys groceries online, the total price of the items in the basket, including all applicable taxes and levies, must be clearly displayed. The customer must also be told which food business will receive the money.
Once this data has been presented, the customer authorizes the transaction with the code. The TPP allows a transaction to proceed only if a fresh authorization code has been generated for each modification made.
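The binding described above can be implemented by deriving the authorization code from a MAC over the payee, amount and a per-session nonce, so that any change to the basket invalidates the code. This is an added illustration, not code from the original page or from any TPP; the key, the 8-digit code format and the payment fields are assumptions for the demo.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Hypothetical server-side secret held by the TPP; constructed for the demo only.
DEMO_KEY = b"constructed-demo-key-do-not-use"


@dataclass(frozen=True)
class PaymentContext:
    payee: str          # the business that will receive the funds
    amount_cents: int   # total including all taxes and levies
    currency: str


def _code_for(key: bytes, nonce: str, ctx: PaymentContext) -> str:
    # JSON gives an unambiguous encoding of every field the code must be bound to.
    msg = json.dumps([nonce, ctx.payee, ctx.amount_cents, ctx.currency],
                     separators=(",", ":")).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Reduce to an 8-digit code the customer can type; the server must rate-limit guesses.
    return f"{int.from_bytes(digest[-4:], 'big') % 10**8:08d}"


def issue_auth_code(key: bytes, ctx: PaymentContext) -> tuple[str, str]:
    """Return (nonce, code). The nonce stays in the session; the code is shown to the customer."""
    nonce = secrets.token_hex(16)
    return nonce, _code_for(key, nonce, ctx)


def verify_auth_code(key: bytes, nonce: str, code: str, ctx: PaymentContext,
                     used_nonces: set) -> bool:
    """Accept the code only for the *current* payee and amount, and only once."""
    if nonce in used_nonces:
        return False
    if not hmac.compare_digest(_code_for(key, nonce, ctx), code):
        return False
    used_nonces.add(nonce)
    return True


if __name__ == "__main__":
    basket = PaymentContext("Grocer Ltd", 45_99, "EUR")
    nonce, code = issue_auth_code(DEMO_KEY, basket)
    used: set = set()
    print("original basket:", verify_auth_code(DEMO_KEY, nonce, code, basket, used))
    edited = PaymentContext("Grocer Ltd", 46_00, "EUR")  # amount changed after issuing
    print("amount changed: ", verify_auth_code(DEMO_KEY, nonce, code, edited, set()))
```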
Some Possible Exemptions For SCA
PSD2 requires strong customer authentication for most online or remote transactions; however, there are a few exceptions. The legislation may exempt certain low-risk payments from strong customer authentication. Even if the payment provider requests that an exemption be applied, the customer's bank always has the final say.
7 Most Frequent SCA Exemptions
- A low-risk transaction
Whether SCA is applied to a transaction may depend on a real-time risk assessment by the payment provider. This is only allowed if the provider's or bank's overall fraud rate for card payments is below the established thresholds.
- Payments less than €30
SCA may not apply to a transaction if its value is under 30 euros. The bank still needs verification if the exemption has been used five times in a row or the total amount of exempted payments reaches 100 euros.
- Subscriptions with a set price
SCA is applied only to the first payment when a consumer starts a fixed-amount subscription. SCA is not required for the recurring payments made to the same business in the same amount.
- Merchant-initiated transactions
Payments made with a saved card while the consumer is not present in the checkout flow may qualify as merchant-initiated transactions, which are outside the scope of SCA and must be handled separately.
This kind of transaction requires the user to enter their stored card data each time, regardless of how many purchases they make. As with any other exemption, it should be emphasized that the bank retains the final say.
- Trusted beneficiaries
Customers may be offered the option of designating a business as a "trusted beneficiary" during the first authentication for a payment. Subsequent purchases from a company on this list will not need SCA.
- Phone sales
This type of payment is categorized as "mail order and telephone order" and does not need SCA when card data are collected over the phone. As with any other transaction, it must be flagged appropriately, and the bank has the final say.
- Corporate payments
This exemption is especially common in the travel industry, where online travel agents use corporate credit cards to handle employees' travel expenses.
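The low-value exemption above combines a per-payment ceiling with two counters an issuer keeps per card since the last completed SCA. The following is an added example, not code from the page or any issuer; it interprets the page's limits as ceilings (a sixth consecutive exempt payment, or one that would push the exempted total past 100 euros, triggers SCA) and assumes that a triggered SCA always succeeds and resets the window.

```python
from dataclasses import dataclass

# Thresholds as stated on the page, in cents.
LOW_VALUE_LIMIT_CENTS = 30_00        # payment must be under EUR 30
MAX_CONSECUTIVE_EXEMPT = 5           # at most five exemptions in a row
CUMULATIVE_LIMIT_CENTS = 100_00      # at most EUR 100 exempted since the last SCA


@dataclass
class ExemptionCounters:
    """Per-card state the issuer keeps since the customer last completed SCA."""
    consecutive_exempt: int = 0
    exempt_total_cents: int = 0

    def reset(self) -> None:
        self.consecutive_exempt = 0
        self.exempt_total_cents = 0


def low_value_exemption_applies(counters: ExemptionCounters, amount_cents: int) -> bool:
    """Return True if this card payment may skip SCA under the low-value exemption.

    When False is returned the issuer challenges the customer. Assumption: the
    challenge succeeds, so the counters are reset and a new window begins.
    """
    within_value = amount_cents < LOW_VALUE_LIMIT_CENTS
    within_count = counters.consecutive_exempt < MAX_CONSECUTIVE_EXEMPT
    within_total = counters.exempt_total_cents + amount_cents <= CUMULATIVE_LIMIT_CENTS
    if within_value and within_count and within_total:
        counters.consecutive_exempt += 1
        counters.exempt_total_cents += amount_cents
        return True
    counters.reset()
    return False


def run_sequence(amounts_cents: list[int]) -> list[bool]:
    """Apply the rule to a sequence of payments on one card; True means exempt."""
    counters = ExemptionCounters()
    return [low_value_exemption_applies(counters, a) for a in amounts_cents]


if __name__ == "__main__":
    # Constructed sample: six EUR 10 payments; the sixth hits the five-in-a-row limit.
    print(run_sequence([10_00] * 6))
    # Constructed sample: four EUR 25 payments reach EUR 100; the next one needs SCA.
    print(run_sequence([25_00] * 4 + [1_00]))
```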