Ecommerce: Strong Customer Authentication and Payment Services Directive

Strong Customer Authentication (SCA) – a regulation regarding online payments in Europe – took effect in 2019. This regulation aims to reduce fraud and improve security.

If your customers are based in Europe and you accept credit cards and/or bank transfers, this applies to you.

The Background

The overarching regulation this falls under is called the second Payment Services Directive (PSD2), which exists to better protect consumers when paying online and make cross-border European purchases safer. SCA applies when the banks used by you (the seller) and your customers (the buyers) are both located in the European Economic Area (EEA). However, it may also apply if only your buyer's bank is in the EEA, so even if you aren't based in Europe, you should prepare for SCA if you have customers based in the European Union (EU). The decision about whether SCA is applied is made by the issuing bank.

The Process

When a customer (buyer) proceeds to make an online purchase through your store, they will enter their credit card details and then be asked to pass an extra authentication step. This authentication is set by the bank; one method would be to issue a one-time code via text message. Once the customer authenticates, their payment will be processed.

If the bank requires SCA but the customer hasn’t been asked to complete this, the transaction will be declined.

The Set-up

This step is mostly up to the payment gateways, which will adopt processes to ensure customers complete SCA during online payments.

There are a few things for you to consider as the seller, however. Read the following situations to understand what is expected of you.

Stores based outside of the EU

Although SCA is an EU regulation, it may still apply to you if your customers are based in the EU, even when you are not. The decision is made by the card-issuing bank, so it's best to prepare.

Stores based in the EU

SCA will apply when your bank and your customers' banks are based in the EU. Your approach will depend on your payment methods:

Accepting Credit Cards

If using Stripe or Square, as long as you are using one-page checkout your store will be compliant. Read more about one-page checkout here.

If using another platform to accept credit cards or bank transfers, contact the payment gateway support team for guidance on SCA. If your chosen gateway does not comply with SCA, consider switching your payment option to one that does.

Not Accepting Credit Cards

If you don't accept credit cards and customers instead pay via cash or another offline payment option, no action is needed. SCA only applies when a credit card is used.

Stores based in the UK

SCA will apply to the UK; however, an extension was issued for the UK and this has been slowly coming into effect. Full enforcement should come into effect in 2022.