As part of the European Union’s Revised Directive on Payment Services, Strong Customer Authentication (SCA) is integral to all businesses. Complying with the policies set out by the initiative should, therefore, be at the forefront of merchants’ minds.
On September 14, 2019, new obligations for online payment authentication went into effect as well, and businesses should ensure that payments across the EU are not only secure but easy and efficient. These obligations are expected to be fulfilled by December 31, 2020.
This post provides a guide to help merchants comply with the new SCA standards.
Firstly, it is important to know how to authenticate a payment. At the time of writing this post, the most popular method of authentication for online card payments is through the use of 3D Secure. Based in XML, 3D Secure adds an additional layer of security that occurs after a cardholder checks out.
For instance, during the process of making an online purchase, a customer would be asked by their bank to give additional information. This information may come in the form of a one-time code that is sent to the customer’s mobile phone. Another option for authentication is through a fingerprint if the customer is using a mobile banking application. This ensures that the customer’s identity is verified, as well as their consent to the transaction.
As for other methods of authentication, Google Pay and Apple Pay already have their own means to ensure that customers can make secure online purchases. For instance, payments typically require either a password or a fingerprint to verify one’s identity.
It should be noted that there are exemptions to SCA. For instance, payment providers can request exemptions during the payment process. What happens next is the customer’s bank would get the transaction request, assess the level of risk, and decide whether or not to approve the exemption.
Requesting this exemption is useful when it comes to the flow of customer checkout. This is because the extra authentication steps may put off a customer during the checkout process. Therefore, having exemptions, especially for low-risk payments and purchases, may reduce the customer drop-off rate, as well as lessen the tension between a customer and the business.
Another exemption to take into account is when transactions are below €30, which are considered as low value. However, it should be noted that if such exemptions occur five times since a customer’s last successful authentication, then a bank will need to request authentication. This also applies if the total sum payments that were previously exempt exceeds €100. Each customer’s respective bank has the responsibility to track down the number of times exemptions have been used, as well as decide whether or not to apply means of authentication.
When it comes to recurring payments, SCA is required for a customer’s first payment. Commonly used for subscription-based services, this exemption can help businesses and customers complete transactions at a faster rate.
Another exemption to take into account would be the case of corporate payments. For instance, when business travel expenses are made by an agent, payments can be made using virtual card numbers that are used in the travel industry.
As a business owner, it is integral to also understand that it is the issuing bank that holds the decision to proceed with an exemption or not. When an exemption request gets denied, for example, a customer would be asked to take those extra authentication steps in order to fully comply with SCA. A common solution for this would be to preemptively have authentication during the checkout process.
At Merchant Broker, we are dedicated to helping businesses both succeed and comply with SCA. To contact Merchant Broker and learn more about how our products can help, email firstname.lastname@example.org or call 1-888-668-0733.