What you need to know about PSD2 and Strong Customer Authentication (SCA)

Here we’ll tell you what online businesses need to know about the new regulations, and how we can help. 

The PSD2 deadline of September 14th has passed, but some e-commerce companies still have time to implement SCA for online card transactions (possibly up to 14 March 2021). As such, for those who still need to implement SCA, all of the information below still applies.

The new requirements, known as Strong Customer Authentication (SCA), are being put in place to reduce fraud and make online payments more secure. Once the European regulation comes into effect, online businesses will need to build additional authentication into the checkout flow.

EU Regulation Requirements (PSD2)

SCA requires authentication to use at least two of the following:

  1. Something the customer KNOWS (e.g. password or PIN)
  2. Something the customer HAS (e.g. phone)
  3. Something the customer IS (e.g. face recognition)

Strong Customer Authentication will apply to “customer-initiated” online payments. As a result, most card payments and all bank transfers will require SCA. Direct debits are considered “merchant-initiated” and therefore SCA does not apply to them.  

For online card payments, the requirements will apply to transactions where the business and the cardholder’s bank are both located in the European Economic Area (EEA), and we expect SCA to be enforced in the UK regardless of Brexit. 

Authentication 2.0

At the moment the most common way of authenticating an online card payment is through 3D Secure, a standard supported by most European cards. This authentication adds a step after checkout where the cardholder is prompted by their bank to input a one-time code sent to their phone, or do fingerprint authentication through their mobile banking app.  

3D Secure 2.0 is the upgraded authentication protocol rolling out this year, as the main method for authenticating online card payments to meet SCA. This version will provide better user experience, and reduce some of the current friction in the checkout flow. 

Exemptions for low value transactions 

Transactions below €30 are considered “low value” and may be exempt from SCA. However, banks will need to request authentication if the exemption has been used five times since the cardholder’s last successful authentication, or if the sum of previously exempt payments exceeded €100. Therefore the cardholder’s bank will need to track the number of times the exemption has been used and decide whether authentication is necessary.

While there will be various exemptions, a bank may choose to decline them and request SCA anyway. Quick authentication will therefore prove essential for customer experience and conversion rates.
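The counter logic for the low-value exemption described above can be sketched as follows. This is an added example, not code from Acuant or any bank; the class and method names are hypothetical, and it assumes the cumulative check is applied to the sum of previously exempt payments exactly as worded on this page.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as stated on this page.
LOW_VALUE_LIMIT = Decimal("30")    # payments below EUR 30 count as "low value"
MAX_EXEMPT_COUNT = 5               # exemption uses since the last successful SCA
MAX_EXEMPT_TOTAL = Decimal("100")  # sum of previously exempt payments, in EUR


@dataclass
class ExemptionState:
    """Per-card counters, reset on every successful authentication."""
    exempt_count: int = 0
    exempt_total: Decimal = Decimal("0")


class LowValueExemptionTracker:
    """Hypothetical issuer-side tracker; all names are illustrative."""

    def __init__(self):
        self._cards = {}

    def check_payment(self, card_id, amount):
        """Return True if SCA is required; otherwise record the exemption use."""
        amount = Decimal(str(amount))
        if amount <= 0:
            raise ValueError("amount must be positive")
        state = self._cards.setdefault(card_id, ExemptionState())
        if amount >= LOW_VALUE_LIMIT:
            return True  # not a low-value payment
        if state.exempt_count >= MAX_EXEMPT_COUNT:
            return True  # exemption already used five times
        if state.exempt_total > MAX_EXEMPT_TOTAL:
            return True  # previously exempt payments exceeded EUR 100
        state.exempt_count += 1
        state.exempt_total += amount
        return False

    def record_successful_sca(self, card_id):
        """Reset the counters after the cardholder authenticates."""
        self._cards[card_id] = ExemptionState()
```

Because the issuer may still decline an exemption, a merchant should treat a `False` result here as "authentication may be skipped", not as a guarantee.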

Acuant’s here to help

The good news is, we can help. Businesses are required to authenticate using two of the following:

  1. Something the customer KNOWS (e.g. password): enabled through Acuant Identity’s Alternative and Social Data
  2. Something the customer HAS (e.g. phone)
  3. Something the customer IS (e.g. face recognition): enabled through BioMatch

We enable SCA compliance with our market-leading solutions. We offer BioMatch facial recognition, which is an essential part of the SCA process, and we offer Acuant Identity’s Alternative and Social Data, which allows users to authenticate their identity using credentials and passwords. Using our solutions also means an electronic audit trail, which assists regulatory compliance. 

Our suite of solutions has been built to the highest technical standards and creates a smoother customer journey. This means less friction and less customer drop-off, which SCA is expected to cause a great deal of. Our products will therefore help companies comply, and also increase conversions dramatically when this new step is added to the customer journey.

We’ll get you SCA ready in less than a week

We can set you up with the product solution for SCA that best suits your business in less than a week, and in some cases within 24 hours.
