New requirements (SCA) for authenticating online payments will be introduced in Europe

On September 14th 2019, new requirements for authenticating online payments will be introduced in Europe as part of an ongoing effort to reduce online fraud. These requirements are known as Strong Customer Authentication (SCA) and are part of the European PSD2 regulation. Card payments will require a different user experience, namely 3D Secure 2, in order to meet SCA requirements. Transactions that do not follow the new authentication guidelines may be declined by the customer’s bank. These requirements present some challenges for any business that accepts payments from European customers.

Why SCA?

The new rule has been defined to protect European consumers against online fraud. The European Central Bank estimates the damage of online fraud involving credit cards at 1.3 billion euros on an annual basis. The European e-commerce market is expected to grow rapidly, and growth in online fraud is an expected side effect.

SCA is designed to make online payments more secure, and consequently safer, and to reduce the number of victims of online fraud scams.

Who is affected by SCA?

  • Businesses based in the European Economic Area (EEA), or that create payments on behalf of connected accounts based in the EEA
  • Businesses serving customers in the EEA
  • Businesses that accept credit and debit cards


How does SCA work?

In order to comply with the new rules, businesses have to update their payment process. Just signing up with your credit card number and CVC/CVV code will no longer be enough. SCA requires an additional authentication step in the payment process in order to prove that end customers are who they say they are, with specific rules around what constitutes ‘authentication’.

SCA requires authentication to use at least two of the following three elements:

  • Knowledge (something only the payer knows) – examples include a password, PIN, passphrase or secret fact/answer
  • Possession (something only the payer possesses) – examples include their mobile phone, smart watch, smart card or a token
  • Inherence (something the payer is) – examples include a fingerprint, facial recognition, voice patterns, DNA signature and iris format


Are all payments affected by SCA?

SCA will affect all transactions, even low-risk transactions; banks can request SCA at any time. Even businesses that primarily process low-risk transactions have to update their payment process so customers can complete authentication when requested by the bank.

For recurring payments, SCA will apply only to the first payment in a set of recurring payments of the same amount. However, if the amount changes, SCA will apply again.

In the end, the banks decide whether or not SCA is needed for a transaction. This is decided when the payment is processed.