Is your online payment workflow ready for SCA?

New regulations for online payments, called SCA, come into effect on 14 September 2019. In this post we’ll take a look at what they are, who they affect and what you can do to prepare yourself.

What Is SCA?

SCA stands for Strong Customer Authentication and is a new regulation for authenticating online payments. It has been designed to reduce the number of incidents of online fraud and to increase security around internet trade.

Once SCA is enforced, online payments will require at least two of the following three pieces of identification data:

  • Knowledge – Something known only to the user (e.g. a password)
  • Possession – Something only the user has access to (e.g. a mobile phone)
  • Inherence – Something that the user is (e.g. fingerprint)

If you’ve ever had to enable Two Factor Auth (2FA) on any of your existing web logins (e.g. receiving a code via text when you authenticate with Google), then SCA will be a familiar concept.

As most online payments do not currently capture this level of data, we expect to see major changes to checkout flows happening across the board in response to the new rules. The extra data requirements also impose additional complexity, which will have a negative impact on the short-term checkout User Experience, in favour of the better long-term User Experience of less fraud.

It is expected that organisations that are not ready for this change will see a significant drop in conversion rates when SCA comes into effect.

Who does SCA affect?

SCA will apply to any “customer-initiated” online card payment where both the payer and payee are within the European Economic Area (EEA). It is also still likely to be enforced within the UK regardless of whatever happens with Brexit.

There are a number of transactions that are exempt from SCA but the likelihood is that if you’re taking payments/donations online and are based in the UK, you’ll be affected!

The exemptions to SCA are:

  • Low-risk transactions
  • Payments below €30
  • Fixed amount subscriptions
  • Merchant-initiated payments
  • Trusted beneficiaries
  • Corporate Payments

How to prepare for SCA

If you’re currently taking “customer-initiated” online payments then you should speak with your payment provider to make sure that your checkout flow will be ready for when SCA comes into effect.

If you use an off-the-shelf solution then it’s likely that little to no changes will be required. For more bespoke integrations there will likely be changes that you need to implement. A number of the providers we typically use have issued specific advice on this matter:

When does SCA kick in?

14 September 2019

If you’d like to talk to us about how you can be prepared for SCA for your online payments or donation flows then please get in touch.

Further reading: Regulatory Technical Standards
