SCA (Strong Customer Authentication) was the first change introduced by the new PSD2 regulation to make payments more secure, we previously discussed PSD2 and its changes in 2021, as well as its impact on conversions. Starting from 14 September 2019 online payments in Europe were required to perform two or more factor authentication steps. Basic security measures like usernames and passwords became no longer sufficient for security purposes, therefore, authentication with at least two of the elements below became necessary:
Information that only the customer knows
- Passwords
- Security questions
Something possessed only by the customer
- Telephone
- Token
- Wearable device
Something that uniquely identifies the customer
- Fingerprint
- Facial recognition
- Voiceprint
- Iris scan
- DNA signature
For two-factor authentication you can also use the most recent development, biometric security, already used to a significant extent on smartphones, such as a fingerprint or retina scan.
Are there exemptions to SCA? Certainly, if you want more details, we explored all exemptions in detail in this insight, here is a brief sum-up:
- Low-value or low-risk transactions. Transactions under €30, which added together over 24 hours do not exceed € 100 or five exempt transactions. Low-risk transactions, whose low degree of risk is identified after a careful analysis of all information by a payment service provider. These transactions are exempt from SCA only if the percentage of card payment fraud of the payment provider does not exceed these thresholds:
0.13% for transactions up to € 100
0.06% for transactions up to € 250
0.01% for transactions up to € 500 - Subscriptions. Subscriptions or recurring transactions with a fixed value. In these cases, SCA will be required only for the first transaction (and not for the subsequent automatic renewals). If at a certain point, the cost of the subscription or the recurring transaction changes, 3DS will be requested again. This obviously does not apply to the products whose cost varies depending on period and use (e.g. costs based on consumption), which are classified as “merchant initiated” transactions (MIT) and, therefore, are exempt from SCA.
- Trusted beneficiaries. Customers may add a company to the list of “Trusted beneficiaries”. SCA will be requested only for the first payment to that company and the customer may then continue to purchase from this company with no need for SCA.
- MOTO transactions. All orders made via post or telephone will always be exempt from SCA, as they are not considered electronic payments.
- Inter-regional transactions. All payments, in which the issuer or acquirer resides outside Europe, are exempt from SCA. Therefore, it will not be a problem to accept payments in the EEA (European Economic Area) if the purchaser does not belong to the Member States: there will be no need for two or more factor authentication.
And here’s 3DS 2.0
The other improvement in consumer protection is the transition to 3DS 2.0 security protocols. The current 3DS has many limits, starting from the fact that it uses a pop-up window with a different URL. If phishing sites immediately come to mind, you’re on the right track. Basically, the risk is greater if a tab of this type is used, as it is visually very similar to the fake ones created for online fraud. There are also operational problems, for example, the saving of a set password (there are also temporary ones) for the original 3DS, which may unnecessarily complicate the experience of users who have multiple cards. In addition to this, there was no obligation to implement 3DS as a security measure, and this used to increase risks for the consumer.
Among other downsides of the 3DS1 protocol: redirect to the bank for authentication, which interrupted the flow of customer journey risking shopping cart abandonment, and deteriorated UX and purchasing process. One-time passwords was often a requirement with 3DS1, which was also not optimal and disruptive for the customer, since it required an excessive effort; authentications were complex, flows were confusing, and for each country there were different requirements, which was not coherent with global businesses operating all over the connected world, which made the compliance with legislations and banks in different countries messy.
All of this changed with the introduction of 3DS 2.0, when SCA became obligatory in the UK, albeit later than in the rest of Europe, where 3DS 2.0 became compulsory by law on 14 September 2019. 3DS 2.0 enabled the use of biometric methods, thus reducing the number of frauds and improving the experience of consumers, who are not required anymore to remember countless passwords. Another element that was lacking in the old system is the possibility to pay with virtual wallets and not only cards. In addition, as is the case for SCA, 3DS 2.0 is not required for subscriptions and instalment payments either. SCA and 3DS 2.0 are just two of the changes introduced with the European PSD2 regulation. If you want to discover all of the changes and innovations introduced by the PSD2, we suggest you take a look at the related article: What is PSD2: a step forward towards open banking.
