What is Strong Customer Authentication (SCA)?

As business owners, we all want to sleep easy knowing that our customers can safely pay for our goods and services.

One new requirement that aims to improve payment security is Strong Customer Authentication (SCA). But what is SCA and how will this affect businesses in the UK?

What is Strong Customer Authentication?

Strong Customer Authentication is a recent requirement that aims to improve security when electronic payments are made. In essence, it means customers will need to provide two types of authentication when making a payment.

SCA forms part of the EU’s Revised Payment Services Directive, known as PSD2 – a set of laws and regulations on payment security within the European Economic Area. SCA will apply in the UK as PSD2 was passed into law before Britain left the EU.

What does SCA mean for UK businesses?

Strong Customer Authentication is something that every UK business that takes card payments – online and offline – should be aware of. Here is a summary of how SCA affects different types of payment.

In-store payments

• SCA now applies in the UK for face-to-face payments.
• Your customers may sometimes have to enter their PIN when making contactless payments.
• Alternatively, digital wallet payments like Apple Pay or Google Pay, can now be accepted as a form of authentication.

Online payments

• All Merchants, e-commerce gateways, acquirers and issuers will be gradually rolling out SCA to e-commerce payments before 14^th March 2022 in the UK.
• Customers will need to provide another form of ID, in addition to their card details, such as a one-time passcode sent via SMS by their issuer.
• Businesses taking online payments must use a 3D Secure v2.1 compliant plug-in on or before 14^th March 2022.

How to meet SCA requirements

Strong Customer Authentication works on the basis that customers need two forms of ID at the checkout, whether online or offline. Under the rules, the identification required can be broken down into three categories:

1. Knowledge – ‘Something you know’, such as a password or PIN code.
2. Possession – ‘Something you have’, such as a mobile phone, device or payment card.
3. Inherence – ‘Something you are’, such as a fingerprint or voice activation.

SCA means there is a now legal requirement on banks and merchants to verify the customer’s identity as described above. In order to meet SCA requirements, you may have to upgrade your in-store payment terminal (obviously we would say that, but it’s true!). Having PCI compliant payment systems can give peace of mind to you and your customers.

What’s more, your customers can make secure online payments through Tyl’s payment gateway (fees and eligibility criteria apply), as long as you use a unique Tyl payment link to a 3DS 2.1 compliant hosted payment page.

What is the point of SCA?

Payment fraud is a sad reality that every business owner has to watch out for. In the UK alone, card fraud losses rose from over £271m in 2010 to almost £450m by 2019, according to a 2020 UK Finance report. The EU aims to reduce payment fraud across Europe with the introduction of SCA and the broader payment services directive.

Are there SCA exemptions?

Yes, SCA does not need to be applied to all transactions. Here are some of the SCA exemptions when you’re selling to customers:

• Low payments – Remote purchases of less than €30 (or the equivalent in pounds), or €50 for contactless payments, are exempt from SCA requirements. Note that after five consecutive transactions, SCA must be applied; for example, the customer must type their PIN.
• Recurring payments – If your customer makes a recurring payment (such as a subscription), SCA is only applied when they set up the first transaction.
• Trusted sellers – A customer can ‘whitelist’ a trusted website so that they don’t have to authenticate a payment each time.
• Secure corporate payments – SCA is exempt when payments are made through legal entities, such as other companies with dedicated protocols.
• Low risk transactions – You can get a TRA (Transaction Risk Analysis) exemption; this is where merchants use a risk analysis tool to give a real-time verdict that SCA is not necessary as the fraud risk is deemed to be low.

How Tyl can help you meet SCA requirements

Any change brings a degree of uncertainty, so by using a Tyl card machine like the all-singing, all-dancing Clover Flex, or the pint-sized Portable card reader, you won’t have to sweat about SCA. That’s because your Tyl machine will seamlessly ask for SCA authentication when a customer makes a payment using one of our terminals.

If your business accepts online payments, the Tyl payment gateway solution offers protection by authenticating every transaction with 3DS v2.1, giving you and your customers peace of mind.

Disclaimer

This has been prepared by Tyl by Natwest for informational purposes only and should not be treated as advice or a recommendation. There may be other considerations relevant to you and your business so you should undertake your own independent research.

Tyl by Natwest makes no representation, warranty, undertaking or assurance (express or implied) with respect to the adequacy, accuracy, completeness, or reasonableness of the information provided.

Tyl by Natwest accepts no liability for any direct, indirect, or consequential losses (in contract, tort or otherwise) arising from the use of the information contained herein. However, this shall not restrict, exclude, or limit any duty or liability to any person under any applicable laws or regulations of any jurisdiction which may not be lawfully disclaimed.