It might sound like a long time away, but September 14, 2021 will be here before you know it. That’s the deadline when Strong Customer Authentication (SCA) will become the requirement on all electronic payments in the U.K. With so many small businesses already taking online payments due to the impact of COVID-19, it’s critical to make sure your business is ready for compliance and familiar with the regulations included in the Second Payment Services Directive (PSD2).
Delayed and delayed again
You might recall that the SCA enforcement date across the European Economic Area (EEA) was originally slated for September 14, 2019. But as this date approached, it became clear that the industry was not yet ready for a change this big. To ease the burden on businesses, the European Banking Authority announced in June 2019 that each country in the EEA could delay SCA implementation. All markets decided to delay and announced a range of new timeframes - typically giving an extra 12-18 months. Then the pandemic hit and the date for SCA was moved to September 14, 2021.
SCA was introduced as a core component of the Payment Services Directive 2 (PSD2) and created to combat the effects of fraud on consumers and merchants. It improves security and makes payments cheaper for consumers – both of which have implications for merchants. PSD2 introduced legislative changes to the way European payments are processed and has significantly altered how money is handled by both businesses and consumers. The new difference with SCA is that all electronic payments will require two-factor authentication (2FA) from the cardholder to prove that the transaction isn’t fraudulent.
What is 2FA?
2FA is something you are most likely familiar with. It requires the cardholder to authenticate their payment using two of the following three factors:
Electronic payments should become more secure for everyone, increasing consumer confidence in buying online and reducing fraud. However, if it becomes too complex, it is possible that consumers will be put off completing their purchases if there are extra hoops to jump through. This is where SCA exemptions come in.
SCA exemptions and exclusions
Once SCA is enforced, it does not mean that your customers will be challenged every single time they make a payment. It is possible to exclude or exempt certain payments from full SCA, in the following circumstances.
SCA exclusions
Some transactions are not in the scope of PSD2 which means SCA should not be required. The key exclusions are:
SCA exemptions
Transactions that are in scope of PSD2 can still avoid full 2FA for several reasons, including:
Merchants looking to minimize the chances of customers being forced to use SCA before they buy may want to look at modern fraud management tools which use behavioural analytics and machine learning to assess risk in real time. Even when SCA is necessary, there are steps you can take to keep friction at a minimum. For example, the latest 3D-Secure standard supports the use of biometric authentication like smartphone-based facial recognition and fingerprint readers. There’s also improved integration with checkout pages, which could help enhance the payment experience.
What happens if you’re not SCA compliant by September 14, 2021?
European regulators are very unlikely to delay again. When the new deadline comes, you must be ready to go. If you’re not, you risk a sizable increase in declines on European payments, which would be very frustrating for you and your customers. After the deadline, EEA issuers will expect every payment to have either SCA through 3DS2 or an exemption flag. If the payment has neither of these, there is a significant chance that it will be declined – costing you revenue.
Worldpay can help you make the most of the exclusions and exemptions you can receive, keeping your checkout flow as frictionless as possible. We can also provide you with the tools you need to help manage SCA, qualify for exemptions and maintain PSD2 compliance. Talk to a Worldpay payment expert and find out how our payment solutions can help you become SCA compliant.