An Introduction To Strong Customer Authentication (SCA)

Strong Customer Authentication

The basics of SCA

A new regulation known as SCA, or Strong Customer Authentication, comes into force on 14th September 2019. Put simply, SCA will require retailers to leverage more than one method in order to confirm their customers’ identities.

From September, if you accept payments online, you’ll need to authenticate your customers with at least two independent methods. It may sound complicated, but don’t worry, if you take a little time now to learn about SCA, you’ll save yourself a future headache down the road.

eCommerce Payments After Strong Customer Authentication (SCA)

With SCA, you can choose from three different means of authentication:

• A detail or fact which only this specific person would know, such as their childhood pet or mother’s maiden name.
• A physical biometric check via a smart device, like Face ID or a fingerprint scan.
• You can send a push notification to the customer’s smart device and have them tap to confirm.

In order for a transaction to be verified, the customer will need to authenticate the sale using any two of these three methods.

How to get ready

You may be wondering how you can best prepare for SCA. Well, if you’re already an online merchant, you probably have a payment gateway in place already which uses something called 3D Secure. With SCA, there’ll be an update rolling out to these gateways called 3D Secure 2.

As part of this update, the checkout process will now present the buyer with the three options to complete – and will only verify the transaction once completed. It’s worth checking if your payment gateway – such as some NFC payment methods – already features these checks.

What is SCA


What if I’m based outside of Europe? Will SCA still impact me?

The SCA regulation will apply to you if you’re based outside of the EEA (European Economic Area) – but only if a customer is attempting payment from within it. Essentially, it’s not your location that dictates the use of SCA, but the buyer themselves.

Is SCA required for all transactions?

No, not every transaction will require this authentication. Anything which falls below a certain price threshold – usually around €30 – won’t require SCA authentication unless the buyer has made multiple transactions or exceeded a total of €100.

Which of the existing payment gateways already support SCA?

As of July 2019, SCA is enabled for the PayPal, Stripe, Amazon Pay and Global Payments Gateway processors. If you use a different payment gateway, please contact them to confirm their readiness for SCA. Note that, if your gateway hasn’t been updated for SCA prior to September 14th, payments from within Europe will be automatically declined.

Are subscription payments affected by SCA?

SCA covers all online payments, included subscriptions. Your subscribers will need to use SCA authentication for their first payment after September 14th, but after that, following payments (provided they’re for the same amount) will be verified automatically.