What is SCA? (+ How it Benefits Consumers)
With the rise of online payments and financial transactions, the need for secure authentication methods has become increasingly important. SCA, which is short for Strong Customer Authentication, is one method that ensures online transactions are safe by requiring customers to provide two or more forms of authentication to verify their identity.
It's a requirement of the Payment Services Directive 2 (PSD2) in the European Union, but its importance extends beyond the EU, as financial institutions around the world seek to protect their customers and prevent fraud. But what exactly is SCA?
In this article, you’ll learn all about Strong Customer Authentication, how to implement it, the benefits and challenges, and how to be prepared so you can keep your business and customers safe.
Table of contents
- What is SCA?
- SCA for online payments
- SCA for physical payments
- Are there exemptions to Strong Customer Authentication?
- Is SCA mandatory for businesses?
- How can you implement SCA?
- What are the benefits of SCA?
What is SCA?
SCA is a security protocol that is designed to protect online payments and financial transactions from fraud and unauthorized access. Its purpose is to ensure that only authorized parties can access sensitive financial information and initiate transactions.
SCA requires customers to provide two or more forms of authentication to verify their identity during certain high-risk financial transactions. These authentication elements are divided into three categories: knowledge, possession, and inherence.
- Knowledge-based authentication requires the customer to provide something they know, such as a password, PIN, or answer to a security question.
- Possession-based authentication requires the customer to provide something they have, such as a mobile device or smart card.
- Inherence-based authentication requires the customer to provide something they are, such as a fingerprint or facial recognition.
Strong Customer Authentication is required in situations where the risk of fraud or unauthorized access is deemed to be high. For example, it is required for all electronic payments within the European Union under the Payment Services Directive 2 (PSD2). SCA is also required for online transactions such as money transfers, account access, and e-commerce purchases. Financial institutions implement SCA to reduce the risk of fraud and provide a more secure environment for customers.
SCA for online payments
In online payments, customer authentication is employed by asking the customer to enter their card number, expiration date, and CVV (something they know). Then a one-time password (OTP) is delivered to their smartphone via SMS (something they have). The customer must unlock their phone using biometrics like facial recognition or fingerprint (something they are).
All of this happens in a matter of seconds and through 3D Secure technology.
SCA for physical payments
In physical payments, strong customer authentication involves the customer using their physical credit card (something they have) to complete a transaction. During the payment process, they have to enter their PIN (something they know), and in contactless digital wallet or card payments, they have to use facial recognition (something they are) to authorize the payment.
Are there exemptions to Strong Customer Authentication?
To reduce friction and increase customer satisfaction, Strong Customer Authentication exemptions can be used for low-risk payments. Payment service providers (PSPs) like MONEI can request these exemptions during payment processing, and the cardholder's bank will then assess the risk level of the transaction before deciding whether or not to approve the exemption.
Strong Customer Authentication can add friction to the checkout process and lead to a drop in customer retention. By using exemptions for low-risk transactions, you can reduce the number of times a customer needs to authenticate. That’s why at MONEI, we give you the option to configure 3D Secure authentication settings in your account. This way, you can set the criteria that work best for your business. Taking advantage of these exemptions when possible can help improve your conversion rates.
The most relevant exemptions for online businesses include:
Low-value transactions
Payments below €30 may be exempted from SCA as they are considered "low value". But there are limitations to this exemption — banks need to request authentication if the exemption has been used five times since the cardholder's last successful authentication or if the total amount of previously exempted payments exceeds €100.
The cardholder's bank is responsible for keeping track of the number of times this exemption has been used and deciding whether authentication is required. While this exemption is available, for most payments the low-risk transaction exemption is usually the better choice because its limits are less strict. With MONEI, you can take advantage of this exemption by configuring 3D Secure authentication settings in your account.
Low-risk transactions
Transactions that are considered low-risk based on their fraud indicators are exempt from SCA. These indicators may include the transaction amount, the frequency of transactions, and the history of the customer's behavior. At MONEI, we can activate this exemption for transactions below €250 as long as there are no fraud indicators, for example, a history of suspicious activity.
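The two exemptions above are decisions the cardholder's bank makes from per-cardholder counters, and the interplay of the count limit, the cumulative-amount limit, and the reset on a successful authentication is easier to see in code than in prose. The following is an added example, not MONEI's code or any issuer's actual implementation: it models an issuer-side decision function using the thresholds stated on this page (below €30, five uses, €100 cumulative, below €250 with no fraud indicators). The names `CardholderState`, `Transaction`, `decide` and the string results are assumptions made for this illustration, and the exact boundary semantics ("has been used five times", "exceeds €100") are read literally from the text; real issuers may apply them differently.

```python
from dataclasses import dataclass
from typing import List, Optional

# Thresholds as stated on this page (euros). Constructed constants for the example.
LOW_VALUE_LIMIT = 30.0            # "payments below €30"
LOW_VALUE_MAX_USES = 5            # exemption "used five times since the last successful authentication"
LOW_VALUE_MAX_CUMULATIVE = 100.0  # "total amount of previously exempted payments exceeds €100"
LOW_RISK_LIMIT = 250.0            # "transactions below €250 as long as there are no fraud indicators"


@dataclass
class CardholderState:
    """Counters the cardholder's bank keeps since the last successful SCA (hypothetical model)."""
    low_value_uses: int = 0
    low_value_cumulative: float = 0.0

    def record_successful_sca(self) -> None:
        # A completed authentication resets both low-value counters.
        self.low_value_uses = 0
        self.low_value_cumulative = 0.0


@dataclass
class Transaction:
    amount_eur: float
    requested_exemption: Optional[str]   # "low_value", "low_risk", or None
    has_fraud_indicators: bool = False


def decide(state: CardholderState, tx: Transaction) -> str:
    """Return 'exempt:low_value', 'exempt:low_risk' or 'sca_required' and update the counters."""
    if tx.requested_exemption == "low_value":
        if (tx.amount_eur < LOW_VALUE_LIMIT
                and state.low_value_uses < LOW_VALUE_MAX_USES
                and state.low_value_cumulative <= LOW_VALUE_MAX_CUMULATIVE):
            # Exemption granted: the bank records the use and the exempted amount.
            state.low_value_uses += 1
            state.low_value_cumulative += tx.amount_eur
            return "exempt:low_value"
        return "sca_required"

    if tx.requested_exemption == "low_risk":
        # The low-risk (TRA) exemption carries no running counters in this model,
        # only an amount ceiling and the absence of fraud indicators.
        if tx.amount_eur < LOW_RISK_LIMIT and not tx.has_fraud_indicators:
            return "exempt:low_risk"
        return "sca_required"

    # No exemption requested: the transaction is authenticated.
    return "sca_required"


def run_scenario() -> List[str]:
    """Constructed sequence: five €29 low-value requests, then a successful SCA, then more requests."""
    state = CardholderState()
    results = []
    for _ in range(5):
        results.append(decide(state, Transaction(29.0, "low_value")))
    # The fifth request is refused: only four uses so far, but €116 already exempted.
    state.record_successful_sca()
    results.append(decide(state, Transaction(29.0, "low_value")))   # counters reset: granted again
    results.append(decide(state, Transaction(200.0, "low_risk")))   # under €250, no indicators
    results.append(decide(state, Transaction(200.0, "low_risk", has_fraud_indicators=True)))
    results.append(decide(state, Transaction(300.0, "low_risk")))   # over the €250 ceiling
    results.append(decide(state, Transaction(35.0, "low_value")))   # not below €30
    return results


if __name__ == "__main__":
    for i, outcome in enumerate(run_scenario(), 1):
        print(f"transaction {i}: {outcome}")
```

Note that in the scenario the cumulative limit, not the count limit, is what stops the fifth €29 payment, which is why the page suggests the low-risk exemption is usually the more useful one for everyday amounts.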
Fixed-amount transactions (subscriptions)
For businesses that offer fixed-amount subscriptions, Strong Customer Authentication may not be required for subsequent charges after the customer's first payment, as long as the recurring payments are made to the same business. With MONEI, you can update the subscription amount without having to do 3D Secure authentication again. This exemption helps reduce friction in the checkout process and is supported by most European banks.
At MONEI, we enable this exemption by detecting when the transaction is a subscription or recurring payment. Our system automatically applies the exemption when relevant and can help manage authentication requests if the exemption is rejected by the customer's bank, making it easier for your business to meet SCA requirements.
Trusted beneficiaries
If customers trust a business, they may choose to allowlist it during payment authentication to avoid authenticating future purchases. These trusted businesses are added to the customer's bank or payment service provider's "trusted beneficiaries" list.
But not all banks have adopted this feature, despite the potential convenience it offers for repeat purchases or subscriptions. If you’d like to add this exemption to your MONEI account, contact support.
Merchant-initiated transactions (including variable subscriptions)
Merchant-initiated transactions are payments made with saved cards when the customer is not present in the checkout flow, also known as "off-session" payments. These transactions are technically outside the scope of SCA, but requesting an exemption is still required.
Ultimately, it’s the bank's decision whether authentication is necessary for the transaction.
To use merchant-initiated transactions, authentication of the card is needed when it's being saved or during the first payment, and a customer agreement (mandate) is necessary to charge the card later.
This exemption is essential if your business requires delayed payments, variable amount subscriptions, or additional charges. It’s supported by most European banks and is accepted when the transaction is considered low-risk.
MONEI’s Payments API lets you authenticate a card when it’s being saved for future transactions and label subsequent payments as "merchant-initiated transactions."
Corporate payments
The "lodged" card exemption covers payments made with corporate cards that are held directly by a particular online travel agent to manage employee travel expenses. It also applies to corporate payments made with virtual card numbers, which are frequently used in the travel sector.
This exemption doesn’t have much use outside of the travel industry and can only be requested by the cardholder's bank. Businesses and payment service providers (such as MONEI) can’t determine if a card falls under these categories.
Payments processed over the phone
Payments made over the phone, known as “Mail Order and Telephone Orders” (MOTO), are not subject to SCA and do not require authentication. But MOTO transactions must be clearly identified and the cardholder’s bank makes the final decision to approve or decline the transaction.
MOTO payments are an essential payment method for businesses that accept phone orders and are widely supported by banks. This is not an exemption that most MONEI merchants use, but if it’s required for your business, contact support to discuss setting it up.
Is SCA mandatory for businesses?
Strong Customer Authentication applies to online and contactless offline payments initiated by customers within Europe. Most card payments and bank transfers require SCA. But recurring direct debits are categorized as "merchant-initiated" and do not require Strong Customer Authentication.
For online card payments, these regulations apply to transactions where both the business and the cardholder's bank are situated within the European Economic Area (EEA).
How can you implement SCA?
- Identify which transactions require SCA. First, you need to determine which transactions require SCA. This will typically involve assessing the level of risk associated with each transaction.
- Choose authentication elements. Then, choose which authentication elements you will use for SCA. This will typically involve a combination of knowledge, possession, and inherence-based authentication.
- Develop and implement the technology. Lastly, develop and implement the technology required for SCA. This may involve upgrading existing systems or implementing new ones.
💡Pro Tip: A good PSP will help you safely manage online payments with built-in PSD2 compliance and SCA technology. Get started with MONEI ››
What are the benefits of SCA?
Protection from fraud and identity theft
SCA is an effective method for protecting customers from fraud and identity theft. By requiring multiple forms of authentication, it becomes much more difficult for unauthorized parties to access sensitive financial information or initiate fraudulent transactions.
Compliance with regulations
Financial institutions are required to comply with various regulations and standards to ensure the security of their customers' information. SCA is one such requirement, and implementing SCA helps financial institutions meet these regulatory requirements.
Payment service providers (PSPs) like MONEI also need to be compliant and the security trickles down to your business if you integrate your e-commerce store with a payment gateway to securely accept online payments.
💡Pro Tip: Check out our guide on how to choose the best payment gateway for your e-commerce business to learn what questions to ask and factors to consider before you select a payments partner.
Builds trust between customers and financial institutions
By implementing SCA, financial institutions demonstrate their commitment to protecting their customers' financial information, and this builds trust.
But how does this apply to e-commerce? Good question. Adding SCA in the form of 3D Secure authorization to your e-commerce store for transactions over a certain amount, for example, can help build trust with your customers.
Moving forward with SCA
As the world becomes increasingly digitized, SCA will continue to play a critical role in ensuring the security of online payments and financial transactions. Financial institutions and businesses (including e-commerce) need to stay up to date with the latest SCA technologies and regulatory requirements to protect customers' sensitive financial information and prevent fraud.
While there are some challenges associated with implementing SCA, with the right PSP you can overcome them and make sure your e-commerce transactions are safe, secure, and PSD2 compliant.
🎓Find more definitions in our payment industry glossary.
Alexis Damen
Alexis Damen is a former Shopify merchant turned content marketer. Here, she breaks down complex topics about payments, e-commerce, and retail to help you succeed (with MONEI as your payments partner, of course).