As a part of the PSD2 regulation launched in September 2019, the Strong Customer Authentication (SCA) requirement came into effect. The regulation covers the types of payments that are impacted by SCA, as well as exempted payment scenarios that are not subject to the new requirement. To learn more about this topic, we prepared a short read covering the definition of SCA, how it works, and online payment scenarios in which SCA is not necessary.
Strong Customer Authentication (SCA) is defined as an additional layer of security for online payments. More precisely, SCA is based on at least two pieces of information from the following categories:
In practical terms, this means that consumers will perform additional checks in order to verify their authenticity.
SCA is additionally enhanced with Dynamic Linking, which aims to prevent social engineering attacks such as the "man-in-the-middle" attack.
To ease the online payment process for both cardholders and merchants, PSD2 includes SCA exemptions: online payment scenarios that are not subject to the new requirement. It is important to emphasize that not every transaction that qualifies for an SCA exemption will be automatically exempted. The issuing bank has the last word on whether the exemption is granted or not. In other words, even if the transaction meets all the criteria to be classified as an SCA exemption, the cardholder might still be obligated to authenticate themselves using the standard SCA method if the issuing bank requires such an approach.
The following transactions are classified as SCA exemptions:
Low-value transactions – online payments under 30 euros (limited by a certain number of possible low-value transactions in a day or by a cumulative value spent in a predefined time period).
Subscriptions and recurring payments – transactions whose value is the same each time a payment is processed.
Transaction risk analysis – transactions that are deemed low risk based on predefined technical criteria rather than the transaction's value.
Whitelisting – a cardholder can flag individual online merchants as "trusted" with their issuing bank in order to avoid SCA during the checkout process.
Luckily for merchants and issuing banks, 3D Secure 2 is fully aligned with the PSD2 directive and includes SCA as a key feature that promotes safer-than-ever online payments.
Security is not the only concern addressed by implementing the new 3D Secure 2 protocol. This upgrade solves the issue of high cart abandonment rates, promotes "frictionless authentication" and does not interfere with user experience during the online checkout process.