Strong Customer Authentication – are you ready?


In the UK alone, more than £2 billion was stolen via debit and credit cards in 2017. Strong Customer Authentication (SCA) is part of the new PSD2 European regulations, effective 14th September 2019. The new regulations are designed to make paying online more secure and to reduce fraud.

The premise of SCA is to add an extra level of security to the process of making payments online, to ensure they are being made by the right person.

This will apply to debit and credit card payments and to online bank transfers. The extra level of security is based on something the customer knows, has or is. It could be a password, PIN or secret fact known only to the customer; it could be a text sent to a mobile phone; or it could be facial recognition or a fingerprint.

The responsibility for implementing Strong Customer Authentication rests with the Payment Service Providers and banks, so businesses don’t need to drive the process. They will, though, need to ensure that any changes in processes are communicated to customers and potentially implemented on websites and within their own processes.

The most obvious effect of SCA will be an extra step required to purchase online. VISA has a new process, ‘3D Secure 2’, in development, but this is unlikely to be ready in time for the 14th September. When its predecessor, ‘3D Secure’, was implemented, users saw a marked conversion drop-off during the checkout process.

We would therefore recommend that businesses consider starting to communicate the forthcoming changes to customers now, to warn them of the change and to explain that the enhanced security will make the extra step worthwhile.

The good news!

There are lots of exemptions to Strong Customer Authentication. For example, Paperless Direct Debits (DDRs) are exempt from SCA, as they are merchant-initiated. Payer-initiated payments are caught by SCA, as this is where fraud typically occurs. If you’ve been thinking about implementing GoCardless, now might be a great time to do so!

It will be possible for customers to add businesses to a ‘whitelist’, so that all transactions with those businesses become free from SCA. Payment providers are preparing methods to handle this option, but as yet none have been announced.

What should you do?

  1. Check your payment options. Stripe, GoCardless, Worldpay and PayPal have good explanations on their websites.
  2. Speak to your web developer if you have an online shop or payment option. Check whether you are up to date and ready.


PLEASE NOTE: The FCA position on these requirements has changed. Find out more here.
