Strong Customer Authentication – stronger security for the online economy

6th November 2019

By Steve South
Strong Customer Authentication (SCA), which gives the online economy greater protection from fraud, will now be phased in, and UK businesses must be fully compliant by 14 March 2021. In the meantime, they must be able to demonstrate that they are starting to take the steps required to meet the terms of the plan from the original deadline.

Why has the deadline been extended?

The original deadline for Strong Customer Authentication set by the European Union’s rules was 14 September 2019.  But the UK’s Financial Conduct Authority has decided to extend it by 18 months.  This reflects the view of the European Banking Authority that businesses need longer to get themselves ready.

What does it mean?

In short, the EU Revised Directive on Payment Services (PSD2) requires electronic payments to be made using multi-factor authentication. Consumers making a payment will have to use two separate types of validation, chosen from three possible options:

  1. Something you know (eg a PIN number)
  2. Something you have (eg card/phone)
  3. Something you are (eg fingerprint)

It applies to transactions made in the European Economic Area (EEA) where both the payer and the payee are in the region. Furthermore, it will be the responsibility of the issuers to put in the authentication measures of their choice.

Are there any exemptions?

Yes, there are a number of exemptions although they will be at the discretion of the issuer. They cover the following key areas:

  • Recurring payment exemption and low value payment exemption, i.e. payments of less than 30 Euros: although if there are more than five consecutive low value payments, or if they exceed 100 Euros in total, SCA will be needed.
  • Whitelisting: where customers are able to add their trusted merchants to their record with their issuer. However, issuers may still reject the request at their discretion and will continue to ask for authentication.
  • Secured corporate payment exemption: where a transaction is made by a legal person, for example a business rather than an individual consumer.
  • Low risk transaction exemption (or Transaction Risk Assessment – TRA): where payment service providers can choose not to apply SCA to remote payment transactions if they consider them to be a low fraud risk. However, the conditions for this can be complex.

What’s the background to SCA?

Fraudsters continue to find more sophisticated ways of tricking businesses and individuals into divulging passwords or into making fraudulent payments. Losses are therefore continuing to increase.  Security measures such as Address Verification System (AVS) or the CVC verification that you see on some credit and debit cards have not been as robust as hoped.  This is why consumers have been able to dispute fraudulent payments made on their cards.  The European Commission has therefore acted to help reduce the number of cases of fraud with SCA measures.

Our advice

Businesses need to consider the impact of the new rules now and start putting measures in place to ensure that they comply. So, keep in touch with your payment service provider to understand what changes they are making to their systems and how they will affect you.

We suggest that you think about the exemptions and how they may apply. Depending on how your business works, there may be an impact on the payment journey. It may look different to customers and you may wish to point this out ahead of time. You may also think about asking your customers to whitelist your business with their card issuer to avoid the authentication process whenever they make purchases in the future.

Of course, the Wise & Co team is available to discuss any of these issues as well as other challenges facing your business.

About the author

Steve joined Wise & Co in 1989 where he trained and qualified as a chartered accountant. He is now a general practice partner, as well as the firm’s IT partner. Steve’s experience spans a range of industry sectors and businesses of varying sizes. VAT and property remain of particular interest to him and he has advised many investors and developers alike on VAT planning and recovery. He has also been involved with many mergers and acquisitions and has assisted clients with the sale of their businesses.
