Understanding Strong Customer Authentication and What to Expect

The rapid rise of digital banking across the global economy has made securing transactions and protecting consumers a growing priority. As payment fraud increases, with global losses projected to reach a staggering $40.62 billion by 2027, businesses and governments are turning to meaningful customer authentication as a way to crack down on identity theft.

The European Union, in particular, has led the charge by introducing Strong Customer Authentication (SCA) regulations as part of the Payment Services Directive 2 (PSD2). These regulations protect consumers throughout the European Union (EU) and the broader European Economic Area (EEA).

By 2022, SCA will become compulsory for businesses with customers living and working in the EEA. For enterprise payment processors, the challenge then lies in supporting implementation while delivering a frictionless consumer experience.

As a business owner, CFO, or finance professional, you may be wondering what Strong Customer Authentication is, whether your business needs to comply, which payment processors support SCA, and how to manage SCA if your database lives in Salesforce. This guide provides a quick overview of Strong Customer Authentication and how Blackthorn supports SCA natively in Salesforce.

What is Strong Customer Authentication (SCA)?

Strong Customer Authentication (SCA) is a requirement introduced by the EU Payment Services Directive 2 (PSD2) to minimize fraud and make electronic payments more secure. PSD2 aims to protect consumers, promote banking innovation, and facilitate safer cross-border European payment services.

SCA came into effect in 2019, but due to infrastructure delays and challenges brought on by the global coronavirus pandemic, the EEA approved delaying the implementation deadline for countries that requested additional time. For example, a new enforcement date of March 14, 2022 has been set for the UK.

What is Required under Strong Customer Authentication?

SCA requires that electronic payments use multi-factor authentication. To pass authentication, consumers must confirm their identity by satisfying two of the following three criteria:

  • Knowledge: proof of something the consumer knows (for example, a password or PIN).
  • Possession: proof of something the consumer owns (for example, a phone or hardware token).
  • Inherence: proof of something the consumer is (for example, a fingerprint).
[Image: SCA Multi-Factor Authentication]

Article 4 of PSD2 defines SCA as “an authentication based on the use of two or more elements categorized as knowledge (something only the user knows), possession (something only the user possesses), and inherence (something the user is).”

If consumers fail to meet the authentication criteria, banks have the authority to decline payment.

What does 3D Secure 2 (3DS2) mean?

You may see 3D Secure 2 (3DS2) referenced alongside Strong Customer Authentication. 3D Secure 2 is the primary method used for authenticating payments. It is an improved version of 3D Secure, offering consumers a frictionless experience.

When Does Strong Customer Authentication Apply?

SCA applies to customer-initiated transactions in which both the merchant’s acquiring bank and the bank issuing the buyer’s debit or credit card are located within the European Economic Area (EEA).

Are There Exemptions to SCA?

Some exemptions apply depending on the transaction amount, the degree of perceived risk, and the frequency of occurrence. Examples of exemptions in place include:

Low-risk transactions

  • The payment provider or bank’s overall fraud rates for card payments do not exceed defined thresholds.
  • The transaction totals less than €30*.

*However, there are limitations on the number of times an exempt transaction can skip authentication.

Fixed-amount subscriptions

  • Recurring transactions in which the customer pays the same amount to the same business and the first payment is authenticated. For example, Stripe Billing uses this exemption.

Phone Sales

  • Card details collected over the phone fall outside the scope of SCA and do not require authentication. This type of payment is referred to as “Mail Order and Telephone Orders” (MOTO). However, the cardholder’s bank retains the right to accept or reject the transaction.

‘One Leg Out’ transactions

  • When either the merchant’s acquiring bank or the bank issuing the buyer’s debit or credit card is located outside the European Economic Area (EEA), the transaction falls outside SCA scope.**
  • For example, if a US-based merchant, not operating through an EEA local entity, with an acquiring bank in the United States receives a credit or debit card payment from a cardholder in the EEA, this transaction is generally exempt from SCA scope.

For more information on exemptions, see the Payment Services Directive 2 requirements.

**Note that neither Blackthorn.io nor its staff are legal experts on SCA or other European banking regulations and this article is intended to provide general guidance only. All guidance should be run by your organization’s legal counsel before enacting due to the unique positions of some organizations.**
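The scope and exemption rules listed above, as an added example (not Blackthorn’s or Stripe’s code), written as a decision function, together with a check that two presented authenticators really span two distinct PSD2 categories. The fraud-rate (TRA) exemption is left out because its amount tiers are not given on this page, and the cumulative low-value caps (EUR 100 or 5 consecutive exemptions since the last SCA) are taken from Article 16 of the RTS in the references rather than from the article itself; the authenticator-to-category mapping is illustrative.

```python
from dataclasses import dataclass
from decimal import Decimal

# EUR 30 per-transaction limit is stated in the article; the cumulative caps are
# from Article 16 of the RTS (EBA-RTS-2017-02) and are encoded here as constants.
LOW_VALUE_LIMIT = Decimal("30")
LOW_VALUE_CUMULATIVE = Decimal("100")
LOW_VALUE_MAX_CONSECUTIVE = 5

# Illustrative mapping of concrete authenticators to the three PSD2 categories.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "sms_otp": "possession", "hardware_token": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

def meets_sca_factors(presented: list[str]) -> bool:
    """True only if the presented factors cover at least two distinct categories."""
    return len({FACTOR_CATEGORY[f] for f in presented}) >= 2

@dataclass
class Transaction:
    amount_eur: Decimal
    acquirer_in_eea: bool
    issuer_in_eea: bool
    channel: str = "ecommerce"              # "ecommerce" or "moto"
    fixed_recurring: bool = False           # same amount, same merchant
    first_payment_authenticated: bool = False
    exempt_count_since_sca: int = 0         # consecutive low-value exemptions used
    exempt_total_since_sca: Decimal = Decimal("0")

def sca_decision(t: Transaction) -> str:
    """Classify a customer-initiated card payment using the rules the article lists."""
    # Scope: both acquirer and issuer must be in the EEA ("one leg out" otherwise).
    if not (t.acquirer_in_eea and t.issuer_in_eea):
        return "out_of_scope:one_leg_out"
    # Card details taken over the phone (MOTO) are outside SCA scope.
    if t.channel == "moto":
        return "out_of_scope:moto"
    # Fixed-amount subscription: only the first payment needs authentication.
    if t.fixed_recurring and t.first_payment_authenticated:
        return "exempt:fixed_amount_subscription"
    # Low-value exemption: strict "< 30" as the article words it, plus cumulative caps.
    if (t.amount_eur < LOW_VALUE_LIMIT
            and t.exempt_count_since_sca < LOW_VALUE_MAX_CONSECUTIVE
            and t.exempt_total_since_sca + t.amount_eur <= LOW_VALUE_CUMULATIVE):
        return "exempt:low_value"
    # Everything else is a remote electronic payment that must be authenticated.
    return "sca_required"
```

A subscription whose first payment was never authenticated falls through to the later checks, so it is only exempt if it also qualifies as low value.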

What are the Benefits of Strong Customer Authentication?

Along with adding additional protections for consumers, SCA benefits businesses by:

  • Reducing fraud
  • Increasing consumer confidence surrounding online transactions
  • Emphasizing market-wide compliance

How is Blackthorn Supporting SCA?

Here at Blackthorn, we see SCA and the PSD2 mandate as an opportunity to provide customers with a more secure experience and promote compliance in the payments ecosystem. We’ve added 3D Secure 2 (an industry-accepted method) protocols to our checkout flows to meet SCA requirements. The following Blackthorn Payments features are SCA supported:

  • Capturing a Transaction through PayLink with SCA regulated Payment Methods.
  • Capturing a Transaction through Donations with SCA regulated Payment Methods.
  • Capturing SCA-regulated Payment Methods and Transactions through the Virtual Terminal.
    *Requires an additional configuration.
  • Capturing SCA-regulated Payment Methods through the Transaction object.
    *Requires an additional configuration.

For customers using our Stripe Billing or Stripe Checkout integration, Stripe applies 3D Secure 2 checks when the cardholder’s bank supports it and falls back on 3D Secure 1 if additional verification is needed.

What Happens if a Transaction Fails?

A notification will be created in Salesforce if a transaction fails, and a reattempt request will automatically trigger, depending on the logic you have set.

Is Action Needed to Enable SCA?

Using Blackthorn Payments, teams working in the EEA can easily enable SCA in Salesforce by following the steps outlined here.

Benefits of Using Blackthorn with Stripe for SCA

Due to Blackthorn Payments’ deep integration with Stripe, we’re able to offer Stripe’s prebuilt, customizable SCA solutions and extend them to work directly from Salesforce. For businesses operating within the EEA or creating payments on behalf of customer accounts in the EEA, this means you can continue to take payments and send invoices directly from Salesforce while adhering to compliance requirements.

Given the pervasiveness of fraud and cybersecurity attacks, businesses can anticipate that multifactor requirements and security regulations will become more widespread, and each country may have its own nuances. Therefore, choosing a technology partner that stays on top of these changes is crucial to handling the complexities and quickly adapting to new developments.

Our partnership with Stripe (and their vested interest in compliance with Salesforce) enables us to add workflows that are agile and use point-and-click (no coding needed) technology, so you don’t have to build your own integrations or rely on an SI partner, both of which can cost you a lot of time and money. And our three app upgrades a year ensure you’re always up to speed.

If you have any questions about SCA requirements and are interested in learning how Blackthorn Payments’ enterprise payment processing solutions can help your team navigate these new regulations, we are happy to help. Talk to one of our experts today.

References:

  • https://ec.europa.eu/info/publications/190913-safer-payment-services_en
  • https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018R0389
  • https://stripe.com/guides/3d-secure-2
  • https://www.eba.europa.eu/sites/default/documents/files/documents/10180/1761863/314bd4d5-ccad-47f8-bb11-84933e863944/Final%20draft%20RTS%20on%20SCA%20and%20CSC%20under%20PSD2%20%28EBA-RTS-2017-02%29.pdf?retry=1