Introducing Strong Customer Authentication (SCA)

Written by Kevin Bates on June 10, 2019 Blog, Payments, Security.

What is SCA?

Strong Customer Authentication (SCA)* is a regulation that took effect on September 14, 2019 that requires merchants to use multiple methods of verifying a customer’s identity. To comply with new requirements and make sure your sales don’t take an unnecessary hit, you need to lay the groundwork.

Merchants accepting online payments need to use two independent authentication methods to verify that a customer is who they say they are.

Strong Customer Authentication (SCA) will require a second form of authenticating online purchases. Authentication methods may be a password, Face ID, or a push notification.

What kinds of authentication are acceptable?

SCA allows for three different authentication methods — something the customer knows, something the customer has, and something the customer is. To succeed, a transaction needs to use two of the three.

What does that mean in practice?

  • Asking for a piece of information only the customer knows — their password or the answer to a security question.
  • Sending verifying information to something the customer controls — a hardware token or a push notification on their phone.
  • Using a physical identifier unique to the customer — a fingerprint or Face ID.

What do I need to do to prepare?

Most payment gateways use 3D Secure 2 – an update to the 3D Secure system – as their main method of complying with SCA. During checkout, the payment gateway prompts the customer to provide the additional authentication elements, and the order is only completed once they do that successfully.

Some payment methods, such as Apple Pay, already incorporate these elements and should be unaffected by SCA.

How to prepare your store for Strong Customer Authentication

FAQ

Does SCA apply to merchants outside of the European Economic Area?

Yes. SCA applies when the acquiring bank or processor is in the European Economic Area (EEA) and the customer’s payment instrument is issued in the EEA. The EEA includes all European Union member states as well as Iceland, Liechtenstein, and Norway. The location of the merchant does not matter.

What’s different on/after September 14, 2019?

The requirement for SCA took effect on September 14, 2019. Many regulators in the EEA have granted banks in their respective countries additional time to implement and require SCA. Although this has taken some pressure off, merchants are still advised to update to SCA-ready payment methods as they become available.

If your online store’s payment gateway has an EEA presence but is not SCA ready, declines for EEA-issued payment methods can be expected to gradually increase over the year ahead.

Are any transactions exempt?

Yes. Transactions below €30 will usually not require SCA. However, SCA will be required after five exempt transactions or if the total amount spent by the customer exceeds €100.
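To make the exemption rule concrete, here is an added example (not code from this post or from WooCommerce) that keeps the per-customer counters an issuer would need to decide whether a transaction may skip SCA, using the thresholds exactly as the post states them. It assumes that when SCA is required it succeeds, which resets the counters.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as this post states them for the low-value exemption.
LOW_VALUE_LIMIT = Decimal("30")     # below this a transaction may be exempt
MAX_EXEMPT_COUNT = 5                # SCA required after this many exempt transactions
CUMULATIVE_LIMIT = Decimal("100")   # SCA required once spend since last SCA would exceed this


@dataclass
class ExemptionState:
    """Counters an issuer keeps per customer since the last successful SCA."""
    exempt_count: int = 0
    spent_since_sca: Decimal = Decimal("0")


def decide(state: ExemptionState, amount: Decimal) -> str:
    """Return "sca" or "exempt" for one transaction and update the counters.
    Assumption: when SCA is required it succeeds, so both counters reset."""
    if amount >= LOW_VALUE_LIMIT:
        decision = "sca"                       # not a low-value transaction
    elif state.exempt_count >= MAX_EXEMPT_COUNT:
        decision = "sca"                       # five exemptions already used
    elif state.spent_since_sca + amount > CUMULATIVE_LIMIT:
        decision = "sca"                       # cumulative spend would pass EUR 100
    else:
        decision = "exempt"

    if decision == "sca":
        state.exempt_count = 0
        state.spent_since_sca = Decimal("0")
    else:
        state.exempt_count += 1
        state.spent_since_sca += amount
    return decision


def run_sequence(amounts):
    """Apply decide() to a sequence of amounts (strings) for one customer."""
    state = ExemptionState()
    return [decide(state, Decimal(a)) for a in amounts]


if __name__ == "__main__":
    # Constructed example: six EUR 25 purchases, then a EUR 45 purchase.
    amounts = ["25"] * 6 + ["45"]
    for amount, decision in zip(amounts, run_sequence(amounts)):
        print(f"EUR {amount:>3}: {decision}")
```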

What about subscriptions?

SCA applies to subscriptions, too. On and after September 14, 2019, your customers need to authenticate the first payment on their subscription. Exemptions are granted for recurring charges in many cases, including those that began before September 14, though it is the customer’s bank that determines whether to require SCA or accept the exemption.

What Payment Gateways offered by Woo.com are SCA ready? **

What about Payment Gateways offered by others?

Please contact your payment gateway’s developer directly to inquire about SCA readiness.

*Note that this article should not be considered legal advice. Should you have questions or concerns about how your business is impacted by regulations and laws, we strongly recommend consulting with a legal professional.

**This post will be updated as Strong Customer Authentication (SCA) support is extended to additional Payment Gateway Extensions. If you have any questions, feel free to contact Woo.com Support.


42 Responses

  1. colin froggatt
    June 12, 2019 at 1:30 pm #

    What support is available with the ‘PayPal Standard’ gateway for Woo? thanks Colin

  2. bdurston
    June 13, 2019 at 6:53 am #

    Will these changes affect New Zealand based eCommerce sites?

    • haszari
      June 28, 2019 at 6:03 am #

      Does SCA apply to merchants outside of the European Economic Area?
      Yes. SCA applies when the acquiring bank or processor is in the European Economic Area (EEA) and the customer’s payment instrument is issued in the EEA.

      I believe so – if the customer is based in the EU or is using an SCA bank/card, then SCA will apply.

      • Allen Snook
        July 1, 2019 at 10:57 pm #

        That’s correct. Merchants worldwide that sell to EEA buyers are likely to be impacted by SCA. PSD2/SCA applies when the acquiring bank is in the EEA AND the buyer’s payment instrument is issued in the EEA.

  3. Ketanmishra
    June 13, 2019 at 7:53 am #

    I am really excited about the 3D Secure 2.0 which is, in turn, a major overhauled version of the existing 3-D Secure (3DS) technology. It will not only boost security manifolds but also provide a better user experience.

    The 3DS 2.0 is supposed to make the customer authentication process faster and accurate than 3DS 1.0. It will put an end to the concept of a static password and will ease the process with biometrics and one-time passwords.

    You’ve outlined the importance in a very comprehensive manner. A great post for those who are often worried about their security.

    A great feed of knowledge indeed!

  4. John
    June 14, 2019 at 1:31 pm #

    One thing that is not clear anywhere is whether the stripe gateway plugin – developed by woocommerce – will have the ability to use the new stripe hosted checkout which is sca ready and also a better design than existing woocommerce checkout templates.

    Please can you confirm?

    • Adam
      June 19, 2019 at 12:11 pm #

      Yep, I’m assuming there will either be an update for the plugin or it’ll all be down from redirects on Stripe’s end but it would be nice to have confirmation

    • Allen Snook
      July 1, 2019 at 11:00 pm #

      Hi John!

      Version 4.2 of our Stripe extension added support for SCA for non-recurring payments using existing WooCommerce checkout templates. As you have probably noticed, we have not incorporated Stripe’s new hosted checkout at this time.

      Version 4.3 will add support for SCA for recurring payments this summer.

      We are considering if and when to add support for Stripe’s new hosted checkout, depending on merchant demand.

      • Neil L
        July 2, 2019 at 11:06 am #

        Hello Allen, thanks for the info.
        Regarding v4.3: what will happen with existing customers with monthly subscriptions, when they sign up e.g. today on 4.2, but then their subscription/monthly payment goes past September 14? For example, on implementing 4.3 or on Sept 14, would they then have to re-authenticate the payments using SCA somehow on the site? (We have some customers whose subscriptions are essentially perpetual until they cancel.)

        • Luke
          July 4, 2019 at 3:53 pm #

          I’ve emailed Stripe with this question.

          I asked them if we’ll need to re-authenticate existing active subscription customers after September 14, 2019.

          Here’s their response:

          > … the subscriptions should be gated into the new flow without you having to do anything.

          > So no, you won’t have to re-authenticate existing active subscription customers after September 14, 2019.

  5. Rifat
    June 15, 2019 at 3:45 am #

    Great, I’m excited.

    Will it be mandatory to use SCA? Or will there be an option to enable and disable it?

    • Allen Snook
      July 1, 2019 at 11:03 pm #

      Hi Rifat!

      PSD2/SCA applies when the acquiring bank is in the EEA and the payment instrument is issued in the EEA, however not all banks will require PSD2/SCA right away as they have to update their systems as well.

      In the meantime, some gateways like Stripe allow you to control whether or not SCA techniques like 3D Secure 2 are required all the time or not. In the case of Stripe, these settings can be found in Radar Rules.

      Hope this helps.

  6. Max
    June 15, 2019 at 10:02 am #

    Is it just for European Union?

    • Allen Snook
      July 1, 2019 at 11:04 pm #

      PSD2/SCA applies when the acquiring bank is in the EEA and the buyer’s payment instrument is issued in the EEA. This means that non EU and non EEA sellers with EEA buyers can expect to be affected at least on some fraction of their transactions.

  7. Brad D
    June 18, 2019 at 11:43 pm #

    Great to see further security is being introduced as per in person transactions. Hopefully all areas and payment gateways will get on board to make things easy for everyone.

  8. Arnan
    June 21, 2019 at 9:10 am #

    *Sigh* for the greater good I guess. But all these eu regulations do is make it harder for businesses to do business stuff and it’s a hassle for customers, too. As usual…

  9. Emmanuel Obarhua
    June 21, 2019 at 4:58 pm #

    Hello, Allen;

    The nub of my last comment on this platform was that Woocommerce is active. Given this upcoming update, I guess I didn’t even know the full implication of my previous comment. Go Woocommerce!

    Warm regards,
    Emmanuel Obarhua

  10. David Wang
    June 26, 2019 at 4:26 am #

    I assume that the PayPal by Braintree gateway will be SCA-ready by September too?

    https://wordpress.org/plugins/woocommerce-gateway-paypal-powered-by-braintree/

    • Allen Snook
      July 1, 2019 at 11:05 pm #

      We are working on PayPal Powered by Braintree right now to get it ready for SCA.

  11. Sarah Paine
    June 26, 2019 at 7:28 pm #

    What is worrying as both a customer and a seller…

    what happens if one party does NOT use a mobile device (I don’t). Although a password is fine, I’ve no way of doing either of the latter two parts. Does this mean I can no longer buy online??

    • Allen Snook
      July 1, 2019 at 11:06 pm #

      Great question! EEA buyers without mobile devices should contact their bank to inquire about SCA options for them.

  12. Johnny Ringo
    June 26, 2019 at 7:54 pm #

    Paypal is pretty big for most of us. What’s the update on them?

    • Allen Snook
      July 1, 2019 at 11:07 pm #

      We (and PayPal) are working on changes to PayPal Powered by Braintree and on PayPal Pro right now to get it ready for SCA. The other PayPal extensions rely on changes on PayPal’s end. We will keep you updated on our (and PayPal’s) progress.

  13. praline2013
    June 26, 2019 at 7:59 pm #

    And will WooCommerce First Data Payeezy Gateway
    be SCA-ready by September too?

    https://woo.com/products/firstdata/

    Thank you for your reply!

    • Allen Snook
      July 1, 2019 at 11:38 pm #

      Hi!

      Some changes are likely required for this extension for SCA readiness. We are looking into it.

  14. Efrem R. Jasso
    June 26, 2019 at 8:18 pm #

    This article is somewhat confusing/misleading on re-reading it. In the FAQ it states,

    Does SCA apply to merchants outside of the European Economic Area?

    Yes. SCA applies when the acquiring bank or processor is in the European Economic Area (EEA) and the customer’s payment instrument is issued in the EEA. The EEA includes all 27 European Union member states as well as Iceland, Liechtenstein, and Norway. The location of the merchant does not matter.
    ———–

    Does this mean SCA is *only* applicable to EU EEA countries? If I don’t sell product to the EU or EEA countries, am I still obligated to implement this method?

    Second, how does this align with GDPR?

    Thirdly, is this a PCI-compliant method if required in the U.S.?

    • Craig
      June 27, 2019 at 1:38 pm #

      As I read it, if you sell to customers in the EU then that customer will go via a 3D v2 process. I also think that the payment issuers will handle this, so providing the relevant plugins are updated you will be covered wherever you are in the world. I also expect other countries to follow this process, as security with payment is something that is beneficial to customers and businesses, right?

    • Allen Snook
      July 1, 2019 at 11:13 pm #

      > If I don’t sell product to the EU or EEA countries, am I still obligated to implement this method?

      No.

      > Second, how does this align with GDPR?

      Sellers should review the privacy policies of the payment providers they are using and ensure that their own store’s privacy policies are up to date and in-line with local laws.

      > Thirdly, is this a PCI-compliant method if required in the U.S.?

      PSD2/SCA readiness should not affect PCI compliance. Did you have a specific concern?

  15. wolfemacleod
    June 26, 2019 at 8:53 pm #

    Is this something that’s going to be automatically implemented somehow in a Woocommerce update?
    If not, how are we expected to implement it?
    How will the gateway “know” if the customer is answering correctly?

    • Allen Snook
      July 1, 2019 at 11:15 pm #

      > Is this something that’s going to be automatically implemented somehow in a Woocommerce update?

      If changes are needed to your payment gateway extension, the update would be to the payment gateway extension itself, not the WooCommerce plugin.

      > How will the gateway “know” if the customer is answering correctly?

      The payment gateway will be told by the payment processor that they declined the sale for buyers who fail to pass any required authentication.

  16. Nick
    June 27, 2019 at 12:55 am #

    This does not affect USA customers purchasing in the USA within the European Economic Area; it would have been nice for the author to have made it clearer for the readers.

  17. Futr Online
    June 27, 2019 at 1:44 am #

    Hi Team

    What’s the implication for eCommerce sites based in Australia, and utilising the PayPal Payment Gateway?

    I note Stripe is already SCA ready.

    Cheers,
    Futr Online

    • Allen Snook
      July 1, 2019 at 11:18 pm #

      Like all sellers, Australian sellers can expect PSD2/SCA to apply when the acquiring bank is in the EEA and the buyer’s payment instrument is issued in the EEA.

      Separately, Australia is also soon to require similar authentication for Australian buyers’ protection.

  18. Abhay
    June 27, 2019 at 5:28 am #

    Will it affect Asian countries like India?

    • Allen Snook
      July 1, 2019 at 11:19 pm #

      Like all sellers, sellers in India can expect PSD2/SCA to apply when the acquiring bank is in the EEA and the buyer’s payment instrument is issued in the EEA.

  19. Noor Alam
    June 27, 2019 at 5:56 am #

    Hi, Do you have a solution for PayPal?

    • Allen Snook
      July 1, 2019 at 11:19 pm #

      We (and PayPal) are working on it. Stay tuned!

  20. John Asbury
    July 1, 2019 at 7:41 pm #

    “SCA applies to subscriptions, too. After September 14, 2019, your customers will have to authenticate the first payment on their subscription.”

    Does this mean for all new subscriptions, or existing subscriptions as well? This could be hugely costly for existing subscription businesses which have many existing subscribers!

  21. Luke
    July 2, 2019 at 11:26 am #

    2 questions:

    1. Are there any parts of the theme that require updating to support SCA? From my personal experience of using SCA there seems to be a very different workflow.

    2. How do we test SCA on our staging sites? Is there a way to force it in test mode?

  22. John
    July 5, 2019 at 4:25 am #

    Thanks for the information. PayPal does not yet accept SCA; would this be an issue? How would we comply?

    Also, how would WooCommerce have the system in place?

    Thank you

  23. Chloe
    July 5, 2019 at 10:22 pm #

    I’m looking forward to the new revolution of storing and using customer I’d and payment information. In this day and age it is an unnecessary hassle for us merchants to have to worry about keeping customer personal and payment info safe when this can be done by the customers themselves using new generation mobile apps such as Nuggets Pay and Id, where I thankfully will have no access to the buyers info but their purchase and payment will go through regardless. And they are SCA compliant. My current payment gateway is nowhere near being compliant to the new standard, as hinted by one of their representatives.