Introducing Strong Customer Authentication (SCA)

Written by Allen Snook on June 10, 2019 Blog, Security, Taking payments.

What is SCA?

Strong Customer Authentication (SCA)* is a new regulation taking effect on September 14, 2019 that requires merchants to use multiple methods of verifying customers’ identities. To help you comply with the new requirements — and make sure your sales don’t take an unnecessary hit — you can lay the groundwork now.

Starting in September, merchants accepting online payments will need to use two independent authentication methods to verify that a customer is who they say they are.

Woman looking shopping on her mobile phone, carrying a few shopping bags. Strong Customer Authentication (SCA) will require a second form of authenticating online purchases.
Authentication methods may be a password, Face ID, or a push notification.

What kinds of authentication are acceptable?

SCA allows for three different authentication methods — something the customer knows, something the customer has, and something the customer is. To succeed, a transaction has to use two of the three.

What does that mean in practice?

  • Asking for a piece of information only the customer knows, like their password or the answer to a security question.
  • Sending verifying information to something the customer controls, like a hardware token or a push notification sent to their phone.
  • Using a physical identifier unique to the customer, like a fingerprint or Face ID.

What do I need to do to prepare?

Most payment gateways will use 3D Secure 2 – an update to the 3D Secure system – as their main method of complying with SCA. During checkout, the payment gateway will prompt the customer to provide the additional authentication elements, and the order will only be completed once they do that successfully.

Some payment methods, like Apple Pay, already incorporate these elements and should be unaffected by SCA.

Visual of the intersection of online shopping, security, and technology.
How to prepare your store for Strong Customer Authentication


Does SCA apply to merchants outside of the European Economic Area?

Yes. SCA applies when the acquiring bank or processor is in the European Economic Area (EEA) and the customer’s payment instrument is issued in the EEA. The EEA includes all 27 European Union member states as well as Iceland, Liechtenstein, and Norway. The location of the merchant does not matter.

What happens on/after September 14, 2019?

If your online store’s payment gateway has an EEA presence and is not SCA ready, EEA issued payment methods are likely to be declined during checkout.

Are any transactions exempt?

Yes: Low value transactions (below € 30) will usually not require SCA. However, SCA will be required after five exempt transactions or if the total amount spent by the customer exceeds € 100.

What about subscriptions?

SCA applies to subscriptions, too. After September 14, 2019, your customers will have to authenticate the first payment on their subscription. If there is a change in the subscription payment amount, they’ll also have to re-authenticate for subsequent renewals.

What Payment Gateways offered by are SCA ready today? **

What about Payment Gateways offered by others?

Please contact your payment gateway’s developer directly to inquire about SCA readiness.

*Note that this article should not be considered legal advice. Should you have questions or concerns about how your business is impacted by regulations and laws, we strongly recommend consulting with a legal professional.

**This post will be updated as Strong Customer Authentication (SCA) support is extended to additional Payment Gateway Extensions. If you have any questions, please feel free to contact Support.


10 Responses

  1. colin froggatt
    June 12, 2019 at 1:30 pm #

    What support is available with the ‘PayPal Standard’ gateway for Woo? thanks Colin

  2. bdurston
    June 13, 2019 at 6:53 am #

    Will these changes affect New Zealand based eCommerce sites?

  3. Ketanmishra
    June 13, 2019 at 7:53 am #

    I am really excited about the 3D Secure 2.0 which is, in turn, a major overhauled version of the existing 3-D Secure (3DS) technology. It will not only boost security manifolds but also provide a better user experience.

    The 3DS 2.0 is supposed to make the customer authentication process faster and accurate than 3DS 1.0. It will put an end to the concept of a static password and will ease the process with biometrics and one-time passwords.

    You’ve outlined the importance in a very comprehensive manner. A great post for those who are often worried about their security.

    A great feed of knowledge indeed!

  4. John
    June 14, 2019 at 1:31 pm #

    One thing that is not clear anywhere is whether the stripe gateway plugin – developed by woocommerce – will have the ability to use the new stripe hosted checkout which is sca ready and also a better design than existing woocommerce checkout templates.

    Please can you confirm?

    • Adam
      June 19, 2019 at 12:11 pm #

      Yep, I’m assuming there will either be an update for the plugin or it’ll all be down from redirects on Stripe’s end but it would be nice to have confirmation

  5. Rifat
    June 15, 2019 at 3:45 am #

    Great, I’m excited.

    It will be mandatory to use sca? Or there will be an option to enable and disable?

  6. Max
    June 15, 2019 at 10:02 am #

    Is it just for European Union?

  7. Brad D
    June 18, 2019 at 11:43 pm #

    Great to see further security is being introduced as per in person transactions. Hopefully all areas and payment gateways will get on board to make things easy for everyone.

  8. Arnan
    June 21, 2019 at 9:10 am #

    *Sigh* for the greater good I guess. But all these eu regulations do is make it harder for businesses to do business stuff and it’s a hassle for customers, too. As usual…

  9. Emmanuel Obarhua
    June 21, 2019 at 4:58 pm #

    Hello, Allen;

    The nub of my last comment on this platform was that Woocommerce is active. Given this upcoming update, I guess I didn’t even know the full implication of my previous comment. Go Woocommerce!

    Warm regards,
    Emmanuel Obarhua

Leave a Reply

WooCommerce - the most customizable eCommerce platform for building your online business.

  • 30 day money back guarantee
  • Support teams across the world
  • Safe & Secure online payment
%d bloggers like this: