What is SCA?
Strong Customer Authentication (SCA)* is a new regulation taking effect on September 14, 2019 that requires merchants to use multiple methods of verifying customers’ identities. To help you comply with the new requirements — and make sure your sales don’t take an unnecessary hit — you can lay the groundwork now.
Starting in September, merchants accepting online payments will need to use two independent authentication methods to verify that a customer is who they say they are.
What kinds of authentication are acceptable?
SCA allows for three different authentication methods — something the customer knows, something the customer has, and something the customer is. To succeed, a transaction has to use two of the three.
What does that mean in practice?
- Asking for a piece of information only the customer knows, like their password or the answer to a security question.
- Sending verifying information to something the customer controls, like a hardware token or a push notification sent to their phone.
- Using a physical identifier unique to the customer, like a fingerprint or Face ID.
What do I need to do to prepare?
Most payment gateways will use 3D Secure 2 – an update to the 3D Secure system – as their main method of complying with SCA. During checkout, the payment gateway will prompt the customer to provide the additional authentication elements, and the order will only be completed once they do that successfully.
Some payment methods, like Apple Pay, already incorporate these elements and should be unaffected by SCA.
Does SCA apply to merchants outside of the European Economic Area?
Yes. SCA applies when the acquiring bank or processor is in the European Economic Area (EEA) and the customer’s payment instrument is issued in the EEA. The EEA includes all European Union member states as well as Iceland, Liechtenstein, and Norway. The location of the merchant does not matter.
What happens on/after September 14, 2019?
If your online store’s payment gateway has an EEA presence and is not SCA ready, EEA issued payment methods are likely to be declined during checkout.
Are any transactions exempt?
Yes: Low value transactions (below € 30) will usually not require SCA. However, SCA will be required after five exempt transactions or if the total amount spent by the customer exceeds € 100.
What about subscriptions?
SCA applies to subscriptions, too. After September 14, 2019, your customers will have to authenticate the first payment on their subscription. Exemptions will be granted for recurring charges in many cases, including those that began before September 14, though it is the customer’s bank that determines whether to require SCA or accept the exemption.
What Payment Gateways offered by WooCommerce.com are SCA ready today? **
What about Payment Gateways offered by others?
Please contact your payment gateway’s developer directly to inquire about SCA readiness.
*Note that this article should not be considered legal advice. Should you have questions or concerns about how your business is impacted by regulations and laws, we strongly recommend consulting with a legal professional.
**This post will be updated as Strong Customer Authentication (SCA) support is extended to additional Payment Gateway Extensions. If you have any questions, please feel free to contact WooCommerce.com Support.