What is SCA?
Strong Customer Authentication (SCA)* is a regulation that took effect on September 14, 2019, and requires merchants to use multiple methods of verifying a customer’s identity. To comply with the new requirements and make sure your sales don’t take an unnecessary hit, you need to lay the groundwork.
Merchants accepting online payments need to use two independent authentication methods to verify that a customer is who they say they are.
What kinds of authentication are acceptable?
SCA allows for three different authentication methods — something the customer knows, something the customer has, and something the customer is. To succeed, a transaction needs to use two of the three.
What does that mean in practice?
- Asking for a piece of information only the customer knows — their password or the answer to a security question.
- Sending verifying information to something the customer controls — a hardware token or a push notification on their phone.
- Using a physical identifier unique to the customer — a fingerprint or Face ID.
What do I need to do to prepare?
Most payment gateways use 3D Secure 2 – an update to the 3D Secure system – as their main method of complying with SCA. During checkout, the payment gateway prompts the customer to provide the additional authentication elements, and the order is only completed once they do that successfully.
Some payment methods, such as Apple Pay, already incorporate these elements and should be unaffected by SCA.
Does SCA apply to merchants outside of the European Economic Area?
Yes. SCA applies when the acquiring bank or processor is in the European Economic Area (EEA) and the customer’s payment instrument is issued in the EEA. The EEA includes all European Union member states as well as Iceland, Liechtenstein, and Norway. The location of the merchant does not matter.
What’s different on/after September 14, 2019?
The requirement for SCA took effect on September 14, 2019. Many regulators in the EEA have granted banks in their respective countries additional time to implement and require SCA. Although this has taken some pressure off, merchants are still advised to update to SCA-ready payment methods as they become available.
If your online store’s payment gateway has an EEA presence but is not SCA ready, declines for EEA-issued payment methods can be expected to gradually increase over the year ahead.
Are any transactions exempt?
Yes. Transactions below €30 will usually not require SCA. However, SCA will be required after five exempt transactions or if the total amount spent by the customer exceeds €100.
What about subscriptions?
SCA applies to subscriptions, too. On and after September 14, 2019, your customers need to authenticate the first payment on their subscription. Exemptions are granted for recurring charges in many cases, including those that began before September 14, though it is the customer’s bank that determines whether to require SCA or accept the exemption.
Which Payment Gateways offered by WooCommerce.com are SCA ready? **
- Amazon Pay
- Global Payments Gateway (formerly Realex)
- PayPal powered by Braintree
- Sage Pay
- Klarna Payments
- Klarna Checkout
What about Payment Gateways offered by others?
Please contact your payment gateway’s developer directly to inquire about SCA readiness.
*Note that this article should not be considered legal advice. Should you have questions or concerns about how your business is impacted by regulations and laws, we strongly recommend consulting with a legal professional.
**This post will be updated as Strong Customer Authentication (SCA) support is extended to additional Payment Gateway Extensions. If you have any questions, feel free to contact WooCommerce.com Support.