The SCA deadline for cards is here: your questions answered
As of 14 March, card payments in the UK must include strong customer authentication. So what does that mean for businesses taking payments online?
Four years after the Revised Payment Services Directive (PSD2) came into effect, the introduction of strong customer authentication (SCA) is wrapping up in Europe. Previous deadlines have come and gone, extensions have been granted, but many questions about the initiative remain unanswered.
One thing is certain, though: the days of simply entering your card details have come to an end. From 14 March, online card payments made in the UK — with a few exceptions — will require users to take extra steps to confirm their identities.
Naturally, these changes will have a big impact on online checkouts. While acquirers and issuers have had time to implement new technology like 3D Secure 2 (3DS2), merchants may be less prepared. In its report on SCA adoption, the Payments Association notes that a significant portion of SMEs have yet to update their payment processes and transaction flows in line with the new regulations. Even merchants who are in compliance may take a hit to their customer experience, and flagging conversion rates could follow.
So what do businesses need to know about these rule changes? In this blog post, we’ll answer a few of the most frequently asked questions about SCA from around the web. We’ll also offer a few tips that will help merchants adapt to this new normal.
What is SCA?
Simply put, SCA is a way of verifying a consumer’s identity during a transaction. It ensures a customer is who they claim to be and not an impostor. SCA has been an essential part of checking out in real life for years. Entering a PIN is a form of SCA, for example. But in recent years, regulators have brought these measures online to make ecommerce transactions more secure.
So what does online SCA entail? Under the new rules, customers need to prove their identity through two-factor authentication (2FA). In other words, they must provide two of the following identifiers:
- Knowledge: something they know (such as a password)
- Possession: something they own (such as a card or smartphone)
- Inherence: something they are (usually biometric data such as fingerprints or a facial scan)
How does SCA relate to PSD2?
PSD2 is an EU law that regulates electronic payments. One of its main goals is to make payments more secure. It achieves that aim by requiring SCA for all online transactions. While open banking payments already natively feature SCA, card payments didn’t need to include it until relatively recently. Spain, Germany, Italy, France and Ireland began to enforce SCA on card payments in 2021, making the UK the last territory in Europe to fully implement the policy.
Why is SCA necessary for cards?
Although SCA aims to secure all payment methods, cards are particularly vulnerable to fraud. Unauthorised card payments accounted for £261.7 million in losses in the first half of 2021. The new SCA rules compel online shoppers to verify their identities when making a card payment, significantly reducing the risk of fraud.
When do the SCA card rules go into effect?
While many UK banks began introducing SCA to card payments in late 2021, the official deadline for implementation was 14 March 2022. After that, most card-based ecommerce transactions will require SCA. Other payment types already adhere to PSD2’s SCA conditions. For instance, open banking payments have adhered to SCA requirements since PSD2 first came into law in 2018. From the beginning, open banking user flows were designed with SCA in mind, protecting users without sacrificing the customer experience.
What are the exemptions to card SCA?
SCA will apply to many card payments online, but not all. There are a few exceptions to the new rules. Card transactions under €30 (£24.90) won’t require SCA if a customer has spent less than €100 over their last five transactions. Issuers don’t need to authenticate anonymous prepaid card payments, and SCA isn’t necessary if a card issuer or acquirer operates outside the European Economic Area (EEA). Recurring payments, instalments, card-on-file payments and other merchant initiated transactions (MITs) are also exempt from card SCA requirements after the first transaction. There are no exemptions for open banking payments since these transactions feature SCA natively.
What does this mean for merchants?
As previously mentioned, merchants will need to update their payment processes to accommodate the new SCA requirements. Even if they are compliant, ecommerce businesses may face a decline in their conversion rates.
That’s because SCA could make card-based online checkouts messier. When TrueLayer looked at SCA payment flows back in June 2021, we found that card users needed to complete extra steps compared to open banking customers.
SCA doesn’t just make card payments longer — it also makes the customer experience more disjointed. The impact on merchants could be significant. A spike in declined transactions may lead to notable fees and a drop off in sales.