Strong Customer Authentication (SCA) explained
Strong Customer Authentication (SCA) is a mandate introduced by the Payment Services Directive (PSD2) enacted by the European Commission. It requires electronic payments initiated by the buyer to be authenticated by at least two of the following three factors:
- Something the cardholder knows (e.g., a password or PIN)
- Something the cardholder has (e.g., a token, a mobile phone)
- Something the cardholder is (e.g., a fingerprint or voice match)
1. To whom does SCA apply?
SCA applies to electronic transactions that occur within the European Economic Area (EEA). When you accept cards issued in the EEA, the SCA check must be performed on all in-scope transactions unless they are exempted by the legislation.
2. Transactions out of scope for SCA
The SCA check is not required for the following transactions:
- Anonymous payment instrument transactions – Transactions where an anonymous payment instrument is used, for example, anonymous prepaid cards.
- Mail Order/Telephone Order (MOTO) transactions – Payments transacted over the phone or e-mail.
- One-leg transactions – Transactions where only one of the payment service providers is located inside the EEA. Since TrustPay is located within the EEA, one-leg transactions are those submitted with a card issued outside the EEA. PSD2 expects SCA to be applied to one-leg transactions on a best-effort basis.
- Merchant Initiated Transactions (MIT) – Transactions initiated by the merchant, for example, credit fund transfers or repeatable (recurring) transactions, direct debits.
3. E-commerce transactions exempted from SCA
Transaction category | Description | Applied by |
---|---|---|
Low-value transactions | Electronic payments under €30—and: | TrustPay |
Trusted beneficiaries | Payers can assign merchants to a whitelist of trusted beneficiaries which is maintained by their bank. Whitelisted merchants are exempt from SCA. | Issuer |
Secure corporate payments | Electronic payments made through dedicated corporate processes initiated by businesses, for example, secure corporate cards. | Issuer |
Low-risk transactions | TrustPay is allowed to request an exemption based on the risk analysis when its fraud rates do not exceed the specified thresholds. | TrustPay |
4. How is SCA applied to e-commerce transactions?
Strong Customer Authentication requires authentication with two independent factors (something the cardholder knows, has, or is). The EMV 3-D Secure security protocol has been introduced as a tool for fulfilling the SCA mandate.
5. What is EMV 3-D Secure?
3-D Secure (3DS) is a customer authentication security protocol, designed to reduce fraud rates and provide security to card-not-present transactions. 3DS1 is already widely used by TrustPay today.
With the advent of the SCA mandate, a new version of the 3DS protocol, EMV 3-D Secure (3DS 2.1), was introduced, and TrustPay's systems are ready to support 3DS 2.1 as well. At present, TrustPay is preparing its systems for 3DS 2.2, and we will inform you when it is available.
6. How to apply for exemption from SCA?
The issuer decides whether or not SCA is required for exempted transactions. For the exemptions applied by TrustPay (please refer to point 3), a merchant can apply for the exemption through a specific exemption flag submitted in the authorization request. A separate communication on how to submit an exemption flag will be distributed to you.
7. What to do in case of out-of-scope transactions?
Merchants do not need to take any action in relation to out-of-scope transactions. These transactions will be submitted automatically without the need for the SCA check.
***NO DELAY TO SCA DEADLINE***
The impact of COVID-19 on merchants and their Strong Customer Authentication (SCA) preparations has been significant, and the payments industry called for additional time to allow merchants to focus their efforts on SCA again. As a result, an official request for a six-month delay was submitted to the European Commission by a couple of payment industry representatives.
We would like to bring to your attention that the European Commission has recently announced that merchants and payment service providers will be granted no further time to prepare for and comply with the SCA mandate.
Therefore, we would like to assure you that the current deadlines remain valid as previously communicated to you. We encourage you to dedicate enough time and effort to the SCA migration to meet the given deadlines. You are required to update your TrustPay gateway integration to use the new version of 3-D Secure by October 1st, 2020.
Please refer to the previous TrustPay communications or contact us via the e-mail address support@trustpay.eu and our colleagues will be happy to advise you.