Strong Customer Authentication – What is SCA, and why should you care
Fraud is a growing problem in the realm of cyberspace, and most of us have been affected by it in one way or another. Seeing money disappear from your bank account due to purchases you didn’t make is an unnerving experience. With that kind of security issue in mind, the EU has mandated a policy known as SCA to help combat fraud and put the power back in the hands of the consumer.
Let’s take a look at what SCA is and what it means to eCommerce companies.
What is SCA?
Strong Customer Authentication (or SCA) is a regulation enacted by the EU with the goal of reducing fraud by making card-not-present payments more secure. In practice it means that eCommerce companies in particular must add further authentication checkpoints when a customer checks out.
What qualifies as authentication under SCA? These are the three categories of authentication factor that SCA recognises.
- Something the customer knows, such as a password or PIN.
- Something the customer has, such as a registered device.
- Something the customer is, such as biometric data, e.g. a fingerprint or facial recognition.
Banks have started rejecting payments that are not backed by at least two of these factors from 14 September 2019 onwards. Although enforcement of SCA will most likely be introduced gradually, banks will no doubt want to be compliant with the requirements right away to limit their exposure.
How Payments are to be Authenticated
Most eCommerce companies use a method known as 3D Secure to comply with SCA and authenticate their customers' transactions; it is supported by most cards in Europe. 3D Secure works by handing the customer over to their card issuer for a challenge, typically a one-time PIN sent by text message or a fingerprint check in the mobile banking app. Once that challenge has been completed, the bank can authorise the transaction.
This process has now been updated with 3D Secure 2, which is more focused on the customer experience and will make payment flows a little less cumbersome. Think about how fluid verification is through methods such as Apple Pay and Google Pay, which are built around a smooth payment flow while still complying with SCA regulations.
Who is Likely to Suffer from not Complying?
Self-hosted checkouts are likely to experience the most issues if they do not update their checkout flows to include SCA-approved authentication. When a customer begins the checkout process and the bank's systems trigger a 'card not present' verification challenge, a site that cannot present the customer with an additional verification method will have the transaction declined by the financial institution involved.
This problem can swiftly have a detrimental effect on an eCommerce company if they do not take it upon themselves to rectify the issue. Given the dominance of WordPress in web design, a vast number of online merchants use WooCommerce, the 'go to' eCommerce plugin for WordPress, and SCA regulations could disproportionately impact them compared with merchants who ply their trade on eCommerce carts such as Shopify. SCA may be the push many merchants with older websites need to start their upgrading process, and it may play a part when merchants weigh up the pros and cons of whether fully managed carts such as Shopify are worth it.
WooCommerce merchants, act fast!
It is incumbent upon merchants using WooCommerce to understand SCA and comply with the regulations if they plan to stay in business and minimise the risk this poses to their cashflow. Non-compliant merchants will not only lose revenue but also hurt their brand, as customers who have to make repeated attempts to purchase a product will quickly take their business elsewhere.
Some eCommerce companies that use self-hosted checkouts like the WordPress / WooCommerce combination may have the majority of their transactions fall under the €30 threshold, and those transactions would therefore be exempt from SCA challenges. It may be tempting to ignore SCA if most of your transactions are exempt, but by taking that course you will lose the larger sales gathered through carefully crafted upsells and cross-sells, the very sales that increase your average order value.
It stands to reason that if your company is involved in eCommerce, compliance with SCA is the only course of action. SCA is here and the deadline has been and gone: was your eCommerce website ready when banks started enforcing SCA? If not, please do not suffer in silence.
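To make the two-factor rule and the low-value exemption concrete, here is a small issuer-side decision model written for this article (it is not code from WooCommerce, a card scheme or any 3D Secure implementation). It assumes the factor category names and the `CardState` counter defined in the block, and the €100 cumulative cap on exempt spend since the last full SCA is taken from the PSD2 technical standards rather than from the text above.

```python
from dataclasses import dataclass

# The three SCA factor categories listed above.
KNOWLEDGE = "knowledge"    # something the customer knows (password, PIN)
POSSESSION = "possession"  # something the customer has (registered device)
INHERENCE = "inherence"    # something the customer is (fingerprint, face)
CATEGORIES = {KNOWLEDGE, POSSESSION, INHERENCE}

# Low-value exemption for remote card payments. The EUR 30 figure is from
# the article; the EUR 100 cumulative cap on exempt spend since the last
# full SCA follows the PSD2 RTS and is an assumption of this simplified model.
LOW_VALUE_LIMIT_EUR = 30.00
CUMULATIVE_LIMIT_EUR = 100.00


@dataclass
class CardState:
    """Per-card counter the issuer keeps since the last successful SCA."""
    cumulative_exempt_eur: float = 0.0


def sca_satisfied(factors):
    """Two-factor rule: factors must span at least two different categories.
    A password plus a security question is still only 'knowledge'."""
    return len(set(factors) & CATEGORIES) >= 2


def low_value_exempt(amount_eur, state):
    """Small payment, and previous exempt spend since the last SCA is still
    within the cumulative cap."""
    return (amount_eur <= LOW_VALUE_LIMIT_EUR
            and state.cumulative_exempt_eur <= CUMULATIVE_LIMIT_EUR)


def authorise(amount_eur, factors, state):
    """Issuer decision for a card-not-present payment. `factors` is what the
    checkout collected through the 3D Secure challenge. Returns
    (approved, reason) and updates `state`."""
    if sca_satisfied(factors):
        state.cumulative_exempt_eur = 0.0  # full SCA resets the counter
        return True, "authenticated with two factors"
    if low_value_exempt(amount_eur, state):
        state.cumulative_exempt_eur += amount_eur
        return True, "low-value exemption"
    # A checkout that cannot present a second factor ends up here: this is
    # the lost sale the article warns about.
    return False, "declined: SCA challenge required but not completed"
```

Run a series of `authorise()` calls against one `CardState` to see how a string of small exempt purchases eventually exhausts the cap and a larger basket is declined unless the checkout can deliver a second factor.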