What is PSD2 SCA?

Strong Customer Authentication (SCA), a requirement of the EU's Revised Payment Services Directive (PSD2), is designed to improve online payment security and increase consumer confidence. It applies to most card-not-present payments, and requires issuers to authenticate their customers during certain payments using two-factor authentication.

Here's what we'll cover

 

Spotlight

Online workshop

Join our experts to hear about SCA best practices relevant to different business models.

Featured article

Learn why the SCA extension is both an opportunity and a challenge for merchants.

Featured blog

A thoughtful look at the SCA state of play, with advice for merchants.

PSD2 SCA

Authentication strategy

SCA is an opportunity to provide your customers with an even smoother, more secure experience. Find out what you should consider when developing an authentication strategy for your unique business needs.

AUTHENTICATION STRATEGY

Understanding SCA

 

When does SCA apply?

SCA applies to most card-not-present payments, and requires issuers to authenticate their customers during certain payments using two-factor authentication.

When doesn't SCA apply?

Some card-not-present transactions fall outside the scope of SCA. The main out-of-scope transaction types are:

Mail order / telephone order (MOTO)

Transactions in the MOTO channels are exempt.

Merchant-initiated transactions (MIT)

MIT transactions of both variable and fixed amounts, including subscriptions, are generally exempt. SCA only needs to be applied to the first in a series of recurring payments, initiated by the payer.

One-leg-out

Transactions where either the issuer or acquirer is located outside the European Economic Area (EEA) are out of scope. SCA should still be applied on a “best efforts” basis.

What does it mean for merchants?

Although SCA is a requirement for issuers, you can help ensure that your customers get the smoothest experience possible when authenticated. The payments industry wants SCA to be friction-free and is creating new processes and technologies to make that happen. But you and your customers can only benefit if you actively enable these innovations.

Want a deeper introduction?

Watch our on-demand webinar for an overview of SCA and what you should consider for your own strategy.

AUTHENTICATION STRATEGY

Building your strategy

 

Think about your business goals

Decide what makes more sense for your wider business objectives: Doing the minimum to avoid declined transactions once SCA is applied? Or using SCA as an opportunity to offer a checkout experience that is both more secure and smooth? If it's the latter, you should consider adopting the latest SCA-related innovations.

The role of 3-D Secure (3DS)

The card payment industry widely accepts 3DS as the main authentication protocol. To help avoid issuer declines after SCA , merchants should support 3DS. Unlike 3DS 1, 3DS 2 allows for mobile-friendly authentication and innovations such as biometric verification. It also allows you to help issuers avoid unnecessary authentication challenges by informing them when a transaction is merchant-initiated or qualifies for an exemption.

AUTHENTICATION STRATEGY

Making the most of exemptions

 

Why are there exemptions to SCA?

The regulation is complemented by some exemptions—specific low-risk scenarios when SCA is not required. Exemptions aim to support a frictionless checkout. By taking advantage of these exemptions, you can reduce friction without increasing risk for your customers—a win-win scenario.

What are the exemptions?

There are four main exemptions:

Low-value (below €30) transactions

Remote transactions up to €30 do not require SCA up to a maximum of five consecutive transactions or a cumulative limit of €100.

Trusted listing

This applies if a customer adds you to a trusted list, supported by their issuer. It tells the issuer the customer wants to skip SCA step-up when buying from you.

Low risk

Under certain conditions, acquirers and issuers can perform real-time risk analysis on transactions and, if they assess the risk to be low, ask the issuer to forego SCA. Talk to your acquirer to understand your options. Issuers can also forego SCA based on their own risk analysis.

Corporate cards

Payments made through dedicated corporate processes and protocols (e.g. lodge cards, central travel accounts and virtual cards) which are initiated by business entities, not available to consumers, and which already offer high levels of protection from fraud, may be exempted from SCA.

How to request SCA exemptions

Only a 3DS 2.2 version of the protocol lets you request an applicable exemption. You'll need exemption optimisation capabilities: a way for your system to reliably identify when transactions qualify for an exemption, and then apply the correct 3DS 2.2 flags.

Look out, too, for future opportunities to help customers use the trusted listing exemption.  

Next steps

There's no "one-size-fits-all" authentication strategy.

Your overall approach and exemption requests will depend on the nature of your business, your customers' expectations and your business objectives. Contact us to discuss your needs and learn how we can help you develop the best strategy for your business.

PSD2 SCA

Fraud management strategy

Shifting fraud patterns usually call for shifts in focus—and sometimes new techniques—in fraud management. SCA will make fraudsters work harder, so it's likely that fraud teams will need to move beyond “blunt” approaches and basic tools to a more balanced and sophisticated approach. Have you considered what this might look like for your business?

FRAUD MANAGEMENT STRATEGY

Does SCA make fraud screening unnecessary?

 

No, remember out-of-scope and exempt transactions

Since SCA doesn't apply to all transactions, your only protection for out-of-scope and exempt transactions is to continue to screen them for evidence of fraud. In fact, fraudsters may focus on these transactions more than ever before.

Plus, you’ll need fraud screening to qualify for the low-risk exemption

Your acquirer can only apply the low-risk exemption, if their cumulative fraud rate remains below a specific threshold. They'll expect you to play your part with low fraud rates of your own, irrespective of whether you're ultimately liable for chargebacks. And card schemes will continue to require merchants to remain below scheme-specific fraud thresholds.

And don't forget fraud management best practices

There's a reason why experts recommend multilayered, cross-channel fraud prevention and warn against relying too much on any single authentication or fraud screening method. Cybercriminals are not known for giving up easily, so while SCA is an important tool in the fight against fraud, it's no substitute for a strategy that combines SCA with active fraud screening.

For more information on SCA and why fraud screening remains vital, read our guide .

FRAUD MANAGEMENT STRATEGY

How will SCA affect fraud management?

 

Under SCA, expect fraudsters’ tactics to evolve

We know from experience that changes in purchasing and payment processes lead to shifts in fraud patterns. We can expect the same to happen once SCA is applied. We can't know for sure what changes we'll see as fraudsters adapt, but we can make educated predictions about how they'll exploit gaps in SCA coverage.

Read this article to gain insight about how fraudsters might try to work around SCA. 

Related products

Fraud and risk management

Protect and help grow your revenue with our multilayered solution.

Fraud management essentials

Use pre-configured filters to easily set up your fraud strategy while still providing a seamless customer experience.

Delivery address verification

Correct mismatched address information for over 200 countries and territories.

Next steps

Is your fraud management strategy ready for SCA?

With SCA set to reshape the fraud landscape, now is a good time to adopt fraud management best practices. Contact us to discuss how we can help you develop a strategy for your unique business needs.