What is strong customer authentication?

To prevent fraud even more effectively, the EU introduced a new regulation, which requires companies to integrate even stricter authentication procedures in their payment processes. This regulation is known as ‘strong customer authentication’ (SCA) and is meant to supplement the PSD2.

The most important component of SCA is the two-factor authentication. The system uses two of the following security components.

Something the person knows:

password, PIN, or security answer

Something the person owns:

a mobile phone, hardware token, etc.

Something the person is:

biometrics such as fingerprint or face scan

Each of these elements must be independent of each other, so that the security of the others is not compromised in the event of a security breach. SCA as a whole must be designed logically in such a way that the confidentiality of the authentication data can be guaranteed at all times.

Exemptions from using SCA processes

According to the SCA regulation, some types of transactions are exempt from strong customer authentication. In certain exceptional cases, it is at the discretion of the merchants, issuers and acquirers whether SCA is required from the consumer or not.

With all exemptions, the respective authentication process remains invisible for the user: Transactions are carried out like transactions without 3D Secure, thereby guaranteeing a smooth customer experience.

Low-value transactions:

  • Low-value transactions under €30
  • The maximum number of subsequent transactions without SCA is 5
  • The maximum cumulative amount of transactions without SCA is €100 or for payments at the POS it is €150

Transactions with low security risk or TRA exemptions

  • Under the TRA (transaction risk analysis) exemption, payment service providers (PSPs) are allowed to not apply strong customer authentication (SCA).
  • For transactions above €30, a new procedure of risk-based authentication has to be put in place depending on the reference fraud rates of the acquiring bank and the issuer - not of the merchant
  • Acquirers and issuers have the capability of conducting ongoing risk analysis on transactions and make a risk-based decision, thus temporarily suspending the SCA
  • These are the limits that apply: €100 for a fraud rate of < 0.13; €250 for a fraud rate of < 0.06; €500 for a fraud rate of < 0.01

Subscriptions, corporate payments, or transactions based on a whitelist:

  • Recurring transactions with the same amount for the same purchase
  • The SCA is only required for the first transaction
  • Secure B2B payments via dedicated payment processes/protocols are exempt
  • The cardholders can whitelist merchants or beneficiaries together with their bank.

Transactions outside the scope of SCA:

  • Merchant-Initiated Transactions (MIT)* and Direct Debits
  • Telephone orders or in writing via fax or order form (MOTO)
  • Cross-border transactions where either the issuer or the acquirer is not located within the European Economic Area (EEA)
  • Purchases using anonymous payment methods, such as anonymous prepaid cards
*Merchant initiated transactions are payments that are initiated by you, the merchant (not your customer), relying on an agreement that you have in place with your customers allowing you to initiate payments on their behalf.
business, lady, woman

A smooth customer experience thanks to risk-based authentication (RBA)

Thanks to RBA, cart abandonment can be significantly reduced.

A process known as risk-based authentication can be applied to transactions of between €30 and €500 that have been classified as low-risk. Thanks to RBA, customers are spared additional authentication, and their experience is improved. If a transaction is classified as suspicious, customers can undergo additional authentication. The more transaction data is made available, the easier it is to assess the risks.

Benefits of RBA

  • Smoother payment process up to a value of €500
  • The security level, but with much less work
  • Better conversion and fewer abandened carts during the payment process
Back to 3D Secure v2

Get further advice and recommendations on SCA implementation >>

WE ARE HERE TO HELP
LET’S TALK!

Our Account Managers will support you in the process of integrating digital payments solutions to allow the best experience to your future customers.


    I confirm I have read the Privacy Policy*.

    According to the Data Protection Act 2018 UK, we inform you that your data will be processed by PayXpert LTD (“PayXpert”), with registration number 09647756. You can freely and voluntarily provide the information requested in the form except for the fields that appear as mandatory. The non-introduction of the information requested as mandatory may have the consequence that your request can not be addressed. This information has the purpose of managing your request and/or complaints raised before it for which you are giving your explicit consent. We inform you that you may exercise your rights of access, rectification, erasure, object, portability, restriction in processing and to be forgotten by contacting PayXpert at externalisation@dpo-consulting.com.

    Let's talk about payments!

    START SELLING WITH PAYXPERT NOW!
    Scroll to Top