SCA: Why Do I Care?

What is SCA?

Strong Customer Authentication (SCA) is being introduced by the financial services industry across the EU. It is aimed at making online payment transactions more secure by introducing extra authentication into the payment process. For instance, in addition to entering your card details to pay for something online, you might also have to enter a PIN that you have just been sent to your phone.

If your website takes online payments then you may have to make changes for SCA.

From Wikipedia: Strong customer authentication (SCA) is a requirement of the EU Revised Directive on Payment Services (PSD2) on payment service providers within the European Economic Area. The SCA requirement comes into force from 14 September 2019. The requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments. Physical card transactions already commonly have what could be termed strong customer authentication in the EU (Chip or Contactless and PIN), but this has not generally been true for Internet transactions across the EU prior to the implementation of the requirement.

When Does SCA Happen?

14th September 2019 was going to be the date when SCA had to be fully operational for everybody. However, the FCA have changed this to become a start date with an 18 month period by when SCA has to be fully implemented.

This means that some banks and card companies may introduce extra authentication as early as 14th September and some may wait up to a further 18 months. We don’t know! However, what we do know is that if your website is not ready for SCA and somebody tries to pay for something online and their bank requires the extra authentication, the payment will fail. Therefore, although there is no legal requirement to have your website SCA compliant by 14th September, you might want it to be compliant sooner rather than later so you do not miss out on payments.

You will need to decide for yourself whether you feel it is better to be ready asap or whether it is better to defer the work and wait to see what happens.

Will I Need To Do Something?

There are different ways that websites can be set up to take payments. Two of the most common ways are:

  • Card details are directly entered into a page on your website (such as our domain management system as shown in the screenshot below)
  • Card details are entered into a page that is separate to your website and is provided by a card processing company (such as the WorldPay payment page shown below)
RPM_Domains_Screenshot
RPM Domains Screenshot
WorldPay Screenshot
WorldPay Screenshot

If your website simply links to a page that is separate to your website (such as the WorldPay example above) then check with the card processor to make sure that they are changing their system and that they do not need you to do anything.

If your website takes payments on a page in your site then you will almost certainly need changes made so please read on …

How Will My Website Need To Change?

With SCA, when a customer enters their card details into your website to make a payment to you, there could be three outcomes:

  1. Everything’s ok, the charge goes through (as now)
  2. Something’s wrong, the charge fails (as now)
  3. Further authentication is required to decide whether or not the charge will go through – this is the new bit!

Further authentication can include a number of things (such as entering a PIN, receiving a code to your mobile, confirming with your fingerprint, answering a security question, …). Different banks/card companies will be using different things for different transactions and different circumstances.

That further authentication will result in your website having to ask an extra question (eg “enter the code number just sent to your phone”). The website will then have to send that off to the card processor to check to see whether your customer has entered the correct details before it is decided whether the transactions is successful or not.

This video shows some test transactions so you can see how things might work with SCA on your website. Note that the popups you see here are from a test card processing system. Real live popups will ask you to enter the authentication response, not just click a button!

 

What needs to be done?

If you have card processing built in to your website then your website needs extra functionality built in to it to handle authentications. This includes handling extra communication with the card processor and, through them, to the bank. As a result, although the payment forms and messages you show your customer may remain largely unchanged (depending on how that communicates with your website’s server code and to the card processor), most of your site’s payment processing (behind the scenes) will change. In addition, your site may have to communicate with a different system/product from the card processor.

However, the plus side of this is that the processing flow can be more streamlined and, if required (and depending on your site and the card processor you use) may be able to be fully achieved all on one page. The lower drop-out rates you obtain from using an on-site payment solution can be further improved with a complete single-page solution. With the example you saw above (our domain renewal system) you will see that we have left the site using two pages (a payment page and a thank you page) but this could have been further streamlined into one page, maybe for you this might offer the opportunity to offer up-sells or cross-sells etc.

If you have the enthusiasm to work through a before and after payment processing flow then you may find these helpful:

non SCA payment flow
Non-SCA Payment Flow
SCA Payment Flow
SCA Payment Flow

 

What To Do Next?

Drop us an email to when you are ready to look into this further and we’ll check out how your website needs to change to incorporate SCA.