As of 14th September 2019, new requirements have been outlined for the processing and authentication of online payments. This new legislation aims to improve on the previous PSD1 guidelines by strengthening consumer rights and adding increased levels of security to consumer transactions.
What is SCA?
Strong customer authentication, otherwise known as SCA, is the name of the regulation published by the European Union that affects online payments. In order to accept online payments, you must adhere to its guidelines and requirements. SCA sets out the rules that must be followed by all online payment companies and businesses. Banks will decline any payments that do not abide by SCA.
What are the PSD2 SCA requirements?
In an effort to reduce fraud, processing an online payment now requires that any two of the following checks take place and are confirmed:
- Knowledge - this could be in the form of a password or PIN code.
- Possession - using a device such as a mobile phone to confirm the person making the payment.
- Inherence - technology such as fingerprint scanners or facial recognition to verify their identity.
When does SCA PSD2 apply?
SCA applies to all face-to-face and digital transactions; however, payments under €30 are not subject to the two checks stated above. It’s also worth noting that chip and PIN transactions are already compliant with SCA PSD2 because of the information held with your bank and the requirement of your personal PIN code.
Subscription payments may also qualify for exemption from SCA checks after the initial payment. For example, if you subscribe to a service that charges you monthly, it’s likely that you would only have to provide 2 forms of identification during the sign-up process.
A customer can also inform their bank of any businesses they’d like to permit to process payments without SCA checks. The business will be known as a ‘trusted beneficiary’ for the customer, and the bank or payment provider can authenticate payments without requiring two forms of identification.
Corporate transactions are also unlikely to require SCA checks by the payment processor. This is only the case when the payment is being made by a business and not an individual, and is processed through a secure payment portal.