Secure Consumer Authentication (SCA) Required for Intra-European eCommerce Beginning September

To maintain compliance with the European Union’s Second Payment Services Directive (PSD2), merchants in Europe will have to perform Secure Consumer Authentication on most non-recurring transactions greater than €30 within the European Economic Area (EEA) starting September 14th. Secure Consumer Authentication, or SCA, refers to consumer authentication services with two-factor authentication facilitated by a dynamic code or biometric verification.

These new regulations, coming into effect on September 14th, will increase the use of consumer authentication programs, as 3D Secure 2.0 will be the primary authentication method for meeting these requirements. SCA requires two-factor authentication, and banks will decline transactions that don’t complete this authentication.

Low-dollar and low-risk transactions can be exempt from SCA. This includes recurring or merchant-initiated transactions, corporate payments and payments under €30. Other transactions can be defined as low-risk and avoid SCA depending on the fraud rates of the acquiring and issuing banks involved in the transaction. For banks with fraud rates below 13 basis points, or 0.13 percent, transactions up to €100 can avoid SCA. If the acquiring and issuing banks involved have fraud rates below 6 basis points (0.06 percent), then only transactions greater than €250 require SCA. This threshold increases to €500 for acquiring and issuing banks with fraud rates less than 1 basis point, or 0.01 percent of transactions.

While consumer authentication or 3DS 2.0 will satisfy SCA requirements for credit and debit card transactions, the PSD2 applies to all electronic online payments, which includes bank-account-based payment methods like iDEAL, Sofort and others. These payment methods will require other methods of authentication that meet SCA requirements, which call for two of the following:

  • Something the customer knows (static password or PIN)
  • Something the customer has (mobile device or hardware token)
  • Something the customer is (biometrics like fingerprint or facial recognition)

For more information:

Merchants can’t let ‘PSD2’ and ‘SCA’ be vague initials

© The Fraud Practice LLC 2012