Payments Toolkit – Strong Customer Authentication (SCA)


New payment legislation that has come into force could mean you’re left in an uncomfortable situation of dealing with declined card transactions.
Read this guide to find out why this has happened so you can reassure your customers and spare them any embarrassment.

What is Strong Customer Authentication (SCA)?

In January 2018, the European Payment Services Directive II (PSD2) took effect and with it introduced new laws aimed at reducing online fraud and protecting consumer rights. An important element of PSD2 is the introduction of SCA for in-store and online transactions, which requires payments to be validated using a two-factor authentication process.

Whilst PSD2 came into force on 14th September 2019, the FCA announced on Friday 28th June 2019 that it will not enforce the full requirements of PSD2 to give both financial institutions and merchants further time to prepare to support the legislation.

PSD2 outlines that secure authentication uses two independent factors in both face-to-face and online transactions. These factors can be something the customer knows (e.g. a unique passphrase), something the customer is (e.g. a fingerprint scan) or something the customer possesses (e.g. a mobile phone). A Chip and PIN transaction in store already adheres to SCA, with contactless transactions subject to usage and value limits before further authentication is required. A new decline code has been introduced that will ask the cardholder to complete a Chip and PIN transaction where that extra authentication is required.

If merchants are not SCA compliant then card issuers may be obliged to decline certain transactions. In turn many businesses could see a spike in card declines if they don’t put the right measures in place.

Once SCA has come into force, your business and customers will benefit from increased levels of security and a reduced risk of fraud.

What this guide contains

  • What’s happening
  • When it’s happening
  • What to do
  • How to inform your customers
  • Customer notice – download and print
  • Other useful resources

 

Will SCA apply to all transactions?

Check what types of transactions will be affected by SCA


The Bira SCA Toolkit:
 

What do you need to do?

Making sure your staff know what is happening is key. For example, for face-to-face transactions, let them know that some customers paying by contactless may be asked to insert their card and enter their PIN. In this instance it would be useful for you or your staff to let the customer know that there are no problems with their card; it is simply an extra security check requested by their card provider. You could print and display the signage to help explain SCA to your customers.

The changes you need to make for SCA depend on the type of transactions you process. Please refer to the following sections to see what you need to do for different payment methods.

Face to Face Transactions

Chip and PIN transactions – these already comply with the SCA requirement for two-factor authentication. Your customer is in possession of their card and they know their PIN.

Transactions made using a mobile device – devices like mobile phones also comply with SCA, as the customer is in possession of their phone and uses a fingerprint or facial recognition to uniquely identify themselves.

Contactless Payments – these are exempt from the regulation. However, there are limits to the use of this exemption and additional security requirements may be requested by the card issuer. A new decline code has been introduced that will ask the cardholder to complete a Chip and PIN transaction where that extra security is required.

What do I need to do?

Contact your terminal providers to discuss the decline code changes needed for the step up from a Contactless to a Chip and PIN transaction. Bira members on the Global Payments card processing scheme do not need to contact them; Global Payments will ensure these changes are made.

Then it’s really down to ensuring that you and your staff understand what’s happening and are ready to reassure cardholders that there’s no problem with their card or their account, just that it’s an extra security check requested by their card issuer.

MOTO and Merchant Initiated Transactions

MOTO (Mail Order/Telephone Order) transactions and Merchant Initiated Transactions (Stored Credential Transactions, also known as Credential on File Transactions, where card details are stored for future use) are out of scope for SCA. However, if the card issuer doesn’t know that a transaction is one of these kinds, they may request SCA. If the cardholder is unable to provide the necessary authentication, the transaction will be declined.

What do I need to do?

It’s critical that all transactions are flagged correctly.

If you use the Global Payments E-Commerce Platform (previously Realex Payments), their Global Payments Credential on File Solution and Channel flags provide you with all the tools you need to correctly identify MOTO and MIT transactions.

If you use a third-party provider for your ecommerce services, you need to review the way in which you accept card payments. Please speak to your solution provider to make sure your solution is up to date with all the flagging requirements and that they’re making changes for the SCA mandate. The Global Payments 3DS 2 solution may be used alongside your existing gateway solution, if required. You can contact Global Payments on the email above for help with this.

For mail order/telephone order (MOTO) transactions you’ll need to ensure your Online Terminal supports the correct flagging to make sure these transactions remain out of scope of SCA.

Ecommerce Transactions

Payments made via a website require SCA. These transactions must now support 3D Secure, the ecommerce authentication protocol provided by the Card Schemes, such as Mastercard and Visa. This allows the cardholder to authenticate themselves as the genuine holder of the card. Under PSD2, card issuers are obliged to challenge and potentially decline transactions that don’t comply.

What do I need to do?

If you use the Global Payments E-Commerce Platform (previously Realex Payments), their Global Payments 3D Secure Solution provides you with all the tools you need to perform authentication using both 3DS 2 and 3DS 1. You can dynamically switch to the most appropriate solution depending on issuer support.

If you use a third-party provider for your ecommerce services, you need to review the way in which you accept card payments. Please speak to your solution provider to make sure your solution is up to date with all the flagging requirements and that they’re making changes for the SCA mandate. The Global Payments 3DS 2 solution may be used alongside your existing gateway solution, if required. You can contact Global Payments on the email above for help with this.

New Authentication Fees from September 2019

Visa are introducing a fee for Visa Secure, their 3D Secure 2 solution, from September 2019. This mirrors what Mastercard charge for using their Identity Check service. From 1st September 2019, the current Mastercard Identity Check fee will change to include Visa ecommerce transactions as well. The fee will remain the same.

Mastercard SecureCode Fee

More details of the technical requirements for SCA can be found on the Global Payments website here.

How to inform your customers

This legislation, particularly for Contactless payments, could lead to potentially embarrassing situations for your customers if you aren’t aware of why they’re being asked for this authentication. So you and your staff can be fully aware of what’s happening and what to say to your customers, we’ve created this useful download for you to print out and leave by your tills.

Why not print a few extra to hand out to some of your neighbouring shops?

Download your SCA signage


In summary

  • Remember, these changes are being made to increase consumer protection, improve payment security and prevent fraud, which will benefit your business.
  • It’s important that you understand what the SCA requirements are and that your staff are prepared.
  • If you own or rent your terminal from another source or use a third party provider other than Global Payments for your ecommerce service, contact them immediately to ensure they’re making the necessary changes.

Useful links and resources

  • Download your SCA signage
  • Visit the Strong Customer Authentication section of the Global Payments website for more information.

In partnership with Global Payments