Payments Toolkit – Strong Customer Authentication (SCA)
New payment legislation coming into force this September could mean you’re left in an uncomfortable situation of dealing with declined card transactions. Read this guide to find out why this is happening so you can reassure your customers and spare them any embarrassment.
What is Strong Customer Authentication (SCA)?
From the 14th September this year, cardholders will be required to authenticate themselves before a transaction is completed, a process called Strong Customer Authentication (SCA).
All electronic payments, whether face to face or remote, will require SCA. This authentication can be face to face, online or over the phone and must use at least two independent factors. These factors can be something the customer knows (e.g. a unique passphrase), something the customer is (e.g. a fingerprint scan) or something the customer possesses (e.g. a mobile phone). A chip and PIN transaction in store already adheres to SCA. A Contactless transaction is exempt from the regulation, but has increased security based on the frequency of use. Independent retailers need to understand this change and ensure they are compliant ahead of the 14th September 2019 deadline.
What this guide contains
- What’s happening
- When it’s happening
- What to do
- How to inform your customers
- Customer notice – download and print
- Other useful resources
In January 2007, the EU Payment Services Directive (PSD) took effect and, with it, introduced new laws aimed at reducing online fraud and protecting our consumer rights. In January 2018, the second Payment Services Directive (PSD2) came into force. An important element of PSD2 is the introduction of SCA on 14 September 2019 for in-store and online transactions, which requires payments to be validated using a two-factor authentication process.
Will SCA apply to all transactions?
The Bira SCA Toolkit:
What will you have to do?
Making sure your staff know what is happening is key. For example, for face to face transactions, let them know that some of your customers paying by contactless may be asked to insert their card and enter their PIN. In this instance it would be useful for you or your staff to let the customer know that there are no problems with their card; it is simply an extra security check requested by their card provider. You could print and display the signage to help explain SCA to your customers.
The changes you need to make for SCA depend on the type of transactions you process. Please refer to the following sections to see what you need to do for different payment methods.
Face to Face Transactions
– Chip and PIN transactions – these already comply with the SCA requirement for two factor authentication. Your customer is in possession of their card and they know their PIN.
– Transactions made using a mobile device – devices like mobile phones also comply with SCA, as the customer is in possession of their phone and uses a fingerprint or facial recognition to uniquely identify themselves.
– Contactless Payments – these don’t fulfil the requirement for two factor authentication but are exempt from the SCA requirement. However, additional security requirements may be requested by the card issuer. A new decline code is being introduced that will ask the cardholder to complete a chip and PIN transaction where that extra security is required.
What do I need to do?
Contact your terminal providers to discuss the decline code changes needed for the step up from a Contactless to a chip and PIN transaction. Bira members on the Global Payments card processing scheme do not need to contact them; Global Payments will ensure these changes are made.
Then it’s really down to ensuring that you and your staff understand what’s happening and are ready to reassure cardholders that there’s no problem with their card or their account, just that it’s an extra security check requested by their card issuer.
MOTO and Merchant Initiated Transactions
– MOTO and Merchant Initiated Transactions (Stored Credential Transactions, also known as Credential on File Transactions, where card details are stored for future use) are out of scope for SCA. However, if the card issuer doesn’t know a transaction is one of these kinds, they may request SCA. If the cardholder is unable to provide the necessary authentication, the transaction will be declined.
What do I need to do?
It’s critical that all transactions are flagged correctly.
If you rent your terminal from Global Payments or use our E-Commerce Platform, they’ve made all the necessary changes to ensure transactions contain the correct flags. If you own or rent your terminal from another source or use a third-party provider for your ecommerce service, contact them immediately to ensure your transactions are flagged correctly.
– Payments made via a website require SCA. These transactions must now support 3D Secure, which is the ecommerce authentication protocol by the Card Schemes, such as Mastercard and Visa. This allows the cardholder to authenticate themselves as the genuine holder of the card. Under PSD2, card issuers are obliged to challenge and potentially decline transactions that don’t comply.
What do I need to do?
If you use the Global Payments E-Commerce Platform (previously Realex Payments), this will support 3DS2 from September 2019. You should have already received communications from them about the changes you need to make to comply with the new SCA requirements. If you’ve any questions about the changes or would like more information on our E-Commerce Platform, please email email@example.com.
If you use a third-party provider for your ecommerce services, you need to review the way in which you accept card payments. Please speak to your solution provider to make sure your solution is up to date with all the flagging requirements and that they’re making changes for the SCA mandate. Our 3DS2 solution may be used alongside your existing gateway solution, if required. You can contact Global Payments on the email above for help with this.
3DS2 will eventually replace 3DS1. However, this won’t be until later in 2021, so both will need to work together.
New Authentication Fees from September 2019
Visa are introducing a fee for Verified by Visa authentications, their 3D Secure 2 solution, from September 2019. This mirrors what Mastercard charge for using their SecureCode service. From 1st September 2019, the current Mastercard SecureCode Fee will change to include Visa ecommerce transactions as well. The fee will remain the same.
More details of the technical requirements for SCA can be found on the Global Payments website.
How to inform your customers
This legislation, particularly for Contactless payments, could lead to potentially embarrassing situations for your customers if you aren’t aware of why they’re being asked for this authentication. So that you and your staff can be fully aware of what’s happening and what to say to your customers, we’ve created this useful download for you to print out and leave by your tills.
Why not print a few extra to hand out to some of your neighbouring shops?
• Remember, these changes are being made to increase consumer protection, improve payment security and prevent fraud, which will benefit your business.
• It’s important that you understand what the SCA requirements are and that your staff are prepared.
• If you own or rent your terminal from another source or use a third-party provider other than Global Payments for your ecommerce service, contact them immediately to ensure they’re making the necessary changes.
Useful links and resources
• Download your SCA signage here
• Visit the Strong Customer Authentication section of the Global Payments website for more information.
In partnership with Global Payments