Total Processing > Blog > Payments > Why is Strong Customer Authentication important?

Why is Strong Customer Authentication important?

Why is Strong Customer Authentication important?


Faye Duncan


04 Apr 2023

Read time

4 Minutes



Back in 2016, in Europe, fraudulent activity from card use amounted to a huge €1.8billion, 73% of that was from card-not-present (CNP) transactions. So, there’s no wonder something had to be done to tackle this.

That’s where Strong Customer Authentication (SCA) came in. But what is it and how will SCA impact your business? Let’s take a look…

What is Strong Customer Authentication?

The sole purpose of Strong Customer Authentication is to make payments more secure. It does this by requiring additional information from the customer when trying to make a purchase via a debit or credit card.

It’s part of the Revised Payment Services Directive (PSD2), a set of laws and regulations for payment services in the UK, EU and EEA, to reduce the risk of fraud for online and offline contactless payments.

Examples of SCA

There are three levels of authentication: something they know, something they own and something they are. When making a purchase, the customer will be asked to provide two of them. But what information is actually required? It’s more than likely that everyone has provided authentication at some point without even realising it, but let’s take a look at the main examples.

Examples of SCA come under three categories: knowledge (something they know), possession (something they own) and inherence (something they are)

When is Strong Customer Authentication required?

SCA is required when a customer uses their card online or via a contactless offline payment; it’s classed as a ‘customer-initiated’ payment. The checks are required when both the cardholder’s bank and the merchant’s bank are based in the European Economic Area (EEA). So, if the merchant is in America, for example, then it’s not required.

If a business fails to comply with SCA, the Financial Conduct Authority (FCA) may have to step in to enforce action. So, it’s very important that your business takes this seriously.  

How does Strong Customer Authentication work?

There are a few ways in which SCA can be implemented depending on the method of payment. There’s the obvious PIN for offline card payments, but for online card payments, the most common way is to apply 3D Secure 2. This protocol adds an extra layer of security often via two-factor authentication, for example, the customer’s usual password, plus a one-time passcode sent to their device.

Alternative payment methods, like Apple Pay, often already have an authentication in place, such as biometrics, like facial recognition. This form of authentication is used so often these days. It’s even used just to unlock a smartphone, so many consumers don’t see it as a friction point anymore; it’s just part of the process.

Exemptions to Strong Customer Authentication

Can you imagine having to authenticate a payment every single time? You won’t be alone if you’d find that pretty annoying. That’s why there are some types of payments that don’t always need to go through SCA. Ultimately, it’s up to the bank, but Total Processing can help you put exemption requests in place if the additional security checks don’t seem necessary, just to improve the flow for the customer.

Although to avoid any exemptions being rejected by the bank, each transaction will need to be flagged with the correct type of payment.

Low-risk transactions

Since SCA has been introduced to lower the risk of fraud, it’s not surprising that low-risk transactions are often the most common exemption. However, there are fraud rate thresholds that the payment provider or bank cannot exceed to grant this:

Low-value transactions

The lower the value of a transaction, the lower the risk, so it won’t come as a surprise that there’s a set value where SCA is more likely to be exempt; this value is €30. Transactions below this value can be completed up to five times before some kind of authentication is required, or if the total value of previous transactions reaches €100. The cardholder’s bank will keep track of the value and amount of transactions made to determine whether authentication is needed.

Contactless payments

This exemption is potentially the one that your consumers will be most used to nowadays, especially with contactless payments. The value has increased over recent years due to the COVID-19 pandemic to encourage more contactless payments. Currently, a consumer can spend £100 per transaction without having to go through SCA. However, once the total value hits £300, additional checks will be requested, for example, they may need to enter their PIN.

Recurring transactions

Netflix is the perfect example! Once a customer has signed up for a subscription, or another recurring-based model, and has passed all the relevant checks, as long as the payment is the same every month, there will be no more SCA requirements.

Merchant-initiated transactions

Similar to recurring payments, a merchant-initiated transaction can skip SCA once the customer has passed the initial authentication. This type of payment saves the customer’s card details so that the payment can be taken at regular intervals but the value can vary, like a utility bill.

Trusted seller

The customers themselves also have the option to add a business they trust to a whitelist. So if they regularly shop online from a particular website, they won’t have to authenticate the payment every time. Perfect for those shopaholics who love a good haul!

Phone sales

Phone sales, also known as Mail Order and Telephone Orders, don’t require SCA either. So if a customer is providing card details over the phone, they shouldn’t need to be authenticated first. However, it goes without saying, that providing card details over the phone, should always be done with caution.

Corporate payments

B2B transactions, such as employee expenses, can also be exempt from SCA.

Potential impact on your business

We all know preventing fraud is really important; it protects both the customer and your business. But there may still be occasions that it could have a negative impact.

One of the main reasons a consumer may abandon their shopping cart is because the checkout page is too complicated. Add in more security checks and this could instantly put them off, especially those consumers who aren’t used to shopping online and are already unsure about the security risks.

So, what can you do to prevent that loss of sales?

  • Inform your customers about why additional checks are required
  • Offer multiple payment methods so they can use their preferred option
  • Make the rest of your checkout page as simple as possible

Need specific information about how SCA will impact your business and how to implement it? Get in touch with our experts today.

Ready To Start
Accepting payments?