Strong customer authentication

Enhance online payment security with Strong Customer Authentication (SCA) - a vital requirement under the PSD2 mandate, reducing fraud and boosting trust in e-commerce.

Overview

Required plan

This feature or setting is available to all customers on any Recurly subscription plan.

Definition

SCA is a European regulatory requirement designed to enhance the security of online payments and reduce fraud. It is a crucial aspect of the Revised Payment Services Directive (PSD2). SCA mandates additional authentication during online transactions, ensuring customers confirm their identity and thereby affirming their legitimate ownership of the credit card in use.

Key details

Strong Customer Authentication (SCA)

Strong Customer Authentication (SCA), a key requirement of the Revised Payment Services Directive (PSD2), is a regulatory mandate set by the European Union to bolster the security of online payments and curb instances of fraud. Designed to increase confidence in the online payment ecosystem, SCA mandates the inclusion of an additional layer of authentication during the online checkout process.

To delve deeper, the SCA process necessitates that customers verify their identity, affirming their status as the legitimate holder of the credit card they are utilizing. This additional layer of security works to safeguard against unauthorized transactions and potential fraudulent activities by implementing a two-factor authentication (2FA) model, which includes two or more of the following elements:

  1. Something the customer knows (like a password or a PIN)
  2. Something the customer has (like a token or a smart card)
  3. Something the customer is (like a biometric characteristic, such as fingerprints)

In practical terms, businesses are required to integrate a 3D Secure (3DS) flow into their checkout systems to align with the SCA requirements. The 3DS protocol acts as an added layer of security, facilitating the exchange of data between the merchant, the card issuer, and, where necessary, the cardholder, to authenticate a transaction.

It is critical to note that SCA is applicable to all online transactions in which both the issuing and acquiring banks reside within the European Economic Area (EEA). Non-compliance could have significant ramifications, including potential transaction declines by banks if the necessary authentication has not been conducted.

In summary, SCA under the PSD2 directive is not just about ensuring secure online payments; it is about reshaping the online payment landscape into a more trusted and safer ecosystem for consumers, merchants, and banks alike. As the online world continues to evolve, so too does the importance of robust security measures like SCA.

Helpful resources

  • Adyen: Dive deeper into understanding PSD2 and its implications with Adyen.
  • Braintree: Navigate your preparations for PSD2 with this comprehensive guide from Braintree.
  • Stripe: Explore Stripe's detailed guide on Strong Customer Authentication under PSD2.
  • WorldPay: WorldPay's resource on PSD2 provides a global perspective on this regulation.
  • Cybersource: Learn about the intersection of 3D Secure and PSD2 with Cybersource.

FAQs

Q: Do I need to worry about PSD2?
A: If your business bank or payment provider is in the European Economic Area (EEA) and you have customers there too, then yes, you need to get ready for PSD2 and make sure you have Strong Customer Authentication (SCA) in place. If either you or your customers are outside the EEA, then you don't need to worry about SCA.

Q: Where can I find more technical information on preparing for PSD2?
A: You can find all the technical details you need in our integration guide here.

Q: Will my checkout conversions change because of 3DS?
A: The first version of 3DS could lead to a drop in checkout conversions between 3-15%. But don't worry, the second version aims to limit this to a maximum of 5%. But remember, these numbers can change depending on your country. (Statistics provided by WorldPay)

Q: What's the effect of 3DS on authorization rates?
A: If you're new to 3DS, you can expect your authorization rates to go up from about 84% to 92% with the first version. The second version aims to push this up to 95%. (Statistics provided by WorldPay)

Q: Can 3DS help me reduce fraud?
A: Yes, businesses not using 3DS reported fraud rates of about 0.29%. With the first version of 3DS, this went down to 0.12%. It's hoped the second version will reduce this even further to 0.05%. (Statistics provided by WorldPay)

Q: Will 3DS slow down my transactions?
A: Generally, using 3DS could add up to 10 seconds to your transaction time. If an exemption is rejected and SCA is enforced, this could add another 1-2 seconds. (Statistics provided by WorldPay)

Q: Who can I turn to if I have more questions about PSD2, SCA, or 3DS?
A: While we're always here to help, your payment gateway should be your go-to resource for these kinds of questions. They'll be up to speed on how PSD2 and SCA might affect you and your customers.

Q: What about PayPal transactions?
A: No extra work needed here! PayPal will take care of Strong Customer Authentication in their "Pay with PayPal" process. We will also make sure our integration can handle recurring PayPal payments.

Q: Could 3DS be triggered on recurring payments that I initiate, especially if the value changes?
A: Yes, it's possible. Card issuers can challenge a transaction for any reason. Because of this, we're developing a "3DS dunning flow" to help you manage transactions that fail due to SCA and need to be re-authenticated by your customer.

Q: Will SCA be needed every time I re-bill a customer on a usage-based plan?
A: As long as the transaction is flagged as being started by the merchant (that's you), most re-bills shouldn't need SCA, even if the amount varies. But remember, card issuers have the final say and can ask for SCA on any transaction.

Q: I have a fixed subscription but the first month is prorated. Will the full charge in the second month need SCA?
A: Ideally, you should authenticate the full subscription amount when the customer signs up, even if the first month is prorated. After that, re-bills should generally not need SCA, as long as they're flagged as merchant-initiated. We'll take care of this for you.

Q: What if the original transaction happened before Sept 14, 2019? Will I need to authenticate all of these older transactions?
A: For renewals, we'll try to exempt these transactions from SCA by marking them as "merchant-initiated". This includes subscriptions that started before September 14, 2019. Our goal is to treat these as merchant-initiated so they won't need SCA when they renew on or after September 14.