You may have heard that Europe passed some laws a few years ago (in 2015 & 2018) that require banks to put in place additional checks to authenticate online payments.
The rules, known as Strong Customer Authentication (SCA), were to be put into practice on September 14th, 2019. Well, that hasn’t happened. Why? Because the European Banking Authority also gave national regulators the option to postpone SCA enforcement for select banks and payment providers.
Pretty much all the countries in the EU have taken advantage of that stipulation and have postponed the full rollout of SCA in their respective countries. In most cases, the rollout has been postponed for 18 months or it will happen gradually post September 14th, 2019.
You can see the timeline for each country below.
Regardless of each country’s specific timetable for rolling out SCA, ChargeKeep is 100% ready now. Any customer using a ChargeKeep payment form will be fully authenticated using SCA.
Need an SCA-ready way to collect payments?
With ChargeKeep, you can be up and running in 5 minutes.
What is Strong Customer Authentication (SCA)?
SCA is just a fancy acronym for saying that additional steps will be added to a site’s checkout flow in order to prevent online fraud from happening. In short, to make sure that the person using a credit card to purchase something online is actually the card’s owner.
How will that work in practice? Well, once customers put in their credit card info online, but before the transaction is approved, they will be required to “authenticate” the transaction in two of three ways:
- Customers will need to provide something they know (such us a password or PIN)
- Customers will need to use something they have (such as a phone or hardware token)
- Or, customers will need to verify who they are (by using their fingerprint or via face recognition)
When is SCA required?
SCA applies to online customer payments initiated within Europe (and by “Europe” we mean the European Economic Area). There are some exceptions (such as recurring direct debits), but for the most part most card payments and all bank transfers will require SCA.
When will SCA be rolled out to all EU countries?
Not any time soon, and not on September 14th, is the short answer. At least not fully. Sweden is pretty much the only country that plans to start enforcing SCA on September 14th.
As far as the rest, their plans are basically up in the air. Here’s the vague guidance provided (so far) by each country.
Countries with a phased implementation plan:
- Belgium
- Italy
- The Netherlands
- Spain
Countries with a temporary extension:
- Austria
- Cyprus
- Finland
- Germany
- Ireland
- Luxembourg
- Malta
- Norway
- Poland
- Slovenia
Countries with an 18-month implementation period:
- Denmark
- France
- The UK
Countries with an 12-month implementation period:
- Hungary
How are payments authenticated?
The most common, current way to authenticate European cards is via 3D Secure 2, which is just an authentication standard that is supported by the majority of European cards.
How does this work in practice? Well, after a customer enters in their credit card details and click “buy,” banks will add an extra into the checkout flow that will prompt the cardholder to verify the transaction by proving a one time code (send to their phone), via their fingerprint, or through their mobile banking app.
Other payment methods such as Apple Pay or Google Pay already have a built-in layer of authentication.
Are all payments required to be authenticated?
Not exactly. Specific types of low-risk or low-value payments will be exempt from SCA. The most relevant exemptions for ChargeKeep users are:
- Transactions below €30 (There are some exceptions here based on how often this exemption has been used, but for the most-part, transactions below €30 will be safe)
- Fixed-amount subscriptions (Applies when a customer has made a series of recurring payments for the same amount to the same business. SCA will only be required on the customer’s first payment).
- Company-initiated transactions (Payments initiated by a company on a saved card are exempt, as long as the first payment – or the saving of the card itself – was authenticated).
- Trusted beneficiaries (When making a payment, customers will have the option to “whitelist” a company in order to prevent a future authentication).
- Corporate cards (Transactions using corporate or virtual cards, such as those used for travel expenses, are exempt).
Here’s the most important things to take note of: exemptions are not guaranteed and a cardholder’s bank will make the final decision as to whether or not a payment is exempt. We expect that there will be differences among banks as to which payments exemptions apply to.
What happens if an authentication fails?
If authentication fails, the payment will be resubmitted to the cardholder to be re authenticated. With ChargeKeep, this will happen automatically.
Ready to use SCA to collect payments?
With ChargeKeep, you can be up and running in 5 minutes.