What is Strong Customer Authentication (SCA)?
Strong Customer Authentication (SCA) is where the customer is required by their bank to provide information from two of the following categories to authenticate a transaction:
- Knowledge – something they know – e.g. PIN, passcode, memorable information, etc.
- Possession – something they have – e.g. a card, key fob, phone, etc.
- Inherence – something they are – e.g. fingerprint, iris scan, facial recognition, voice, etc.
These two categories of information must be independent of each other, in that if one is compromised, it can't be used to obtain the others. For example, someone who only has possession of a security pass (Possession) should not be able to use it to authorise the reset of their password (Knowledge).
Strong Customer Authentication (SCA) is supported by Trust Payments using EMV 3DS authentication.
What is PSD2?
The Revised Directive on Payment Services (PSD2) is a set of laws and regulations for payment services in the EU and EEA. If you are processing eCommerce transactions (ECOM), this directive mandates that you fulfil the following requirements:
- If your business operates from one of the countries in which PSD2 is in effect (refer to our list below), you must support SCA.
- And crucially, if the customer's card issuer is also located in one of these countries, SCA must be attempted for all transactions, or a valid SCA exemption must be applied.
In order to meet these requirements, you must deploy EMV 3-D Secure (3DS).
What does this mean if I process Mail Order, Telephone Order transactions (MOTO)?
Mail Order, Telephone Order transactions (MOTO) lie outside the scope of PSD2 requirements for Strong Customer Authentication (SCA). This means you can safely process MOTO transactions without needing to concern yourself with the requirements above.
What does this mean if I process other Merchant Initiated Transactions (MIT) (e.g. Recurring)?
The initial customer-initiated transaction performed when the payment agreement is made (in an eCommerce environment) remains within the scope of PSD2 requirements for Strong Customer Authentication (SCA).
Subsequent Merchant-Initiated Transactions (MIT) (e.g. Recurring payments) must include the scheme reference data from the initial customer-initiated transaction. This data is returned in the response of the customer-initiated transaction. Click here to learn more.
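The following is an added example, not Trust Payments code, that turns the rules above (the two-independent-factors definition, the PSD2 merchant/issuer country test, the MOTO exclusion, and the requirement that subsequent MITs carry the initial transaction's scheme reference data) into a single decision function. The country set, the field names and the result labels are assumptions made for the example; the page's own country list is the authority.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Assumed, constructed subset of PSD2 (EU/EEA) countries used only for this
# example; the real list is the one published on this page.
PSD2_COUNTRIES = {"CY", "DE", "FR", "IE", "NL"}

FACTOR_CATEGORIES = {"knowledge", "possession", "inherence"}


def factors_meet_sca(factors: Set[str]) -> bool:
    """SCA needs elements from two *different* categories, so a PIN plus a
    password (both Knowledge) does not qualify, while card + PIN does."""
    return len(factors & FACTOR_CATEGORIES) >= 2


@dataclass
class Transaction:
    channel: str                 # "ECOM" or "MOTO"
    initiator: str               # "CIT" (customer) or "MIT" (merchant, e.g. recurring)
    merchant_country: str        # ISO 3166-1 alpha-2 code of the merchant
    issuer_country: str          # ISO 3166-1 alpha-2 code of the card issuer
    exemption: Optional[str] = None          # valid SCA exemption claimed, if any
    scheme_reference: Optional[str] = None   # reference returned by the initial CIT


def sca_decision(tx: Transaction) -> str:
    """Map one transaction onto the PSD2/SCA rules described on this page."""
    # MOTO lies outside the scope of PSD2's SCA requirement, whatever the countries.
    if tx.channel == "MOTO":
        return "OUT_OF_SCOPE_MOTO"
    # Subsequent merchant-initiated payments are not authenticated, but they must
    # carry the scheme reference data returned by the initial customer-initiated one.
    if tx.initiator == "MIT":
        if not tx.scheme_reference:
            return "REJECT_MISSING_SCHEME_REFERENCE"
        return "OUT_OF_SCOPE_MIT"
    # The mandate bites only when both merchant and issuer are in PSD2 countries.
    if tx.merchant_country not in PSD2_COUNTRIES:
        return "NOT_MANDATED_MERCHANT_OUTSIDE_PSD2"
    if tx.issuer_country not in PSD2_COUNTRIES:
        return "NOT_MANDATED_ISSUER_OUTSIDE_PSD2"
    # In scope: either a valid exemption is applied or SCA is attempted via EMV 3DS.
    if tx.exemption:
        return "EXEMPTION_APPLIED"
    return "ATTEMPT_SCA_3DS"
```

Whether a claimed exemption is actually valid is decided by the issuer and acquirer, so a real integration would validate the exemption code before relying on it.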
What is EMV 3-D Secure (3DS)?
EMV 3DS (3-D Secure) is a form of Strong Customer Authentication (SCA) supported by Trust Payments in order to meet the requirements defined under the PSD2 mandate.
It allows card issuers to provide an extra level of protection, by authenticating cardholders at the point of sale if requested by the card scheme or merchant (typically in situations where there is a greater perceived risk of fraud).
SCA can only be performed when the customer is present at the time of purchase. As a result, exclusions apply to Merchant-Initiated (MIT) and Mail Order, Telephone Order (MOTO) transactions, where the customer is not available to provide further information if step-up authentication (an SCA challenge) is requested.
If the customer is successfully authenticated as part of the EMV 3DS process and it is later determined that fraud has been committed, the card issuer will often take financial responsibility for the chargeback. This is subject to terms and conditions defined by the card schemes. Click here to learn more about the liability shift.
Thanks to the enhanced risk screening supported by the latest version 2 standard, many customers will not be interrupted during checkout to verify their identity; this is known as a "Frictionless" checkout.
Following the checks above, the card issuer may decide that a customer must be authenticated by supplementing the payment details they have entered (Possession) with either a PIN or password (Knowledge) or fingerprint / facial recognition (Inherence). These more stringent checkout experiences are referred to as "Step up" or "Challenge". Common examples of authentication methods are:
The authentication methods deployed during a challenge are determined by the card issuer and cannot be affected by the merchant.
There are certain checkout flows that require you to trigger step-up authentication manually.
Click here to learn more.
How do I ensure EMV 3DS is enabled for my integration?
List of PSD2-mandated countries
Republic of Cyprus