For this article, we sat down with Rita Stankevičiūtė, Product Manager at ConnectPay, to discuss Strong Customer Authentication – what it is, what kinds of payments it applies to, and why B2C platforms should care about it to begin with.
Ever since the introduction of the Payment Services Directive 2 (PSD2) in 2015, certain types of payment have been subject to the Strong Customer Authentication (SCA) requirements it stipulates. This move was necessary to reduce fraud and make online, as well as contactless offline, payments more secure. Banks were obligated to decline all payments that fall under the SCA requirements but fail to meet their criteria.
So, what are those criteria? Basically, to be compliant, businesses must integrate at least two of the following three additional elements into their checkout flows: something the customer knows (e.g., a password or PIN), something the customer has (e.g., a mobile device or hardware token), and something the customer is (e.g., face or voice recognition).
These requirements apply to “customer-initiated” online and contactless offline payments (e.g., bank transfers and digital wallet or card payments) within the UK or Europe. Some payments are exempt, whether by a provision included in the regulation itself or by simply being out of its scope. These exemptions include:
- Low-risk transactions. The exemption applies if the payment provider’s fraud rates for card payments do not exceed certain prescribed thresholds.
- Payments below €30/£25. However, once the exemption has been used five times since the cardholder’s last successful authentication or if the sum of previously exempted payments exceeds €100/£85, banks are required to request authentication.
- Recurring payments. SCA applies for the customer’s first payment, while the subsequent ones are exempt, provided they’re all for the same amount and to the same business.
- Merchant-initiated transactions. Payments made with saved cards without the customer’s presence in the checkout flow are exempt from SCA. The card must first be authenticated when it’s being saved or on the first payment, and the customer must agree to their card being charged in this way.
- Phone sales. Sometimes also referred to as Mail Order or Telephone Orders, these are exempt because card details collected over the phone fall outside the SCA’s proper scope.
- Corporate payments. Payments made with corporate cards used for managing employee travel expenses and held directly with an online travel agent are exempt, as are corporate payments made using virtual card numbers.
- Trusted beneficiaries. In some cases, customers may have the option to allow a trusted business to skip authentication for all future purchases.
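The exemption rules above can be expressed as a small decision routine that an issuer or PSP would run per card. This is an added illustration, not ConnectPay's code; the counters, the `Payment` fields and the `CardState` structure are assumptions, and the thresholds are the figures the list gives (amounts in euro cents).

```python
from dataclasses import dataclass, field

LOW_VALUE_LIMIT_CENTS = 3000   # "payments below EUR 30" (RTS wording: does not exceed)
LOW_VALUE_MAX_COUNT = 5        # exempt payments allowed since the last successful SCA
LOW_VALUE_MAX_TOTAL_CENTS = 10000  # cumulative exempt amount may not exceed EUR 100

@dataclass
class CardState:
    """Per-card counters the issuer tracks since the last successful SCA (assumed layout)."""
    low_value_count: int = 0
    low_value_total_cents: int = 0
    trusted_payees: set = field(default_factory=set)   # whitelisted by the customer
    recurring: dict = field(default_factory=dict)      # payee -> agreed fixed amount

@dataclass
class Payment:
    amount_cents: int
    payee: str
    customer_present: bool = True     # False for merchant-initiated charges
    channel: str = "online"           # "online", "contactless" or "moto"
    mit_consent: bool = False         # card authenticated at save time and charging agreed
    acquirer_low_risk: bool = False   # PSP fraud rate under the prescribed threshold (TRA)

def decide(p: Payment, s: CardState) -> str:
    """Return 'out_of_scope', 'exempt' or 'sca_required', updating the low-value counters."""
    if p.channel == "moto":                      # phone / mail order: outside SCA scope
        return "out_of_scope"
    if not p.customer_present:                   # merchant-initiated transaction
        return "exempt" if p.mit_consent else "sca_required"
    if p.payee in s.trusted_payees or p.acquirer_low_risk:
        return "exempt"
    if s.recurring.get(p.payee) == p.amount_cents:  # same amount, same business
        return "exempt"
    if (p.amount_cents <= LOW_VALUE_LIMIT_CENTS
            and s.low_value_count < LOW_VALUE_MAX_COUNT
            and s.low_value_total_cents + p.amount_cents <= LOW_VALUE_MAX_TOTAL_CENTS):
        s.low_value_count += 1
        s.low_value_total_cents += p.amount_cents
        return "exempt"
    return "sca_required"

def record_sca_success(s: CardState, p: Payment, recurring: bool = False) -> None:
    """A successful authentication resets the low-value counters; for a recurring
    agreement it also fixes the amount that later payments may match to stay exempt."""
    s.low_value_count = 0
    s.low_value_total_cents = 0
    if recurring:
        s.recurring[p.payee] = p.amount_cents
```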
As you can see, these exemptions are inapplicable to most B2C companies, which means that your business would have to use its own resources to build the required digital infrastructure and implement the authentication features outlined above.
“This not only takes a good deal of time and money, but also requires businesses to take on multiple administrative burdens associated with highly sensitive legal matters. For instance, you would have to ensure secure storage of personal data, report to regulatory authorities, keep extensive logs and IP address lists, and perform other demanding, responsible tasks,” Rita said.
If your future plans include equipping your B2C platform with embedded financial services, it is best to put a Strong Customer Authentication (SCA) tool in place from the get-go. This way, you’ll be able to avoid needless complications later on.
A key benefit of using ConnectPay as your all-in-one financial service provider is that it offers an easy-to-implement SCA process and handles most of the back-end operations on behalf of its customers.
“The problem with addressing the SCA issue when your platform has been up and running for some time is the cumbersome nature of adding new layers of code to an existing system. Not only that, you would also have to engage new providers for the different authentication features, which obviously would increase complexity even further,” Rita explained.
To help platforms avoid getting into this tangle, ConnectPay uses One-Time Password SMS authentication, which doesn’t require downloading any extra apps and isn’t bound to any specific device. “It’s also a very safe solution because the message is valid for a limited time only and is strongly associated with a given payment. This means that a code issued to confirm a payment is valid for only 5 minutes, creating a limited time gap for unauthorized access. After that time the code becomes invalid and the customer would have to retry. But even this wouldn’t work, as the customer would simply enter the wrong code and would have to retry,” concluded Rita.
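The two properties Rita describes, a code that is bound to one payment and that expires after 5 minutes, come down to how the server stores and checks the code. The following is an added example of such a server-side store, not ConnectPay's implementation; the `PaymentOtpStore` class, the attempt limit and the keyed-hash storage are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 5 * 60   # the 5-minute validity quoted in the article
OTP_DIGITS = 6
MAX_ATTEMPTS = 3           # assumption: discard the code after a few wrong guesses

class PaymentOtpStore:
    """Issues one OTP per payment and accepts it once, for that payment, within the TTL."""

    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable for testing
        self._key = secrets.token_bytes(32)      # server-side key so stored hashes are not guessable
        self._pending = {}                       # payment_id -> [code_mac, expires_at, attempts_left]

    def issue(self, payment_id: str) -> str:
        """Generate a fresh code for this payment; a new code replaces any earlier one."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[payment_id] = [self._mac(payment_id, code),
                                     self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code   # handed to the SMS gateway; never written to logs

    def verify(self, payment_id: str, code: str) -> bool:
        entry = self._pending.get(payment_id)
        if entry is None:                        # no code for this payment, or already used
            return False
        if self._clock() > entry[1]:             # expired: customer must request a new one
            del self._pending[payment_id]
            return False
        if not hmac.compare_digest(entry[0], self._mac(payment_id, code)):
            entry[2] -= 1                        # wrong code: burn an attempt
            if entry[2] == 0:
                del self._pending[payment_id]
            return False
        del self._pending[payment_id]            # single use: a replayed code fails
        return True

    def _mac(self, payment_id: str, code: str) -> bytes:
        # The payment id is part of the MAC input, so a code issued for one payment
        # can never validate a different payment even if the lookup were bypassed.
        return hmac.new(self._key, f"{payment_id}:{code}".encode(), hashlib.sha256).digest()
```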
Don’t wait until problems start piling up and take your platform’s authentication system to the next level. If you’re unsure which type of authentication is best for your platform, or simply have questions for us, don’t hesitate to contact our friendly team and discover the way forward together.