
Strong Customer Authentication (SCA) Compliance

Remember the Strong Customer Authentication (SCA) regulations? Based on everything that has happened in 2020, it’d be understandable if you didn’t. These regulations technically went into effect back in September of 2019 but the deadline was pushed and they are finally about to be enforced across Europe. 

If …

  1. your bank is based in the European Economic Area (EEA) and
  2. you have customers who are also located in the EEA and
  3. you are using an onsite payment processor such as Stripe, Braintree or Authorize.net CIM

… then your business’ ability to process payments will likely be affected when these regulations are enforced.

Read on for more information about the MemberMouse features (available in v2.3.0 and above) that allow you to comply with these regulations, as well as proactive and reactive steps to take to minimize your exposure to these changes.


What Is SCA & Why Should You Care?

If this is the first time you’re hearing about it, SCA stands for Strong Customer Authentication. 

It’s a new payment requirement that was introduced as a part of the European Union’s Revised Payment Services Directive (PSD2) on September 14th, 2019. Its goal is to provide consumers with an additional layer of protection for online payments and to minimize fraudulent payment attempts.

Important Note: Currently, SCA only applies to businesses and consumers within the European Economic Area which includes the EU member states as well as the UK, Iceland, Liechtenstein and Norway.

Here’s an excerpt from Stripe’s guide on SCA you may find helpful:

“Strong Customer Authentication (SCA) is a new European regulatory requirement to reduce fraud and make online payments more secure. To accept payments and meet SCA requirements, you need to build additional authentication into your checkout flow. SCA requires authentication to use at least two of the following three elements.”

Image Credit: Stripe

 

Although SCA went into effect on September 14th, 2019, poor compliance and confusion around implementation caused the European Banking Authority (EBA) to grant an extension to businesses before enforcing the new requirements.

That being said, the deadline for enforcement is right around the corner.

On October 16th, 2020, the EBA announced that SCA compliance will be fully enforced on December 31st, 2020 in the European Economic Area.

However, due to the COVID-19 pandemic, the UK regulator announced a revised enforcement date of September 14th, 2021. This same enforcement date also applies to Switzerland.

Despite these official dates, gradual enforcement of SCA requirements has already begun. According to Stripe, some banks have started to decline a portion of payments that aren’t SCA-ready.

To get all of the details regarding SCA and its enforcement, we recommend you review the following resources:


What does this mean for you?

If the bank account you use for your online business is based in the EEA and your customers are also based in Europe, you will need to comply with these new SCA security standards.

This excerpt from Braintree’s guide to SCA compliance clearly explains who will be impacted by this change:

“SCA will be required on card transactions in which both the merchant’s acquiring bank and the bank issuing the buyer’s debit or credit card are located within the European Economic Area (EEA). The affected countries/regions include: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom (including Gibraltar, Guernsey, Jersey, and the Isle of Man).”

TL;DR: If your business and customers are in Europe and the UK, SCA applies to you.


How SCA Impacts The Different Payment Providers

Stripe & Braintree

Stripe and Braintree will both be relying on 3D Secure 2.0 to provide authentication. 3D Secure typically adds an extra step after the checkout where the cardholder is prompted by their bank to provide additional information to complete a payment (such as a one-time code sent to their phone or fingerprint authentication through their mobile banking app).

In September 2019, MemberMouse added support for Stripe Elements and Braintree Hosted Fields, which are SCA-ready and use 3D Secure 2.0. As of January 2021, these are enabled by default in MemberMouse v2.4.0+.

PayPal

MemberMouse uses the PayPal hosted integration which means that your customers are automatically directed from your website to PayPal once they’re ready to pay. And since PayPal hosts the payment process, PayPal will augment their “Pay with PayPal” user flow to handle the new Strong Customer Authentication requirements. There will be no work required by merchants.

Authorize.net (CIM)

The Authorize.net payment solution is only available to businesses physically located in the United States or Canada. Currently, SCA regulations only apply to European businesses with European customers.

Because of this, Authorize.net falls outside of the scope of SCA regulations and has not been updated for compliance. Authorize.net is connected with another solution called Cybersource, which is their recommended payment service provider for European-based businesses. 

MemberMouse does not integrate with Cybersource. We will continue to support our Authorize.net integration as is. However, if you are based in the EEA and use Authorize.net (CIM), then our recommendation is that you evaluate other payment provider options such as Stripe.


What We've Done To Help You Prepare For SCA

 

In September of 2019, we released MemberMouse version 2.3.0 which includes support for Stripe Elements and Braintree Hosted Fields. These are SCA-ready and use 3D Secure 2.0.

For merchants located in the European Economic Area (EEA), activation of this feature will allow you to comply with the Strong Customer Authentication requirement of the Revised Payment Services Directive (PSD2).

When Stripe Elements or Braintree Hosted Fields are enabled, your customer may be asked to complete an extra step at checkout where they are prompted by their bank to provide additional information (such as a one-time code sent to their phone) before the payment will be processed.

Then, in October of 2019, we released MemberMouse version 2.3.1, which included enhancements to the styling for Stripe Elements checkout; functionality for the Braintree 3D Secure checkout; and a review of both of the SCA Payment Gateways to ensure PCI compliance is maintained in all situations.

These updates made it possible for you to be in compliance with SCA when it originally went into effect in September of 2019. 
