Strong Customer Authentication (SCA) standards were introduced under EU law in 2021, aimed to protect customers as they access their accounts online or use their cards to shop online. As part of the ongoing rollout of Strong Customer Authentication (SCA), higher security standards will come into effect for certain card payments from Tuesday 8th March 2022. These payments are mainly recurring card payments such as subscription payments or transactions where the cardholders’ details are retained for future use.
From Tuesday 8th March, service providers or online retailers (also known as ‘merchants’) must process these payments in line with the security standards, otherwise some customers card transactions will be declined. In the coming weeks, card holders may receive notifications from merchants regarding transactions that are impacted. It is essential that cardholders follow the instructions provided by their merchant to avoid any interruption and to ensure continuity of service.
Cardholders who encounter any issues are advised to contact their merchant directly for further information to resolve the issue, as the payment agreement is between a cardholder and the merchant.
Throughout the implementation of these security standards, the wider eCommerce community including banks and payments service providers have continued to work with and support online merchants to ensure a smooth transition and to prevent any disruption to their business and customers.
Merchants should contact their Acquirer for further information on the above changes.
SCA for Online Shopping
Since 1st January 2021, under a European law known as the second Payment Services Directive or PSD2, there are changes to how you shop online.
These changes relate to the implementation of Strong Customer Authentication, also referred to as SCA. This means that you need to carry out an additional security step before you complete your online shopping.
These changes are being made right across the European Union and are designed to provide better protection for you, help reduce fraud and make shopping online even more secure.
How this is done depends on your bank and it is important that you read the information received from your bank and take any actions required to ensure you can continue to shop online If you are a retailer who has an online presence and you need support to implement SCA, contact your acquirer/gateway provider or your card scheme who will be happy to assist.
What is PSD2?
The second Payment Services Directive or PSD2 is a European law which came into full force on 14th September 2019 and which will make it more secure for you to make electronic payments when shopping online or using online banking services.
PSD2 aims to make payments safer, increase consumer protection and continue to foster innovation and competition while maintaining a level playing field for all parties.
While some elements of the PSD2 legislation have applied from 13th January 2018, the full rollout from September will result in changes to how you use digital payments channels and shop online by introducing added security rules referred as Strong Customer Authentication (SCA).
Each bank will communicate directly with their customers to explain how SCA will work for their accounts.
The legislation also allows for the secure provision of new services by Third Party Providers (TPPs), which is referred to as Open Banking.
Strong Customer Authentication (SCA)
What is SCA?
The principle of SCA is to increase security for electronic payments through the introduction of two factor authentication protocols. This is a security process in which you may be asked to verify your identity in two different ways such as with a password or a fingerprint . SCA will be used when accessing online payment accounts or shopping online. Customer authentication is in use today however with PSD2 it is likely to be used more frequently to provide enhanced security.
How is SCA applied?
Your identity will be authenticated using at least two of the following factors, each of which are independent of each other:
- Knowledge – something only you know e.g., password or PIN
- Possession – something only you have e.g. a card or mobile phone
- Inherence – something you are e.g. a fingerprint or voice recognition
Does strong customer authentication always apply?
PSD2 allows for the application of exemptions in some circumstances, however your bank may still choose to apply strong customer authentication if they believe the transaction requires it.
Under PSD2 the following exemptions may apply:
- Low value remote (online and mobile) transactions up to €30
Except: When a cumulative value of €100 is reached. Or when 5 payments of up to €30 have been made
- Contactless card payments up to €30
Except: When a cumulative value of €150 is reached. Or when 5 contactless payments of up to €30 have been made
- At unattended payment terminals for transport fares and parking fees
- Payments to trusted beneficiaries that you have set up through your bank
- Corporate initiated payments subject to Central Bank of Ireland security approval
- Accessing some account information – like account balance or 90 days’ worth of transactions
What is Open Banking?
Open Banking allows customers use the services of regulated Third Party Providers to provide the following:
- Payment Initiation Services
When buying goods or services online from a retailer you will be offered the option to pay directly from your bank account, using an authorised TPP, as an alternative to inputting your debit or credit card details. TPPs who offer this service are known as a Payment Initiation Service Provider – PISP
- Account Information Services
This allows you to use the services of an authorised TPP to help you manage your accounts in a better and more informed manner. TPPs who offer this service are known as an Account Information Service Provider – AISP.
If you choose to use these services, you must provide explicit consent to the TPP to do so.
You choose the services that a TPP can provide, and you can always choose to revoke consent at any time.
Therefore, you are always in control.
All TPPs are regulated by the Central Bank of Ireland or by the National Competent Authority of their home European Union state. Therefore, these TPPs are subject to strict security and data protection laws, similar to your bank. Your bank will check the TPP is regulated before they grant access to the TPP.
In addition, you can request information from the TPP, confirming they are a regulated entity, before you give consent.