Understanding Strong Customer Authentication
Strong Customer Authentication (SCA) is a European regulatory requirement under the Second Payment Services Directive (PSD2). The key objectives of SCA are to reduce fraud and make online payments more secure by introducing two-factor authentication on electronic payments.
This guide provides an overview of SCA and answers frequently asked questions about the feature.
- Recharge Checkout on Shopify
- Recharge Checkout on BigCommerce
Overview of SCA
Strong Customer Authentication (SCA) is the European Economic Area (EEA) regulatory directive that requires multi-factor authentication for online transactions to reduce fraud. For a transaction to be approved, customers must be authenticated with at least two of the following three elements:
- Knowledge – Something the customer knows (e.g., a password)
- Possession – Something the customer has (e.g., a phone)
- Inherence – Something the customer is (e.g., a fingerprint)
Who is impacted by SCA
SCA is required on card transactions where both the merchant’s bank (“acquiring bank”) and the bank issuing the customer’s card are located within the European Economic Area (EEA).
The countries located within the EEA are:
- Austria
- Belgium
- Bulgaria
- Croatia
- Republic of Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Iceland
- Ireland
- Italy
- Latvia
- Liechtenstein
- Lithuania
- Luxembourg
- Malta
- The Netherlands
- Norway
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
- The United Kingdom
SCA and your payment processor
Recharge has ensured that both checkout and recurring orders are compliant, requiring little to no effort from you. Depending on your payment processor, you may need to take additional action to ensure store compliance.
- Stripe – No action is required by merchants using Stripe to be SCA compliant with Recharge.
- Braintree – Recharge recommends that you email Braintree to determine if SCA impacts you. If impacted, contact Braintree requesting they enable 3D Secure 2 on your Braintree account. 3D Secure 2 is required to be SCA compliant.
- Authorize.net – Contact your Authorize.net representative for further details. In many cases, Recharge has already been in touch with merchants located in the EEA and using Authorize.net about next steps.
SCA and Recharge Payments
Checkout
Recharge has configured the checkout to handle SCA requirements.
If SCA verification is required for a checkout transaction, a modal will appear asking the customer to authenticate the payment. Once the customer completes the authentication, the charge will be processed.
Recurring charges
Recharge has configured recurring charges to handle SCA requirements.
It is expected that recurring charges will not require SCA verification because the transactions are identified as “merchant-initiated.” Merchant-initiated transactions fall outside the scope of SCA and do not require authentication.
In the event SCA verification is required for a recurring charge, an email notification is sent to the customer with a link to re-authenticate the payment. The customer can click the link, re-authenticate the payment, and their recurring charge will be processed.
Card updates
Recharge has configured the customer portal to handle SCA requirements.
In the event SCA verification is required when a customer is updating their card, a modal will appear and ask the customer to authenticate their card. After the customer authenticates their card, it is saved for future recurring charges.
API
You must implement SCA-compliant workflows in your application if your merchant account (or bank account) is located in the EEA and you:
- Sell to customers in the EEA
- Use the Recharge Checkout API or the Recharge Customer API to create customers with payment gateway tokens
Please consult your payment processor for the relevant documentation and whether it is required.
FAQ
Do I need to take any action to comply with SCA?
In most cases, merchants do not have to take any further action. If you use Braintree or Authorize.net, you should contact their support teams to inquire about any additional steps.
You may also choose to update the Payment re-authentication notification to match your store's style and branding.
In the event that you are using the Recharge Checkout API to process checkouts or the Recharge Customer API to create customers with payment gateway tokens, you may need to work with your payment processor to ensure that your workflows are SCA compliant.
When did SCA go into effect?
Enforcement of SCA began on September 14, 2019, with a final deadline of December 31, 2020.
Most national regulators in the EEA made public announcements to extend the timeline of enforcement beyond September 14, 2019, to allow more time for the banks and payment industry to become compliant.
Can I edit the modal window that appears when a card needs to be authenticated?
No, the modal is controlled by the bank and, for security purposes, cannot be modified.
Can I edit the notification that is sent out to customers who need to re-authenticate?
Yes. This notification can be edited by clicking Settings, selecting Notifications, and editing the Payment re-authentication notification.