Strong Customer Authentication

What internet businesses need to know about SCA

Last updated on November 15, 2018

Summary

On September 14, 2019, a new regulation for authentication will be introduced in Europe. Known as Strong Customer Authentication (SCA), this regulation will apply to online payments within the European Economic Area (EEA) where the cardholder’s bank and the business’s payment provider are both in the EEA. Some businesses outside of Europe may also be impacted depending on how European issuers implement the new authentication rules.

SCA requires that businesses use two independent authentication elements to verify payments. Transactions that don’t meet these new authentication requirements or qualify for any exemption may be declined starting September 14, 2019. 3D Secure 2—the new version of 3D Secure rolling out in 2019—will be the primary authentication method used to meet SCA requirements for card payments.

Stripe is building solutions to make it easy for you to comply with the new regulation and minimize the impact on conversion. We have released a beta of a new SCA-ready API, PaymentIntents, which lets you dynamically apply 3D Secure whenever it is required or there is a high risk of fraud. PaymentIntents will provide support for 3D Secure 2 automatically in early 2019. As soon as SCA requirements go into effect, PaymentIntents will dynamically trigger 3D Secure 2 when required and apply exemptions to SCA requirements when possible.

The API is currently in beta; you can find out more about it here. Over the coming months, we’ll be expanding the API’s functionality and releasing additional updates to other Stripe products to help you prepare for SCA.

Introduction

Combating fraud is a challenge for businesses of all sizes. In a fraud study we ran, we found that fraud that is not properly addressed can cost up to 3% of a business’s annual revenue.

While there are many ways for businesses to fight fraud—from using machine learning to predict and prevent fraud, to manually reviewing payments—one particularly effective method is to use authentication. Authentication involves verifying a customer’s identity before accepting an online payment. It can be single-factor (such as a password), two-factor (such as a one-time authentication code, along with a password), or multi-factor.

Currently, the most common way of authenticating a card payment relies on 3D Secure 1—an authentication standard supported by most major card networks. It’s often better known by its branded names, such as “Verified by Visa” or “Mastercard SecureCode”. Applying 3D Secure often means that you’re redirecting your customers away from your website or app and onto an external page where they’ll be asked by their bank to provide additional information to complete a payment. Although the additional steps required to complete 3D Secure add friction to your checkout experience, they also drastically reduce the likelihood of fraud. In fact, if a payment is successfully authenticated using 3D Secure, the liability for a dispute due to fraud will shift from your business to the cardholder’s bank.

In order to stop the rise of fraud, the European Union is introducing new regulation that will require European businesses to implement even stricter authentication flows into their payment experience. Known as Strong Customer Authentication (SCA), this regulation is part of a broader European payments law, the second Payment Services Directive (PSD2).

What is Strong Customer Authentication?

Strong Customer Authentication is a new mandatory requirement for authenticating online payments that will be introduced in Europe on September 14, 2019. It will require payments to be authenticated using at least two of the following three elements:

[Figure: the three SCA elements: something the customer knows, something the customer has, and something the customer is]
  1. Something that only the customer knows

    For example, a password, PIN, or response to a security question that is known only to the customer. Card data, such as the card number, CVV, or expiration date, is not considered a valid knowledge factor by the European Banking Authority or by regulators in Germany (BaFin) and France (Banque de France).

  2. Something that only the customer has or possesses

    For example, a hardware token, mobile phone, or other device that is in the customer’s possession.

  3. Something that the customer is

    For example, a biometric such as a fingerprint, facial recognition, or iris scan. Detection of unique behavioral patterns, such as keystroke analysis, will also qualify as a valid biometric (although this technology currently has low adoption among European banks).

Starting September 14, 2019, unauthenticated payments that require SCA will need to be declined by the customer’s bank. These payments will then have to be re-submitted to the customer with a request for Strong Customer Authentication. (If you would like to read the full SCA requirements, they are set out in the Regulatory Technical Standards or RTS.)
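The "two of three elements" rule above is easy to get wrong in an integration: two pieces of evidence from the same category (a password plus a PIN) are still one factor, and card details count for nothing. The following check is an added example written for this guide, not Stripe's code or part of the PaymentIntents API; the evidence type names and the mapping from each to a category are this example's own assumptions.

```python
from enum import Enum
from typing import Iterable, Set


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the customer knows
    POSSESSION = "possession"  # something only the customer has
    INHERENCE = "inherence"    # something the customer is


# Evidence types and the SCA category each belongs to.
# The labels below are assumptions made for this example.
EVIDENCE = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "hardware_token": Category.POSSESSION,
    "registered_phone": Category.POSSESSION,  # code or push bound to the customer's device
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
    "iris": Category.INHERENCE,
    "keystroke_dynamics": Category.INHERENCE,
}

# Card details are not a knowledge factor (per the EBA, BaFin and Banque de France).
NOT_A_FACTOR = {"card_number", "cvv", "expiration_date"}


def categories_present(evidence: Iterable[str]) -> Set[Category]:
    """Map the presented evidence to the distinct SCA categories it covers."""
    found: Set[Category] = set()
    for item in evidence:
        if item in NOT_A_FACTOR:
            continue  # contributes nothing towards SCA
        if item not in EVIDENCE:
            raise ValueError(f"unknown evidence type: {item}")
        found.add(EVIDENCE[item])
    return found


def meets_sca(evidence: Iterable[str]) -> bool:
    """SCA needs at least two *different* categories, not just two items."""
    return len(categories_present(evidence)) >= 2


if __name__ == "__main__":
    for sample in (["password", "registered_phone"],
                   ["password", "pin"],
                   ["card_number", "cvv", "registered_phone"],
                   ["fingerprint", "hardware_token"]):
        print(sample, "->", "SCA met" if meets_sca(sample) else "SCA NOT met")
```

The check deliberately ignores card data rather than rejecting the whole request, so a flow that collects card details plus a password and a device-bound code still passes, while one that relies on card details plus a single password does not.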

3D Secure 2—the new version of the 3D Secure authentication standard rolling out in 2019—will be the main method for authenticating card payments and meeting these requirements.

Payment methods such as Apple Pay, iDEAL or Bancontact already use an additional layer of authentication (e.g. biometrics or passwords). We are working directly with the providers of these payment methods and others to confirm that they will meet the SCA guidelines and whether the user experience will change to ensure compliance with the requirements.

Note: Full operational details on how SCA will be implemented and enforced by the payments industry are still being worked out, so this guide covers the current state and information available as of November 2018. Sign up to stay informed on regulatory and product updates.

Will all payments require Strong Customer Authentication?

Strong Customer Authentication will apply to customer-initiated online payments within Europe. Most card payments and all credit transfers will require Strong Customer Authentication. Recurring direct debits are considered merchant-initiated and will not require SCA.

A card payment will be in scope of the regulation if the cardholder’s bank and the business’s payment provider are both located in the European Economic Area (EEA). In the case of Stripe, we provide regulated services in the EU through our UK entity, which is part of the EEA. Although not legally within scope of the regulation, we expect a minority of European issuers to require SCA for all payments with their cards regardless of where the business is based. We are working with card issuers and networks to understand the impact for non-European businesses who serve European customers.

Exemptions to Strong Customer Authentication

Under this new regulation, specific types of payments may be exempted from having to apply Strong Customer Authentication. Payment providers like Stripe will be able to request these exemptions on your behalf when processing the payment. The cardholder’s bank will then make a decision on whether to grant or reject the request for exemption.

The most relevant exemptions to internet businesses are:

  1. Transactions below €30

    A payment will be considered a “low value transaction” and be exempted if it’s below €30. However, SCA will be required if the card or payment method has seen more than five exempt transactions or the sum of these exempted transactions exceeds €100. The cardholder’s bank or payment method provider will be responsible for tracking the number of times a payment method has been used and deciding whether the exemption can still be used.

  2. Low-risk transactions

    A payment provider (like Stripe) will be allowed to do a real-time risk analysis to determine whether to apply SCA to a transaction. This is only possible if the payment provider’s fraud rates do not exceed the following thresholds for card payments:

    • 0.13% for transactions up to €100
    • 0.06% for transactions up to €250
    • 0.01% for transactions up to €500

    In analyzing risk, payment providers will have to assess factors including abnormal behavior or spending, previous purchase patterns, and location of customer and business. (Stripe Radar already uses machine learning to automatically perform similar assessments and prevent fraud).

    The European Banking Authority (EBA) requires the fraud rate to be assessed at the payment provider level, as it cannot be assessed on an individual basis for a specific merchant.

  3. Subscriptions

    This exemption will apply when the customer makes a series of recurring payments for the same amount to the same business. SCA will be required for the customer’s first payment to the business, but not for subsequent payments.

    While subscription payments are often periodic and directed to the same business, an increasing number of companies charge variable amounts (also known as metered billing). Unless regulatory authorities agree to categorize those transactions as merchant-initiated transactions, these types of payments would not be covered by this exemption.

  4. Whitelisted trusted beneficiaries

    Customers may have the option to whitelist businesses they trust. These businesses will be included on a list of “trusted beneficiaries” maintained by the customer’s bank. SCA will be required for the customer’s first payment to the business, but not for subsequent payments. SCA will also be required when the customer creates, confirms, or amends the whitelist.

    There are no limitations in terms of the transaction amount, number of transactions, or period since SCA was last performed, and whitelisting applies to both card payments and credit transfers.

    While whitelisting has the potential to make repeat purchases or subscriptions more convenient for customers, adoption of this feature across issuing banks has been slow. We expect that it will not be broadly implemented by card issuers by September 2019, but will support this exemption for our users when available.

  5. Secure corporate payments

    This exemption covers payments that are made with “lodged” cards (e.g., where a corporate card used for managing employee travel expenses is held directly with an online travel agent), as well as corporate payments made using virtual card numbers (which are also used in the travel sector). Regulation only allows the cardholder’s bank to request this exemption as neither the business nor the payment provider are able to detect whether a card belongs to these categories.
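To see how the first four exemptions interact, here is an added example (written for this guide; not Stripe's code and not how PaymentIntents decides) that models which exemption a payment provider could request for a given card payment. Amounts are in euro cents. The per-card counters, the recurring-series record and the trusted-beneficiary list are kept by the issuer in reality and are modelled locally here as an assumption, as is the order in which exemptions are tried; the secure-corporate-payment exemption is omitted because only the cardholder's bank can request it.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Limits quoted in the guide, in euro cents and as fraud-rate fractions.
LOW_VALUE_LIMIT = 3000        # strictly below this a payment is "low value"
LOW_VALUE_MAX_COUNT = 5       # exempt payments allowed since the last SCA
LOW_VALUE_MAX_SUM = 10000     # cumulative value of those exempt payments
# Transaction-risk-analysis bands: (amount ceiling, max provider fraud rate)
TRA_BANDS = [(10000, 0.0013), (25000, 0.0006), (50000, 0.0001)]


@dataclass
class CardState:
    """State the issuer tracks per card; modelled locally here (assumption)."""
    exempt_count: int = 0                                    # low-value payments since last SCA
    exempt_sum: int = 0                                      # their cumulative amount
    recurring: Dict[str, int] = field(default_factory=dict)  # business -> authenticated fixed amount
    trusted: Set[str] = field(default_factory=set)           # whitelisted businesses


@dataclass
class Payment:
    amount: int
    business: str
    recurring: bool = False   # part of a series of payments to the same business


def trusted_beneficiary(p: Payment, s: CardState) -> bool:
    # No amount, count or time limits once the business is whitelisted.
    return p.business in s.trusted


def recurring_exempt(p: Payment, s: CardState) -> bool:
    # Only a series of the *same amount* is covered; metered billing is not.
    return p.recurring and s.recurring.get(p.business) == p.amount


def low_value_exempt(p: Payment, s: CardState) -> bool:
    # Reading of the guide's limits used here: at most five exempt payments
    # since the last SCA, and their total (including this one) at most EUR 100.
    return (p.amount < LOW_VALUE_LIMIT
            and s.exempt_count + 1 <= LOW_VALUE_MAX_COUNT
            and s.exempt_sum + p.amount <= LOW_VALUE_MAX_SUM)


def tra_exempt(p: Payment, provider_fraud_rate: float) -> bool:
    # The provider's overall fraud rate must be within the band for this amount;
    # above EUR 500 no low-risk exemption exists.
    for ceiling, max_rate in TRA_BANDS:
        if p.amount <= ceiling:
            return provider_fraud_rate <= max_rate
    return False


def decide(p: Payment, s: CardState, provider_fraud_rate: float) -> str:
    """Name the exemption to request, or 'sca_required'. The issuer still decides."""
    if trusted_beneficiary(p, s):
        return "trusted_beneficiary"
    if recurring_exempt(p, s):
        return "recurring"
    if tra_exempt(p, provider_fraud_rate):
        return "low_risk"          # preferred over low value: does not consume counters
    if low_value_exempt(p, s):
        return "low_value"
    return "sca_required"


def record_outcome(p: Payment, s: CardState, decision: str) -> None:
    """Update the modelled issuer counters once the payment has completed."""
    if decision == "low_value":
        s.exempt_count += 1
        s.exempt_sum += p.amount
    elif decision == "sca_required":
        # SCA was performed: counters reset, and a fixed-amount series is anchored.
        s.exempt_count = 0
        s.exempt_sum = 0
        if p.recurring:
            s.recurring[p.business] = p.amount


if __name__ == "__main__":
    # Constructed scenario: a provider above every TRA threshold, EUR 20 purchases.
    card = CardState()
    for i in range(1, 8):
        payment = Payment(2000, "coffee-shop")
        outcome = decide(payment, card, provider_fraud_rate=0.005)
        record_outcome(payment, card, outcome)
        print(f"payment {i}: {outcome}")
```

Running the scenario at the bottom shows five low-value payments, then an SCA challenge on the sixth, after which the counters start again. Note that `decide` only says what could be requested; in production the cardholder's bank accepts or rejects the request, and a rejected exemption means the payment must be re-submitted with authentication.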

How Stripe helps you prepare for Strong Customer Authentication

We are building solutions to help you navigate this complex regulation and offer better authentication experiences to your customers. We have released a beta of a new SCA-ready API—PaymentIntents, which lets you dynamically apply 3D Secure whenever it is required or there is high fraud risk. We will seamlessly add support for 3D Secure 2 on PaymentIntents before the progressive rollout among card issuers in April 2019. The upgrade from 3D Secure 1 to 3D Secure 2 on this API will be automatic and won’t require any changes to existing PaymentIntents integrations.

As soon as SCA requirements go into effect, PaymentIntents will dynamically trigger 3D Secure 2 when required and apply exemptions to SCA when possible. The API is currently in beta; you can find out more about it here.

Over the coming months, we’ll be adding support for non-card payments on PaymentIntents and releasing additional updates to other Stripe products like Stripe Billing and Checkout to help you prepare for Strong Customer Authentication.

If you have any questions or feedback, please let us know!
