Are your clients preparing for an extra layer of authentication for online payments?
In September, Strong Customer Authentication (or SCA) will have significant implications on how all businesses handle online transactions in the European Economic Area (EEA), where both payer and payee are in the region.
SCA, part of the PSD2 changes, requires an extra layer of authentication for online payments. It requires the use of two independent sources of validation by selecting a combination of two out of the three categories (two-factor authentication):
something you know (e.g. PIN)
something you have (e.g. card/phone)
something you are (e.g. fingerprint).
Many businesses will need to consider how they operate and advisers will need to consider how the change could impact their clients. The good news is that a number of exemptions exist, as outlined in this useful summary.
These exemptions includes that ‘when the transaction is initiated by a legal person (e.g. a business) rather than a consumer, and it is processed through a secured dedicated payment protocol, the Commission is satisfied that it does not require separate authentication, provided alternative controls are sufficiently secure.’
Certain transactions are also exempted, such as recurring payments and purchases under €30. But even some of the low-value transactions may be challenged, for example if the combined value of several unchallenged transactions goes above €100. Businesses may also need to consider if they should point out to customers that they can ‘whitelist’ businesses with their card issuer. This will mean that they would not need to authenticate themselves for future purchases.
However, much depends on how card providers set up their systems and the options available.
We will provide further updates over the coming months.