Alicia Fernández

All about Marketing, business development and fitness :)

Introducing Strong Customer Authentication (SCA) for E-commerce

What is SCA?

Strong Customer Authentication (SCA) is a new regulation taking effect on September 14, 2019 that requires merchants to use multiple methods of verifying customers’ identities. To help you comply with the new requirements — and make sure your sales don’t take an unnecessary hit — you can lay the groundwork now.

Starting in September, merchants accepting online payments will need to use two independent authentication methods to verify that a customer is who they say they are.

Authentication methods may be a password, Face ID, or a push notification.

What kinds of authentication are acceptable?

SCA allows for three different authentication methods — something the customer knows, something the customer has, and something the customer is. To succeed, a transaction has to use two of the three.

What does that mean in practice?

  • Asking for a piece of information only the customer knows, like their password or the answer to a security question.
  • Sending verifying information to something the customer controls, like a hardware token or a push notification sent to their phone.
  • Using a physical identifier unique to the customer, like a fingerprint or Face ID.

What do I need to do to prepare?

Adapt your payment gateways to use 3D Secure 2, an update to the 3D Secure system, as their main method of complying with SCA. During checkout, the payment gateway will prompt the customer to provide the additional authentication elements, and the order will only be completed once they do that successfully.

Some payment methods, like Apple Pay, already incorporate these elements and should be unaffected by SCA.


Does SCA apply to merchants outside of the European Economic Area?

Yes. SCA applies when the acquiring bank or processor is in the European Economic Area (EEA) and the customer’s payment instrument is issued in the EEA. The EEA includes all 27 European Union member states as well as Iceland, Liechtenstein, and Norway. The location of the merchant does not matter.

What happens on/after September 14, 2019?

If your online store’s payment gateway has an EEA presence and is not SCA-ready, EEA-issued payment methods are likely to be declined during checkout.

Are any transactions exempt?

Yes: Low-value transactions (below € 30) will usually not require SCA. However, SCA will be required after five exempt transactions or if the total amount spent by the customer exceeds € 100.

What about subscriptions?

SCA applies to subscriptions, too. After September 14, 2019, your customers will have to authenticate the first payment on their subscription. If there is a change in the subscription payment amount, they’ll also have to re-authenticate for subsequent renewals.

Expert help, at your service

Do you have an e-commerce store and need help with implementation? Drop us a line and we will gladly advise you. Of course, our e-commerce solutions include Strong Customer Authentication (SCA) out of the box.
