
Strong Customer Authentication: What is it and how does it affect you?

By Matt / August 20th, 2019


As data breaches and online fraud continue to plague enterprises - despite more money and time going into strengthening security - it is increasingly important for businesses to provide more secure and more innovative payment methods. To help them achieve this, many online payments will soon need to be verified by Strong Customer Authentication (SCA).

What is strong customer authentication?
Strong Customer Authentication (SCA) is a new European requirement that comes into effect beginning 14 September 2019 as part of the Payment Services Directive 2 (PSD2). It was created to enhance the security of online payments and reduce fraud, and it requires businesses that provide online transactions to build additional authentication into their checkout flow.

Essentially, Strong Customer Authentication mandates that, rather than relying on the traditional method of entering a password, as has been common under 3D Secure for many years, customers will now need to provide a second factor of authentication that verifies their identity.

Providing Strong Customer Authentication
The goal is for businesses and banks to be as confident as possible that the person purporting to be the card holder is actually the card holder. SCA aims to provide this by asking customers to provide two of the following three factors of authentication with every payment:
  • Knowledge: Something only the customer knows, such as a password or PIN
  • Possession: Something only the customer possesses, such as a mobile device or hardware token
  • Inherence: Something only the customer is, such as a fingerprint, iris or facial recognition
Most commonly this will take the form of requiring the card holder to enter a 6-digit code that is texted to the card holder by the issuing bank and will fall under the Possession

When will Strong Customer Authentication be required?
SCA will apply to 'customer-initiated' online payments throughout Europe, which means most card payments and all bank transfers will require it. Recurring direct debits are considered 'merchant-initiated', so will not require SCA, and neither will in-person card payments.

As of 14 September 2019, banks will start rolling out PSD2. However, the rollout will be a gradual process, so don't expect payments to suddenly be affected overnight. Many banks have suggested the full rollout of SCA will take as long as 18 months to complete.

How to be ready for Strong Customer Authentication
With WHMCS, the following payment gateways all support 3D Secure, and many of the transactions you process today will already be performing 3D Secure using the SCA method of sending a verification code to the end user via SMS.

SagePay, WorldPay, PayPal Payments Pro, PayFlow Pro and Optimal Payments

If you use Stripe, you will need to ensure you are running WHMCS 7.8 or later in order to benefit from the integration updates that enable 3D Secure during checkout. In addition to providing 3D Secure support with SCA, the latest updates to Stripe include support for 3D Secure V2, which aims to provide a better customer experience during the checkout process.

To find out more about the upcoming SCA changes and how they affect your specific gateway provider, we recommend contacting your payment gateway support team.

We hope you found this post useful, and if you have any further questions, we invite you to ask them in the comments below.
