New European regulation that internet businesses need to know about
On 14 September 2019, new requirements for authenticating online payments will be introduced in Europe as part of the second Payment Services Directive (PSD2).
What is Strong Customer Authentication?
Strong Customer Authentication (SCA) is a new European regulatory requirement to reduce fraud and make online payments more secure. To accept payments once SCA goes into effect, you will need to build additional authentication into your checkout flow. SCA requires authentication to use at least two of the following three elements.
Banks will need to start declining payments that require SCA and don’t meet these criteria. Although we anticipate gradual enforcement of SCA, we expect the first banks to start declining payments without two-factor authentication on 14 September. (If you would like to read the original SCA requirements, they are set out in the Regulatory Technical Standards, or RTS.)
When is Strong Customer Authentication required?
Strong Customer Authentication will apply to “customer-initiated” online payments within Europe. As a result, most card payments and all bank transfers will require SCA. Recurring direct debits, on the other hand, are considered “merchant-initiated” and will not require strong authentication. With the exception of contactless payments, in-person card payments are also not impacted by the new regulation.
For online card payments, these requirements will apply to transactions where both the business and the cardholder’s bank are located in the European Economic Area (EEA). (We expect SCA regulation to be enforced in the UK, regardless of the outcome of Brexit.)