InvoiceBerry and SCA Regulation – We Are Compliant!
Written by Leiann on December 07, 2020
SCA, or “Strong Customer Authentication”, is an online payment requirement introduced by the European Union (EU) under the revised Payment Services Directive (PSD2); the technical standards that define it took effect on September 14th, 2019. The requirement is expected to be fully enforced across the EEA by December 31st, 2020, giving organisations some time to comply – if they operate or have clients within the EU.
In order to support SCA regulation, you need to first determine if your business is impacted and then make all necessary changes to avoid declined payments.
Because InvoiceBerry is based in the United Kingdom and has payment integrations with Stripe, PayPal, Square and WePay, we were sure to follow the new authentication guidelines from the very beginning.
We take security and fraud prevention very seriously and want nothing to stand in the way of customers getting their invoices paid as quickly and easily as possible.
Now we want to help better inform your understanding of the regulation and its potential implications. So here goes!
What exactly is the SCA Regulation?
Strong Customer Authentication is a measure that was devised by the EU to improve online payment security. The aim is to reduce fraudulent activity by having customers go through additional verification steps when conducting online purchases.
In accordance with SCA regulation, the authentication process needs to use at least two of the three possible authentication methods. These 3 methods are:
For more in-depth information regarding the verification processes, read here.
If your business accepts cards and is based in the European Economic Area (EEA) or you create payments on behalf of connected accounts based in the EEA, SCA likely applies.
But use this handy SCA Decision Tree created by one of HSBC’s preferred suppliers for card processing in the UK, Global Payments, to figure out whether you need to worry about being SCA compliant.
SCA regulation is ultimately another measure to protect buyers and their card details from fraudsters. In most cases, when you pay for something online there will now be two authentication steps.
As usual, you may first be prompted to enter your CVV code. Then another popup might appear requiring you to input a code sent to your mobile banking app, or perhaps an SMS code. Note that under the EBA’s guidance the details printed on the card, including the CVV, do not count as one of the SCA factors, so it is that second step that actually satisfies SCA. Exactly what it looks like will depend on your bank and the context.
Regardless, for the sake of our InvoiceBerry integrations, we got ourselves ready so customers could rest assured that when they send an invoice to clients using our software, their payments can be received without issues.
InvoiceBerry’s commitment to SCA Compliance
The advantages of accepting card payments are undeniable. That’s why we’ve made it our mission to enable secure and convenient transactions.
As mentioned above, our online invoicing solution makes conducting business easier by implementing a number of payment methods customers can seamlessly integrate onto their invoices. In fact, this is what the InvoiceBerry payments page looks like:
The options are seemingly endless, right?! It’s a big point of pride providing customers with the option of having their InvoiceBerry invoices include safe payment processing options. Each link is unique to a specific invoice and takes the client paying it to a page where payment information can be entered.
When a bill is settled up, the payment from the payer’s bank card is authorized and the money is then placed directly into the InvoiceBerry user’s business account. Cha-ching!
Our Stripe, Square and PayPal payment integrations are all ready for SCA regulation. To demonstrate, we ran a test on Stripe so you could see what the second SCA authentication step might look like for a payer and here’s the test popup:
Rest assured, we’ve covered our bases and stand SCA-Ready to serve.
SCA Regulation Exemptions
It’s worth noting that there are also some exemptions that may not require authentication. The most popular examples include:
Payment providers are permitted to perform their own real-time risk analysis (“transaction risk analysis”) to determine whether SCA should be applied to each transaction; the euro amounts below are converted to local-currency equivalents where needed. This is only allowed if the payment provider’s or bank’s overall fraud rate for card payments does not exceed certain thresholds:
- 0.13% to exempt transactions below €100
- 0.06% to exempt transactions below €250
- 0.01% to exempt transactions below €500
If the payment provider’s fraud rate is below the threshold but the cardholder’s bank’s rate is above it, the bank is within its rights to decline the exemption and require customer authentication.
So in order to maximize your conversions, it really is in your business’ best interest to ensure SCA compliance.
Payments below €30
An exemption may be used for small payments that are considered “low value” in nature. However, the cardholder’s bank will be actively tracking the number of times an exemption has been used.
If the “payments below €30” exemption has been used five times since the cardholder’s last successful authentication, the bank is again mandated to request authentication. The same applies if the sum of previously exempted payments exceeds €100.
Subscription-based businesses can benefit from a separate exemption for fixed-amount recurring payments: it can apply whenever a customer makes a series of recurring payments for the same amount to the same business.
Nevertheless, SCA will be required for the customer’s first payment even if subsequent charges are exempted.
If your business relies on delayed payments, variable amount subscriptions, or bills customers for add-ons, then merchant initiated transaction exemptions could apply.
This type of stored-credential or credential-on-file transaction requires card authentication either when the card is saved or during the initial payment. You’ll need an agreement or mandate that the customer signs up to, giving consent to charge their card at a later point.
Even though payments made with already authenticated saved cards will likely fall outside the scope of SCA, the bank will have the final word on whether or not they require repeat authentication.
Card details collected over the phone fall outside the scope of SCA and do not require authentication. But this type of “Mail Order and Telephone Order” (MOTO) payment must be flagged as such when it is submitted.
The cardholder’s bank will then be the final decision maker on whether to accept or reject the transaction. So be sure to take note and follow up with your bank if your business happens to be one that accepts payments over the phone.
When it’s all said and done, it’s imperative that all transactions are flagged correctly so do everything in your power to enable this.
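To make the exemption rules above concrete, here is an added illustration (not InvoiceBerry’s, Stripe’s or any bank’s code) of the decision an issuing bank makes per transaction: the transaction-risk-analysis fraud-rate bands, the “below €30” counter and cumulative limit, the fixed-amount subscription exemption, merchant-initiated transactions under an authenticated mandate, and out-of-scope MOTO payments. Everything about its shape is assumed: the field names, the 0.2% default fraud rate (chosen to sit above every band), the reading that five exempt payments are allowed and the sixth triggers SCA, and the simulation that a required SCA always succeeds. The sequence of transactions at the bottom is constructed for the demo.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional

# Thresholds quoted in the post. Each entry: (maximum reference fraud rate,
# exclusive amount ceiling in EUR) for the transaction-risk-analysis (TRA)
# exemption, ordered by ceiling so the first matching band is the one that applies.
TRA_THRESHOLDS = [
    (Decimal("0.0013"), Decimal("100")),   # 0.13% -> payments below EUR 100
    (Decimal("0.0006"), Decimal("250")),   # 0.06% -> payments below EUR 250
    (Decimal("0.0001"), Decimal("500")),   # 0.01% -> payments below EUR 500
]
LOW_VALUE_LIMIT = Decimal("30")            # "payments below EUR 30"
LOW_VALUE_MAX_USES = 5                     # exempt payments allowed since last SCA
LOW_VALUE_MAX_TOTAL = Decimal("100")       # cumulative exempt amount since last SCA


@dataclass
class CardholderState:
    """Counters the issuing bank keeps per card since the last successful SCA."""
    low_value_uses: int = 0
    low_value_total: Decimal = Decimal("0")
    # Subscription or merchant-initiated mandates this card has authenticated for.
    authenticated_agreements: set = field(default_factory=set)

    def record_authentication(self, agreement_id: Optional[str] = None) -> None:
        """A successful SCA resets the low-value counters and vouches for a mandate."""
        self.low_value_uses = 0
        self.low_value_total = Decimal("0")
        if agreement_id is not None:
            self.authenticated_agreements.add(agreement_id)


@dataclass
class Transaction:
    amount_eur: Decimal
    channel: str = "ecommerce"             # "ecommerce" or "moto" (assumed field)
    initiator: str = "customer"            # "customer" or "merchant" (assumed field)
    agreement_id: Optional[str] = None     # fixed-amount subscription or MIT mandate
    # Hypothetical reference fraud rates; 0.2% default is above every TRA band.
    acquirer_fraud_rate: Decimal = Decimal("0.0020")
    issuer_fraud_rate: Decimal = Decimal("0.0020")


def decide(tx: Transaction, state: CardholderState) -> tuple:
    """Return (sca_required, reason) for one transaction without touching state."""
    if tx.channel == "moto":
        return False, "out of scope: MOTO"        # bank still decides accept/decline
    if tx.initiator == "merchant":
        if tx.agreement_id in state.authenticated_agreements:
            return False, "out of scope: merchant-initiated under authenticated mandate"
        return True, "SCA required: mandate not yet authenticated"
    if tx.agreement_id is not None:                # customer-initiated recurring charge
        if tx.agreement_id in state.authenticated_agreements:
            return False, "exempt: fixed-amount subscription"
        return True, "SCA required: first payment of subscription"
    if (tx.amount_eur < LOW_VALUE_LIMIT
            and state.low_value_uses < LOW_VALUE_MAX_USES
            and state.low_value_total + tx.amount_eur <= LOW_VALUE_MAX_TOTAL):
        return False, "exempt: low value"
    for max_rate, ceiling in TRA_THRESHOLDS:
        if tx.amount_eur < ceiling:
            # Both the payment provider and the cardholder's bank must be under the
            # rate for this band; otherwise the bank may decline the exemption.
            if tx.acquirer_fraud_rate <= max_rate and tx.issuer_fraud_rate <= max_rate:
                return False, f"exempt: TRA below EUR {ceiling}"
            break
    return True, "SCA required"


def process(tx: Transaction, state: CardholderState) -> str:
    """Apply the decision and update counters; a required SCA is assumed to succeed."""
    required, reason = decide(tx, state)
    if required:
        state.record_authentication(tx.agreement_id)
    elif reason == "exempt: low value":
        state.low_value_uses += 1
        state.low_value_total += tx.amount_eur
    return reason


def run_demo() -> list:
    """Constructed sequence of payments against one card; returns the reasons."""
    e = Decimal
    state = CardholderState()
    sequence = [Transaction(e("20")) for _ in range(6)] + [
        Transaction(e("80"), acquirer_fraud_rate=e("0.0006"), issuer_fraud_rate=e("0.0013")),
        Transaction(e("200"), acquirer_fraud_rate=e("0.0006"), issuer_fraud_rate=e("0.0013")),
        Transaction(e("600"), acquirer_fraud_rate=e("0.0001"), issuer_fraud_rate=e("0.0001")),
        Transaction(e("9.99"), agreement_id="sub-42"),
        Transaction(e("9.99"), agreement_id="sub-42"),
        Transaction(e("45"), initiator="merchant", agreement_id="mandate-7"),
        Transaction(e("45"), initiator="merchant", agreement_id="mandate-7"),
        Transaction(e("120"), channel="moto"),
    ]
    return [process(tx, state) for tx in sequence]


if __name__ == "__main__":
    for i, reason in enumerate(run_demo(), 1):
        print(f"{i:2d}: {reason}")
```

The ordering matters: out-of-scope cases (MOTO, merchant-initiated) are settled before any exemption is considered, the low-value exemption is tried before TRA, and TRA is tried band by band so a provider with a 0.01% fraud rate also qualifies for the smaller bands. In practice none of this runs on the merchant’s side; the point for a business is that every one of these outcomes depends on the transaction being flagged correctly (channel, initiator, mandate) when it is submitted.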
The future of SCA
It’s important to mention that there are many kinks still being worked out prior to full SCA implementation. The revised Payment Services Directive (PSD2) went into effect as planned, but enforcement of its SCA requirement was delayed because of the varied nature of the EEA region.
Barriers like language, government and smaller cultural differences prevent the realization of a simple cookie cutter strategy. It’s also hypothesized that additional payment authentication steps could introduce friction to customers’ online user experiences.
It’s a bit of a catch-22 because as a business you’ll want to provide a fully friction-free offering, but this would inevitably open your business and clients up for attack. On the other hand, if you create the most secure service in the world, the barrier to entry might be so high that customers shy away.
For the sake of greater risk reduction, SCA’s two-factor authentication will hopefully strike the right balance and become the accepted norm soon enough. Until then, we’re here if you have any questions or qualms.