Understanding Strong Customer Authentication

On the 2nd of November 1988, an ambitious Cornell University student called Robert Morris released a computer worm into the internet. Why? Well, mostly because he wanted to see if it could be done (it could). But also because he wanted to attract the attention of the Massachusetts Institute of Technology (MIT) (he did). The result? The worm went rogue, it literally broke the internet, and Morris was arrested (although he later became a tenured professor at MIT).

This is one of the earliest forms of internet fraud since it exploited weak passwords. And, while he caused a lot of chaos, Morris’ escapade helped improve internet security by highlighting a critical vulnerability.

Ever since then, legislators have sought to strengthen the internet against fraud attacks. This is no mean feat. The rise of the volume of online transactions is matched by the increasing sophistication of fraud techniques. So to clamp down on fraud and make online shopping safer, the EU (supported by its major banks) created the Revised Payments Services Directive (PSD2). A central part of this is strong customer authentication (SCA). Learn more about SCA and how it fits into PSD2 in the video summary below.

So what does all this mean in practical terms? How does SCA impact your business and what action do you need to take and when? In this article we’ll walk you through everything you need to know about SCA; what it is, how it works, and how you can implement it correctly.

As the name suggests, SCA is a more robust means of authentication. Rather than simply relying on a single password (which Morris proved back in 1988 to be extremely fallible), SCA requires two forms of authentication. This can be two of three things: something you know (a password), something you own (a smartphone), and something you are (biometrics).

As is often the case, the roll-out of PSD2 legislation was easier in theory than practice. The requirements were officially introduced on September 14, 2019. But the European Banking Authority then extended this deadline to December 31, 2020 because banks weren’t ready. As of now, however, all EEA countries are enforcing PSD2 SCA requirements, although final implementation in the UK has been delayed to March 14, 2022.

If you only sell to customers based in the UK, you have until next March. But, if you accept payments from customers based in the EEA, you need to be ready now.

We know that SCA requires two separate forms of identification. For example, a combination of a fingerprint and a code sent to your smartphone:

But implementing SCA will also depend on payment methods. For credit and debit cards, for example, 3D Secure is the authentication method used. All major card schemes have their own version of 3D Secure although the most widely known are Mastercard SecureCode and Verified-by-Visa. Its latest iteration (3D Secure 2) provides a much better user experience.

Local payment methods and e-wallets will also need to be subjected to strong authentication. And it’s worth getting these right, especially if you’re looking to sell to customers in the EEA. For example, we see the following local payment methods converting well:

International e-wallets like Apple Pay and Google Pay™ also provide checkout flows that meet the new SCA requirements. For more details, visit our SCA documentation page. 

The PSD2 SCA regulations are for banks. Issuing banks that approve non-compliant transactions are violating the law in their home country. But, if you don’t support the right authentication methods on your side, these banks will start declining your payment approval requests and your authorisation rates will plummet.

With PSD2, there’s both a long story and a short story. The short story is that SCA is mandated for all online transactions across the EEA. Easy. But of course it’s not as simple as that and there are in fact, many exemptions and other transactions are simply out of scope.

Many exemptions and out of scope scenarios depend on the bank, scheme, and regulatory interpretation. You can find a list of all the exemptions in the official Regulatory technical standards on strong customer authentication and secure communication under PSD2.

With Adyen, you can either choose for our Authentication Engine to handle PSD2 SCA compliance for you, or you can manage it yourself.

With the Adyen Authentication Engine, we won’t trigger 3D Secure for out of scope transactions or exemptions. We'll also skip 3D Secure if the issuing bank doesn’t enforce 3D Secure.

If you want to manage PSD2 SCA compliance yourself, Adyen offers two options. You can either:

For more information on how to implement any of these options, check out our SCA compliance docs page.