SCA is now a requirement in the UK after FCA deadline passes: what does it mean for B2B payments?
Strong Customer Authentication (SCA) implementation is now officially a requirement in the UK. Designed as part of the Second Payment Services Directive (PSD2) to protect online payments and decrease card-not-present (CNP) fraud, it requires additional cardholder authentication at the point of sale.
Business success depends upon trust. Trust in relationships, trust in products and services, and of course, trust in payments. Cashflow is the lifeblood of every business and the secure and timely transfer of accurate funds is something every company needs to manage.
The requirement for SCA aims to provide extra layers of security for eCommerce transactions, boosting trust in digital transactions. The core requirement of SCA in authorising a payment is the need for buyers to provide at least two of the following three identifiers:
- Knowledge - something only the user knows, such as a PIN or password.
- Possession - something only the user possesses, such as a one-time password (OTP), usually sent by SMS to a pre-designated device.
- Inherence - something only the user is, such as fingerprints or other biometric identifiers.
SCA does not only apply to consumer-facing eCommerce transactions: UK businesses need to demonstrate compliance on all B2B eCommerce transactions in the European Economic Area (EEA), where both payer and payee are in the region.
Businesses must note that SCA applies to all online transactions unless they are out of scope or exempt.
Out of scope can apply to:
- MOTO (Mail Order / Telephone Order, but also includes email orders). This excludes payment link services that direct cardholders to a hosted payment page.
- One leg, i.e. if one party, either the issuer or acquirer, is located outside of the EEA/UK.
- Merchant Initiated Transactions (MIT) - variable, fixed and subscriptions are exempt (SCA only applies to the first recurring payment with subscriptions).
Exemptions can apply to:
- Low value transactions (under €30 or up to five consecutive transactions of up to €100 total).
- Recurring payments of the same amount to the same merchant (typically SCA will only apply to the first payment).
- Secure B2B, commercial payments. It can be difficult for some B2B buyers to authenticate themselves due to specific restrictions on company devices. Typically, B2B buyers are considered ‘trusted’, as the card replaces payment methods such as bank transfer on specific payment terms.
What businesses should do:
- Understand your processing environments.
- Understand the client / cardholder’s payment mechanism (type of card).
- Work with a robust platform that is future-proofed for new legislation.