SCA is now a requirement in the UK after FCA deadline passes: what does it mean for B2B payments?

Strong Customer Authentication (SCA) implementation is now officially a requirement in the UK. Designed as part of the Second Payment Services Directive (PSD2) to protect online payments and decrease card-not-present (CNP) fraud, it requires additional cardholder authentication at the point of sale.

Business success depends upon trust. Trust in relationships, trust in products and services, and of course, trust in payments. Cashflow is the lifeblood of every business and the secure and timely transfer of accurate funds is something every company needs to manage.

The requirement for SCA aims to provide extra layers of security for eCommerce transactions, boosting trust in digital transactions. The core requirement of SCA in authorising a payment is the need for buyers to provide at least two of the following three identifiers:

Knowledge - something only the user knows, such as a PIN or password.
Possession - something only the user possesses, such as one-time password (OTP), usually shared by SMS to a pre-designated device.
Inherence - something only the user is, such as fingerprints or other biometric identifiers.

These must be independent of one another, so that if one were compromised, it would not impact the credibility of the others.

SCA does not only apply to consumer-facing eCommerce transactions: UK businesses need to demonstrate compliance on all B2B eCommerce transactions in the European Economic Area (EEA), where both payer and payee are in the region.

Businesses must note that SCA applies to all online transactions unless they are out of scope or exempt.

Out of scope can apply to:

MOTO (Mail Order / Telephone Order, but also includes email orders). This excludes payment link services that direct cardholders to a hosted payment page.
One leg, i.e. if one party, either the issuer or acquirer, is located outside of the EEA/UK.
Merchant Initiated Transactions (MIT) - variable, fixed and subscriptions are exempt (SCA only applies to the first recurring payment with subscriptions).

Exemptions depend on the individual issuer’s preference as to whether SCA is applied, but can include:

Low value transactions (under €30 or up to five consecutive transactions of up to €100 total).
Recurring payments of the same amount to the same merchant (typically SCA will only apply to the first payment).
Secure B2B, commercial payments. It can be difficult for some B2B buyers to authenticate themselves due to specific restrictions on company devices. Typically, B2B buyers are considered ‘trusted’ as card replaces payment methods like bank transfer on specific payment terms.

Merchants of all sizes should consider the following when it comes to SCA:

Understand your processing environments.
Understand the client / cardholder’s payment mechanism (type of card).
Work with a robust platform that is future proofed for new legislations.

To find out more about SCA requirements and compliance, listen to our podcast – PaymentsCast, Episode 1: An introduction to SCA for B2B organisations – or get in touch.

Ready to get started?

Access the Adflex API and test drive our technology.

Start coding

Our experts are available to help reach your goals.

Talk to us

We use cookies to ensure you get the best experience on our website. By continuing to use this site, you consent to the use of cookies. For more information about our use of cookies, please read our Cookie Policy. Accept Cookies

SCA is now a requirement in the UK after FCA deadline passes: what does it mean for B2B payments?

Solutions

Developers

Company

Security