Strong Customer Authentication - SCA

Overview

On September 14, 2019, new requirements for authenticating online payments were introduced in Europe as part of the second Payment Services Directive (PSD2).

In this guide, we’ll take a closer look at these new requirements known as Strong Customer Authentication (SCA) and how it will impact merchants using Taxamo’s Checkout page. Finally, we’ll cover the exemptions that can be used for low-risk transactions to offer a frictionless checkout experience.

Exemptions to Strong Customer Authentication

Under this new regulation, specific types of low-risk payments may be exempted from Strong Customer Authentication.

Payment providers like Stripe, PayPal and Braintree will be able to request these exemptions when processing the payment. The cardholder’s bank will then receive the request, assess the risk level of the transaction, and ultimately decide whether to approve the exemption or whether authentication is still necessary.

The most relevant exemptions for internet businesses are:

Low-risk transactions

A payment provider will be allowed to do a real-time risk analysis to determine whether to apply SCA to a transaction. This may only be possible if the payment provider’s or bank’s overall fraud rates for card payments do not exceed the following thresholds:

0.13% to exempt transactions below €100
0.06% to exempt transactions below €250
0.01% to exempt transactions below €500

These thresholds will be converted to local equivalent amounts where relevant.
In cases, where only the payment provider’s fraud rate is below the threshold, but the cardholder’s bank is above it, it is expected that the bank to decline the exemption and require authentication.

Payments below €30

This is another exemption that can be used for payments of a low amount. Transactions below €30 will be considered “low value” and may be exempted from SCA. Banks will, however, need to request authentication if the exemption has been used five times since the cardholder’s last successful authentication or if the sum of previously exempted payments exceeds €100. The cardholder’s bank will need to track the number of times this exemption has been used and decide whether authentication is necessary.

Fixed-amount subscriptions

This exemption can apply when the customer makes a series of recurring payments for the same amount, to the same business. SCA will be required for the customer’s first payment—subsequent charges, however, may be exempted from SCA.

Merchant-initiated transactions (including variable subscriptions)

Payments made with saved cards when the customer is not present in the checkout flow may qualify as merchant-initiated transactions. These payments technically fall outside the scope of SCA. In practice, marking a payment as a “merchant-initiated transaction” will be similar to requesting an exemption. And like any other exemption, it will still be up to the bank to decide whether authentication is needed for the transaction.

To use merchant-initiated transactions, you will need to authenticate the card either when it’s being saved or on the first payment. Finally, you will need to get an agreement from the customer (also referred to as a “mandate”), in order to charge their card at a later point.

When is Strong Customer Authentication required?

Strong Customer Authentication will apply to “customer-initiated” online payments within Europe. As a result, most card payments and all bank transfers will require SCA. Recurring direct debits, on the other hand, are considered “merchant-initiated” and will not require strong authentication. With the exception of contactless payments, in-person card payments are also not impacted by the new regulation.

For online card payments, these requirements will apply to transactions where both the business and the cardholder’s bank are located in the European Economic Area (EEA). (It is expected that SCA regulation to be enforced in the UK, regardless of the outcome of Brexit.)

Using the Taxamo Checkout form

Stripe

Taxamo’s Checkout Form is using the newest Stripe API that provides support for the SCA requirements. If you use the Taxamo Checkout Form with Stripe you will be PSD2 ready, and for most merchants, there should be no further development needed.

When authentication is required Taxamo will redirect to the customer’s bank page for authentication, after which the customer will return to the Taxamo Checkout Form.

Please see the following link to the Stripe documentation for more on SCA: https://stripe.com/gb/payments/strong-customer-authentication

Please see the below instructions on how to enable SCA for the Taxamo Checkout form when Stripe is Payment Service Provider

V1 - Stripe
(Your Taxamo dashboard login page will be blue)
We have a new setting in your Taxamo account to turn on SCA for your Taxamo Checkout, This setting can be found by logging into the Taxamo dashboard, going to My account > Taxamo Checkout, and the setting is called Strong Customer Authentication
Please enable this for both test and live modes please click here to go to the Taxamo dashboard

V2 - Stripe
(Your Taxamo dashboard login page will be white)
We have a new setting in your Taxamo account to turn on SCA for your Taxamo Checkout, This setting can be found by logging into the Taxamo dashboard, going to Settings > Stripe, and the setting is called Strong Customer Authentication
Please enable this for both test and live modes please click here to go to the Taxamo dashboard

Note: There is a separate setting in both Test and Live modes

Further information on Stripe billing notifications please go to
https://dashboard.stripe.com/account/billing/automatic

PayPal

Good news!
PayPal automatically upgraded your online checkout – so you’ll be PSD2 ready.

Braintree

Good news!
Taxamo has upgraded your checkout – so you’ll be PSD2 ready and for most merchants, there should be no further development needed but please test transactions in advance of the 14th of September.

Please see the below instructions on how to enable SCA for the Taxamo Checkout form when Braintree is Payment Service Provider

Braintree
We have a new setting in your Taxamo account to turn on SCA for your Taxamo Checkout, This setting can be found by logging into the Taxamo dashboard, going to My account > Taxamo Checkout, and the setting is called Strong Customer Authentication
Please enable this for both test and live modes please click here to go to the Taxamo dashboard

More information about Braintree here: https://www.braintreepayments.com/ie/features/3d-secure#merchant-resources