Strong Customer Authentication: What you need to know

Blogs 25 Feb 2022

From 14 March 2022, customers will need to take extra steps to confirm their identity during online card transactions under the Strong Customer Authentication rules. Find out what this means for your business and what you need to do before the deadline.


Online retailers must comply with Strong Customer Authentication (SCA) rules. From 14 March 2022, when the Financial Conduct Authority (FCA) begins enforcing the rules, card issuers will decline online card transactions that have not been authenticated (or validly exempted) as the rules require.

With UK Finance reporting more than £750 million in fraud in the first half of 2021 alone, the added security measures aim to protect consumers and businesses against fraud when shopping online. Whether you’re an e-commerce business selling products online, or a tourism business taking bookings through your website, find out what you need to know about SCA compliance.

What is Strong Customer Authentication?

Rules introduced under the second Payment Services Directive (PSD2), and carried into UK regulation by the FCA, require consumers to prove their identity when paying online so that payment security is improved. Strong Customer Authentication (SCA) is a form of multi-factor authentication: the cardholder must present at least two independent factors before an online card transaction is approved, which reduces card-not-present fraud because a stolen card number on its own is no longer enough to pay.

Does this apply to small businesses?

Yes. All businesses are required to meet the SCA requirements or risk declined transactions. The FCA has issued guidance regarding how SCA applies to e-commerce. Don’t forget, SCA compliance is in addition to adhering to the Payment Card Industry Data Security Standard guidelines. You can learn more about how to become PCI compliant with our guide.

How to meet SCA requirements

So, how can you make sure your payments are compliant? Your customers will be asked to take further steps to prove they are the cardholder before a transaction is authorised. The check is performed by the customer's card issuer, not by your website: for example, the bank may ask the customer to approve the purchase with a one-time passcode sent by text message, or by confirming it in their mobile banking app. For online card payments this challenge is delivered through the 3-D Secure (3DS) protocol, which your payment provider integrates into your checkout.

How are payments authenticated?

To be compliant, online payments must be authenticated with at least two of the following three factors, and the factors must be independent, so that compromising one does not also compromise the other:

  • Something only the user knows (knowledge), like a password or PIN
  • Something only the user possesses (possession), such as a hardware token or a registered mobile phone
  • Something the user is (inherence), like a facial or fingerprint scan

You may need to change your payment process to meet the SCA requirements. If you haven't already, contact your payment provider to confirm which steps are needed to bring your checkout into compliance, and test a live card payment before the deadline so that you see the authentication challenge your customers will see.

Are there any exemptions?

SCA applies to online card payments and to bank transfers initiated by the customer. Because extra authentication steps add friction and can lead to abandoned checkouts, the rules allow the following kinds of transaction to be exempted from SCA:

  • Recurring transactions and regular payments of the same amount to the same business, such as subscriptions (the first payment in the series still requires SCA)
  • Low-value transactions under £30 (the issuer can still require SCA once the cardholder's running total of exempted payments, or the number of consecutive exempted payments, passes the limits set in the rules)
  • Low-risk transactions that have been assessed in real time by the payment provider's fraud prevention solution (transaction risk analysis)
  • Transactions with trusted beneficiaries, where consumers ask their bank to add merchants they trust to an approved list

An exemption is requested by your payment provider, but the customer's card issuer makes the final decision and may still challenge the transaction, so your checkout must be able to handle an authentication step even when you expect an exemption.

Merchant-initiated transactions, such as charges against a card stored on file, require authentication when the card is first saved or at the first payment; later payments you initiate under that agreement fall outside SCA.
