If you sell goods or services online, you have likely heard about the new requirements for banks and payment service providers to implement strong customer authentication (also known as SCA, two-factor authentication or multi-factor authentication). Under strong customer authentication, customers must provide two out of three possible verification methods for certain online transactions. For example, a password plus a mobile phone code, or a bank card number plus biometric evidence.
Businesses have until 14 March 2022 to ensure their payments systems comply with strong customer authentication. After that date, it is likely that customer payments will not be processed unless they meet the requirements.
What do I need to do now?
Your online business’s website and payment systems must comply with the strong customer authentication requirements by 14 March 2022. If you have not already done so, you should contact your bank or payment service provider to deploy a compliant solution and avoid your customers’ payment transactions failing after 14 March 2022.
If you use a large payment services provider (such as Stripe, PayPal or Square), it is likely that they have solutions available to ensure your transactions comply with the authentication requirements. Contact them to check what actions you may need to take, if any.
We’ve set out the basics of strong customer authentication below.
What is strong customer authentication (SCA)?
Strong customer authentication (SCA) is part of the European Union’s Payment Services Directive 2 (PSD2), which has been adopted by the UK and is aimed at making online payments more secure.
Under the directive, customers buying online must provide two forms of identifying details when making a payment. Identifying details can be something the customer knows (passwords or PIN codes), something the customer has (eg possession of a payment card or mobile phone) or something the customer is (eg biometric details like fingerprints or facial recognition). Often this means the user will have to enter a short code sent to them by their bank via SMS to verify a transaction.
Note that transactions processed through digital wallets (such as Apple Pay or Google Pay) will meet the strong customer authentication requirements automatically.
Does strong customer authentication apply to all online payments?
No. The authentication requirements will not apply to:
- any transactions where either the seller or buyer is outside the EEA;
- telephone or mail order payments.
Other types of payment transactions that may be exempted from the authentication requirements include:
- low value transactions, for example those under £30;
- merchant initiated payments, for example subscriptions or direct debits (provided that the customer’s first subscription payment was authenticated using SCA);
- low risk transactions where the payment service provider has low levels of fraud on its platforms; and
- corporate payments (unless the corporate card is in the name of an individual).
Which exemptions are applied, and how the strong customer authentication will work, may depend on a bank or payment service provider’s systems and processes. Contact your payment service provider for more information on how this affects your business (you can also find more guidance on SCA on the Financial Conduct Authority’s website).
Marion joined Sparqa Legal as a Senior Legal Editor in 2018. She previously worked as a corporate/commercial lawyer for five years at one of New Zealand’s leading law firms, Kensington Swan (now Dentons Kensington Swan), and as an in-house legal consultant for a UK tech company. Marion regularly writes for Sparqa’s blog, contributing across its commercial, IP and health and safety law content.