>   >   > 

Strong Customer Authentication (SCA)
Are you compliant?


From 14 September 2019, under PSD2, Payment Service Providers (PSPs) operating in Europe are required to apply Strong Customer Authentication (SCA) for e-commerce payment transactions.

What is SCA?

SCA requires that at least two out of three different authentication factors are provided, otherwise known as two-factor authentication (2FA). This can be something the customer has in their possession, something they know and something they are.

The elements must be mutually independent, so that the breach of one does not compromise the other(s).

By enabling the latest version of 3D Secure 2.0, businesses can prepare for PSD2 and comply with this SCA requirement for online payments.

When is SCA required

SCA is required when the payer:

    • Accesses his payment account online (e.g. home banking)
    • Initiates an electronic payment transaction
      • Applicable to all electronic transactions: face-to-face and remote (e-commerce, mobile, browser-based and in-app, but not MO-TO)
      • For remote transactions, SCA must include elements that dynamically link the transaction to a specific amount and a specific payee (dynamic link)
    • Carries out any action through a remote channel which may imply a risk of payment fraud or other abuses (e.g. e-mandate for direct debit)

Source: MasterCard


SCA Exemption

One drawback to requesting authentication is that this can add friction to the payment process, risking cart abandonment during check-out. To mitigate this friction, PSPs can, in some instances,  apply SCA exemption.

There are three primary exemptions from SCA allowed that are relevant to online card payments:

    • Low Value Transactions
    • Merchant Initiated Transactions
    • Low Risk Transactions
SCA exemption graph

Transactions up to a certain € value, dependent on the payment provider’s overall fraud levels (see table), up to €500, are exempt from SCA.  For transactions below €30, no SCA is required. However SCA will be required if five or more exempt transactions have been performed on the same card or payment method in a 24-hour period, or if these exempted transactions total more than €100.

This means that SCA should be applied each time a payer directly initiates a non-low value electronic payment transaction unless the bank/PSP has a very low fraud rate.

If PSPs are able to determine that a transaction is Low Risk by using Transaction Risk Analysis (TRA), and their aggregate fraud rate is low, they may request an exemption from SCA, enabling frictionless payments, such as a one-click payment. 

In order to use the TRA exemption to not apply SCA, the PSP must have sophisticated fraud monitoring tools that enable it to monitor fraud rates and transaction characteristics across its entire portfolio, on a real-time basis.

How TAS Group can help

TAS Group offers PSD2-compliant solutions to help PSPs manage both SCA and SCA exemptions.

to learn how we can support you with your SCA implementation.

3D Secure 2.0

TAS 3D Secure 2.0, the cardholder authentication solution for safer, faster, frictionless payments, implements the latest EMVCo protocol offering a state-of-the-art ACS solution. This protocol makes use of a wealth of transactional and customer data taking into account up to 100 data items such as amount, device, IP address, MCC, delivery details, and account age, making it possible to make better authentication decisions.

By evaluating this additional information, issuers can calculate the level of risk associated with a transaction and decide whether to trigger further challenges, such as biometric, OTP or other types of authentication request. 3-D Secure 2.0 fully complies with PSD2 on Strong Customer Authentication (SCA) and allows SCA Exemption via an optional Intelligent Fraud module. By applying 3-D Secure based on calculated risk, issuers and acquirers can reduce fraud, deliver a better online payment experience and increase conversions.

Download the overview

Transaction Risk Management with Fraud Protect

Harnessing the power of machine learning and advanced predictive models, the TAS Transaction Risk Management module (part of the TAS Fraud Management suite), performs risk-scoring, taking advantage of information that is available at or before authentication and during authorization. The use of device information, geo or IP location, behavioural biometrics, and scoring using Artificial Intelligence provide a wealth of opportunities to determine the risk associated with a transaction.  

Fraud Protect interacts with the Customer environment in real time, be it a PSP, TPP or Merchant, and uses advanced predictive engines to support Transaction Risk Analysis (TRA). In line with PSD2 and with the technical standards issued by EBA for strong customer authentication (SCA) and open common and secure communication standards, Fraud Protect also offers functions to maximize the application of the SCA Exemption. 

Download the overview