Strong Customer Authentication (SCA) is the European regulatory requirement that is part of the Second Payment Services Directive (PSD2). The key objectives of SCA are to reduce fraud and make online payments more secure by introducing two-factor authentication on electronic payments. This guide provides an overview of SCA and aims to answer some frequently asked questions about the feature.
- Recharge Checkout on Shopify
- Recharge Checkout on BigCommerce
Overview of SCA
Strong Customer Authentication (SCA) is the European Economic Area (EEA) regulatory directive that requires multi-factor authentication for online transactions to reduce fraud. For a transaction to be approved, customers must be authenticated with at least two of the following three elements:
- Knowledge – Something the customer knows (e.g., a password)
- Possession – Something the customer has (e.g., a phone)
- Inherence – Something the customer is (e.g., a fingerprint)
Who is impacted by SCA
SCA is required on card transactions where both the merchant’s bank (“acquiring bank”) and the bank issuing the customer’s card are located within the European Economic Area (EEA).
The countries located within the EEA are as follows: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.
SCA and your payment processor
Recharge has made both checkout and recurring orders compliant, with little to no work required from the merchant. Depending on your payment processor, there may be additional action you need to take to ensure store compliance.
- Stripe – At this time, no action is required by merchants using Stripe to be SCA compliant with Recharge.
- Braintree – At this time, it is recommended that you email Braintree to determine if SCA impacts you. If impacted, send an email to Braintree requesting they enable 3D Secure 2 on your Braintree account. 3D Secure 2 is required to be SCA compliant.
- Authorize.net – Contact your Authorize.net representative for further details. In many cases, Recharge has already been in touch with merchants located in the EEA and using Authorize.net about next steps.
SCA and Recharge Payments
Recharge has configured the checkout to handle SCA requirements.
In the event SCA verification is required for a checkout transaction, a modal will appear and ask the customer to authenticate the payment. After the customer authenticates the transaction, the charge will be processed.
Recharge has configured recurring charges to handle SCA requirements.
It is expected that recurring charges will not require SCA verification because the transactions are identified as “merchant-initiated.” Merchant-initiated transactions fall outside the scope of SCA and do not require authentication.
In the event SCA verification is required for a recurring charge, an email notification is sent to the customer with a link to re-authenticate the payment. The customer can click the link, re-authenticate the payment, and their recurring charge will be processed.
Recharge has configured the customer portal to handle SCA requirements.
In the event SCA verification is required when a customer is updating their card, a modal will appear and ask the customer to authenticate their card. After the customer authenticates their card, it is saved for future recurring charges.
If your merchant account (or bank account) is located in the EEA, you sell to customers in the EEA, and you use the Recharge Checkout API or the Recharge Customer API to create customers with payment gateway tokens, you’ll need to implement SCA-compliant workflows in your application. Please consult your payment processor for the relevant documentation and to confirm whether this is required.
Do I need to take action?
You may also choose to update the Payment re-authentication notification to match your store's style and branding.
In the event that you are using the Recharge Checkout API to process checkouts or the Recharge Customer API to create customers with payment gateway tokens, you may need to work with your payment processor to ensure that your workflows are SCA compliant.
When did SCA go into effect?
Enforcement of SCA began on September 14, 2019, with a final deadline of December 31, 2020.
Most national regulators in the EEA made public announcements to extend the timeline of enforcement beyond September 14, 2019, to allow more time for the banks and payment industry to become compliant.
Can I edit the modal window that appears when a card needs to be authenticated?
No, the modal is controlled by the bank and, for security purposes, cannot be modified.
Can I edit the notification that is sent out to customers who need to re-authenticate?
Yes. This notification can be edited by clicking Settings, selecting Notifications, and editing the Payment re-authentication notification.