Understanding Strong Customer Authentication (SCA) for UK Merchants

Written by Lee Hart

In the evolving landscape of online payments, UK merchants are facing new requirements designed to enhance security. Strong Customer Authentication (SCA) is a set of rules that changes how customers confirm their identity when making online purchases. These new requirements, part of the second Payment Services Directive (PSD2), add extra security layers to electronic payments by requiring customers to provide additional identification beyond just their card details.

The implementation of SCA means customers must now verify their identity using at least two of three possible factors: something they know (like a password), something they own (like a mobile phone), or something they are (like a fingerprint). For UK merchants, understanding these requirements isn't just about compliance—it's about creating smooth payment experiences while maintaining security standards.

Key Takeaways

  • SCA requires customers to provide two independent authentication factors from possession, inherence, or knowledge categories for increased payment security.
  • UK merchants must implement compliant authentication systems to avoid transaction declines whilst maintaining a smooth customer experience.
  • Certain transactions may qualify for exemptions based on risk levels, transaction value, or payment type, helping balance security with convenience.

What Is Strong Customer Authentication (SCA)?

Strong Customer Authentication (SCA) is a security protocol that changes how customers verify their identity when making online purchases and accessing payment accounts. This regulatory requirement uses multiple verification factors to reduce fraud and enhance payment security.

Background and Regulatory Context

SCA emerged as part of the Second Payment Services Directive (PSD2), a European regulation designed to make electronic payments safer. Even after Brexit, the UK has maintained these standards through Financial Conduct Authority (FCA) implementation.

The FCA introduced these rules specifically to combat rising online payment fraud. The regulation became mandatory for UK businesses on 14 March 2022, following several implementation extensions to give merchants adequate preparation time.

SCA applies to most electronic payments and account access situations where fraud risk exists. This includes online card payments above €30 (about £26), recurring payments, and situations where customers access their payment accounts online.

Core Requirements of SCA

SCA requires authentication using at least two independent factors from these three categories:

  • Knowledge: Something only the user knows (password, PIN, security question)
  • Possession: Something only the user has (mobile phone, hardware token)
  • Inherence: Something the user is (fingerprint, facial recognition, voice pattern)

These elements must be independent, meaning that if one is compromised, the security of the others remains intact. For instance, receiving an SMS code on the same device used for the transaction weakens that independence, because a single compromised device exposes both factors.

UK Finance confirms that transactions must be dynamically linked to a specific amount and payee, creating unique authentication codes for each transaction.

How SCA Works in Practice

When a customer makes an online purchase, the SCA process typically follows these steps:

  1. The customer enters card details at checkout
  2. The payment processor determines if SCA is needed
  3. If required, the customer is redirected to their bank for authentication
  4. The customer provides two verification factors
  5. Upon successful verification, the customer returns to the merchant site

Many banks implement SCA through mobile banking apps. Customers receive push notifications and verify their identity through the app using a combination of PINs, biometrics, or security questions.

Certain transactions qualify for SCA exemptions, including low-value transactions (under €30), recurring payments of the same amount, and transactions deemed low-risk through Transaction Risk Analysis (TRA).

SCA and UK Payments Regulation

Strong Customer Authentication falls under strict regulatory frameworks in the UK financial sector. These regulations aim to enhance payment security and reduce fraud while setting clear implementation deadlines for businesses.

PSD2 Compliance and SCA Mandate

The Strong Customer Authentication requirements emerged from the Second Payment Services Directive (PSD2), an EU regulation that continues to apply in the UK post-Brexit. PSD2 introduced comprehensive changes to payment services across Europe with SCA as a key security component.

Under these regulations, payment service providers must verify customer identity using at least two of three possible authentication factors:

  • Knowledge: Something only the user knows (password, PIN)
  • Possession: Something only the user possesses (mobile phone, card reader)
  • Inherence: Something the user is (fingerprint, facial recognition)

This approach significantly reduces the risk of unauthorised transactions and online fraud. UK merchants must ensure their payment systems support these authentication methods to remain compliant with regulations.

Enforcement Timelines in the UK

The UK's SCA implementation followed a phased approach. While initially planned for September 2019, the Financial Conduct Authority granted extensions to allow businesses adequate preparation time.

E-commerce transactions became subject to full enforcement on 14 March 2022, marking the final deadline after several extensions. This gradual rollout reflected the complexity of implementing SCA across diverse payment ecosystems.

Key milestones included:

  • Initial deadline: September 2019
  • First extension: March 2021
  • Final implementation: March 2022

Businesses that failed to comply by these deadlines risked penalties and payment declines, potentially losing revenue and customer trust.

Role of the Financial Conduct Authority

The Financial Conduct Authority (FCA) serves as the primary regulator overseeing SCA implementation in the UK. The FCA established guidelines, monitored compliance and determined enforcement timelines.

The FCA worked closely with payment service providers and merchants to ensure a smooth transition to the new authentication requirements. They published detailed guidance documents explaining technical standards and compliance expectations.

The regulator takes a risk-based approach to supervision, focusing on entities handling large transaction volumes or displaying security vulnerabilities. Non-compliance can result in formal investigations, financial penalties and reputational damage.

The FCA also responds to industry feedback, addressing practical implementation challenges whilst maintaining the security objectives that SCA regulations were designed to achieve.

Practical Implications for UK Merchants

Strong Customer Authentication requirements affect every aspect of how UK merchants process payments. The changes demand careful implementation to maintain smooth customer experiences while complying with regulatory standards.

Impact on Online Transactions

For online merchants, SCA has significantly changed payment flows. Customers now must verify their identity using at least two of three authentication factors: something they know (password), something they have (mobile device), or something they are (fingerprint).

This means e-commerce businesses must ensure their checkout processes support 3D Secure 2 (3DS2) or equivalent protocols. The enhanced authentication adds steps to the purchase journey, potentially affecting conversion rates.

Key considerations for online merchants:

  • Implement exemption strategies for low-risk or low-value transactions (under £30)
  • Ensure payment systems capture and transmit transaction risk analysis data
  • Optimise mobile checkout flows to handle biometric authentication seamlessly
  • Consider implementing 3DS or similar solutions to comply with requirements

The goal is balancing security with user experience to prevent basket abandonment.

Physical Point-of-Sale and Card Present Scenarios

For brick-and-mortar retailers, SCA implementation has been less disruptive but still requires attention. Chip and PIN transactions already satisfy SCA requirements as they use two factors: the card (something you have) and the PIN (something you know).

Contactless payments remain convenient but face limits. After cumulative contactless transactions reach £300, or after five consecutive contactless payments, customers must perform a full Chip and PIN transaction to reset the counter.

Important POS considerations:

  • Staff training on handling SCA challenges
  • POS terminal updates to support latest authentication methods
  • Customer communication about PIN requirements after contactless usage limits
  • Ensuring sufficient checkout capacity to handle potentially longer transaction times

These measures help physical retailers maintain compliance without significant customer friction.

Selecting SCA-Compliant Payment Solutions

Choosing the right payment partners is crucial for smooth SCA implementation. Payment service providers must support SCA requirements while minimising impact on conversion rates.

When evaluating payment solutions, prioritise providers offering:

  1. Smart Authentication: Solutions that only trigger SCA when necessary
  2. Exemption Handling: Ability to apply and track transaction exemptions
  3. Optimised Flows: Streamlined authentication processes across devices
  4. Analytics: Tools to monitor authentication success rates and abandonment

Many payment providers now offer "authentication optimisation" services that route transactions through the path of least resistance while maintaining compliance.

Consider integration complexity and customer impact when selecting solutions. The right provider should offer documentation, testing environments, and support throughout implementation.

Customer Authentication Methods

SCA requires payments to be verified using at least two independent authentication elements. These elements fall into three distinct categories, with each providing a different layer of security to protect transactions.

Knowledge-Based Factors

Knowledge factors rely on information only the customer should know. The most common examples include:

  • Passwords and passphrases
  • Personal Identification Numbers (PINs)
  • Specific security questions
  • Secret codes sent via SMS

These methods verify identity by confirming the customer possesses private knowledge. For maximum security, customers should create unique, complex passwords for each service they use.

Many banks now require specific characters from memorised information rather than complete passwords to reduce vulnerability to keyloggers. Knowledge factors, while convenient, are considered the weakest form of authentication when used alone, as they can be compromised through phishing attacks.

Possession-Based Factors

Possession factors verify that customers have physical ownership of a specific device or item. Common examples include:

  • Mobile phones (for receiving SMS codes)
  • Hardware tokens that generate one-time passwords
  • Payment cards with chips
  • Smart devices with authentication apps

These methods provide stronger security than knowledge factors alone. When a customer makes a purchase, they might need to verify their identity by entering a code sent to their mobile device.

Many banks now use dedicated authentication apps that generate time-sensitive codes. This approach offers better security than SMS, which can be intercepted by fraudsters.

Inherence-Based Factors

Inherence factors relate to physical characteristics or behaviours unique to the customer. These biometric methods include:

  • Fingerprint scanning
  • Facial recognition
  • Voice recognition
  • Behavioural biometrics (typing patterns, device handling)
  • Iris or retina scanning

Modern smartphones have made biometric authentication widely accessible. Many banking and payment apps now support fingerprint or facial recognition through the device's built-in sensors.

Inherence factors are generally considered the most secure authentication method because they're difficult to replicate. However, merchants must ensure their SCA solutions comply with data protection regulations when collecting and processing biometric data.

Exemptions and Out-of-Scope Transactions

Not all transactions require Strong Customer Authentication under PSD2 regulations. Understanding which transactions are exempt or out of scope can help merchants optimise their payment processes while remaining compliant with regulations.

Low-Value Transaction Exemptions

Strong Customer Authentication requirements don't apply to all online payments. Transactions below €30 (approximately £26) are typically eligible for the low-value exemption.

However, this exemption has important limitations. If a customer initiates more than five consecutive low-value payments, or if their cumulative spending exceeds €100 (about £87) without authentication, SCA will be triggered automatically.

The decision to apply this exemption rests with the customer's bank, not the merchant. Banks assess risk factors for each transaction to determine whether to grant the exemption.

Merchants should note that while they can request this exemption through their payment provider, the final decision belongs to the issuing bank, which may still require SCA if it detects suspicious activity.
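The counter rules described above for the low-value exemption (a payment under €30 may skip SCA until five consecutive unauthenticated payments have been made or cumulative unauthenticated spend would exceed €100) have the same shape as the contactless rule in the point-of-sale section (£300 cumulative or five consecutive taps before a full Chip and PIN transaction resets the counter). The following is an added example, not code from the article or from any issuer or PSP, modelling both with one issuer-side counter; class and function names are this example's own, and the single-tap contactless limit of £100 is an assumption, since the article gives only the cumulative and consecutive limits.

```python
"""Counter logic behind the low-value and contactless SCA exemptions.

Added example; this is not code from the article nor from any issuer or PSP.
It models the rule the article describes for remote low-value payments (a
payment under 30 EUR may skip SCA until five consecutive unauthenticated
payments have been made or their cumulative value would exceed 100 EUR) and,
with different thresholds, the contactless rule (300 GBP cumulative or five
consecutive taps before a full Chip and PIN transaction resets the counter).
Class and function names are this example's own; the single-tap contactless
limit of 100 GBP is an assumption, as the article gives only the cumulative
and consecutive limits.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class ExemptionCounter:
    """Per-card state the issuer keeps between full authentications."""
    max_single: Decimal       # largest single payment the exemption may cover
    max_cumulative: Decimal   # unauthenticated spend allowed since the last SCA
    max_consecutive: int      # unauthenticated payments allowed in a row
    cumulative: Decimal = Decimal("0")
    consecutive: int = 0

    def may_exempt(self, amount: Decimal) -> bool:
        """True if this payment can be approved without SCA."""
        if amount > self.max_single:
            return False
        if self.consecutive + 1 > self.max_consecutive:
            return False
        if self.cumulative + amount > self.max_cumulative:
            return False
        return True

    def record_exempt(self, amount: Decimal) -> None:
        """Book an exempted payment against both counters."""
        self.cumulative += amount
        self.consecutive += 1

    def record_sca(self) -> None:
        """A completed full SCA resets both counters."""
        self.cumulative = Decimal("0")
        self.consecutive = 0


def authorise(counter: ExemptionCounter, amount: str) -> str:
    """Decide one payment and update the counter; returns 'EXEMPT' or 'SCA_REQUIRED'."""
    value = Decimal(amount)
    if counter.may_exempt(value):
        counter.record_exempt(value)
        return "EXEMPT"
    # The issuer would challenge the customer here; the example assumes success.
    counter.record_sca()
    return "SCA_REQUIRED"


def simulate(counter: ExemptionCounter, amounts: list[str]) -> list[str]:
    """Run a sequence of payments through one counter and collect the decisions."""
    return [authorise(counter, a) for a in amounts]


def low_value_remote() -> ExemptionCounter:
    """Thresholds the article gives for the PSD2 low-value exemption (EUR)."""
    return ExemptionCounter(Decimal("30"), Decimal("100"), 5)


def contactless_uk() -> ExemptionCounter:
    """Article's cumulative/consecutive contactless limits (GBP); single-tap limit assumed."""
    return ExemptionCounter(Decimal("100"), Decimal("300"), 5)


if __name__ == "__main__":
    # Four 25 EUR payments fit exactly; the fifth would push spend past 100 EUR.
    print(simulate(low_value_remote(), ["25", "25", "25", "25", "10"]))
    # Six tiny payments: the sixth consecutive one triggers SCA regardless of value.
    print(simulate(low_value_remote(), ["5"] * 6))
```

Note that the decision is taken by the issuer, exactly as the article says: the merchant can only request the exemption, and it has no view of the counters, which is why a request can be refused even for a small amount.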

Recurring and Merchant-Initiated Transactions

Certain recurring payments enjoy exemption from SCA requirements. After the initial setup with SCA, subsequent charges using the same amount to the same merchant can proceed without additional authentication.

Merchant-initiated transactions (MITs), such as subscription renewals or delayed charges, are considered entirely out of scope rather than exempt. These transactions require:

  • A formal agreement between customer and merchant
  • Authentication during the initial agreement setup
  • The same payment amount for each transaction (in most cases)

For variable recurring payments, like utility bills, merchants must clearly communicate that amounts may change. In these cases, the transaction remains out of scope provided the initial mandate was properly authenticated.

Trusted Beneficiaries

Customers can add merchants to their "trusted beneficiaries" or "whitelist" with their bank. Once added, future payments to these trusted merchants can proceed without SCA.

The process works as follows:

  1. During checkout, customers authenticate using SCA
  2. They choose to add the merchant to their trusted list
  3. Future purchases from the same merchant may not require SCA

This exemption benefits merchants with loyal customer bases who make repeat purchases. However, merchants can't directly control this process, as it's managed between the customer and their bank.

The exemption isn't automatic—banks assess risk factors before granting it. Some banks may not offer this feature yet, as it requires sophisticated fraud monitoring capabilities to implement safely.

3D Secure and Technological Solutions

Meeting Strong Customer Authentication requirements hinges on implementing effective technological solutions. 3D Secure protocols serve as the backbone of SCA compliance, with various implementations available to merchants across the UK.

3D Secure 2.0 Overview

3D Secure 2.0 (3DS2) represents a significant upgrade from its predecessor, designed specifically to support SCA requirements. This protocol enables a secure exchange of data between merchants, card issuers, and acquiring banks.

Unlike the original version, 3DS2 conducts risk assessment in the background by analysing over 100 data points. This allows for frictionless authentication when transactions are deemed low-risk, eliminating unnecessary verification steps.

The protocol supports multiple authentication methods, including:

  • Biometric verification (fingerprints, facial recognition)
  • One-time passwords via SMS
  • Banking app notifications
  • Knowledge-based responses

3DS2 is designed to work seamlessly across devices, providing a much-improved mobile experience compared to its predecessor. This mobile optimisation is crucial as smartphone transactions continue to increase.

Benefits and Challenges of 3DS Implementation

Key Benefits:

  • Reduced fraud: 3DS significantly decreases unauthorised transaction rates
  • Liability shift: With proper implementation, fraud liability shifts from merchant to issuer
  • Higher approval rates: Improved risk assessment leads to fewer false declines
  • Regulatory compliance: Meets PSD2 requirements for strong authentication

However, merchants face several implementation challenges. Integration complexity varies based on payment infrastructure, and poor execution can lead to increased cart abandonment.

Some businesses report initial conversion drops of 5-15% after implementation. This impact can be mitigated through careful testing and optimisation.

Costs also represent a consideration, with expenses varying based on transaction volume and provider. Smaller merchants may find bundled solutions from payment service providers more cost-effective.

Alternative Authentication Technologies

While 3DS2 dominates the market, merchants have access to several alternative authentication technologies that also satisfy SCA requirements.

Token-based solutions store encrypted payment credentials, eliminating the need for customers to re-enter card details. Services like Apple Pay and Google Pay fall into this category, using device-level authentication for verification.

Biometric authentication continues to gain traction, with fingerprint and facial recognition becoming increasingly common. These methods offer an excellent balance of security and convenience.

Risk-based authentication uses AI and machine learning to assess transaction risk in real-time. This approach allows for dynamic application of SCA, applying stronger checks only when necessary.

Many merchants opt for a layered approach, combining multiple technologies to maximise both security and customer experience.

Operational Impacts and Best Practices

Implementing Strong Customer Authentication requires significant operational changes for merchants to maintain smooth payment flows while meeting regulatory requirements. These changes affect checkout processes, technical infrastructure and customer communication strategies.

Preparing for SCA Enforcement

UK merchants must make several technical and operational adjustments to comply with SCA requirements. The first step is ensuring payment systems support 3D Secure 2 (3DS2), which provides a more seamless authentication experience than earlier versions.

Integration with payment service providers (PSPs) that offer SCA-compliant solutions is essential. Merchants should verify that their PSP supports all relevant exemptions to minimise friction where possible.

Staff training is equally important. Customer service teams need to understand SCA requirements to explain authentication steps to confused customers. Technical teams must be prepared to troubleshoot authentication issues quickly.

Documentation of SCA processes is necessary for both operational efficiency and potential regulatory inquiries. This includes maintaining records of when exemptions are applied and the justification for each.

Optimising the Checkout Experience

Despite added security steps, merchants can minimise checkout friction through careful design. Implementing biometric authentication options (fingerprint or facial recognition) creates a faster, more user-friendly experience than one-time passwords.

Clear communication is vital. Brief explanations of why authentication is required help reduce cart abandonment. Simple prompts like "This extra security step protects your payment" can increase customer confidence.

Mobile optimisation deserves special attention. Most authentication now happens on mobile devices, so ensuring screens are responsive and buttons are easily tappable significantly improves completion rates.

Consider these checkout optimisation strategies:

  • Pre-warn customers about authentication steps
  • Display progress indicators during authentication
  • Offer alternative payment methods that handle SCA seamlessly
  • Test checkout flows regularly across different devices

Monitoring Fraud and Decline Rates

SCA implementation directly affects transaction success rates and fraud patterns. Merchants should closely track authentication failure rates, abandonment during authentication, and overall conversion impact.

Setting up dashboards to monitor these metrics helps identify problems quickly. Unexpected spikes in decline rates might indicate technical issues with the authentication process rather than legitimate fraud prevention.
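As an added example of the kind of check such a dashboard would run (not code from the article or from any PSP's tooling), the block below groups 3DS authentication outcomes by hour from a constructed log and flags an hour whose non-success rate is both high in absolute terms and well above the other hours, then surfaces the dominant reason code so an operator can tell a technical fault from fraud prevention doing its job. The log format, field names, reason codes and thresholds are all this example's own.

```python
"""Spotting an authentication-failure spike in 3DS outcome logs.

Added example; not from the article nor from any PSP's tooling. The log
format, field names, reason codes and thresholds are constructed here.
"""
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed sample log: timestamp, transaction id, 3DS outcome, reason code.
# Hours 09-11 look normal; at 12:00 the issuer's ACS starts timing out.
SAMPLE_LOG = """\
2024-05-01T09:02:11Z txn=1001 outcome=SUCCESS reason=
2024-05-01T09:15:40Z txn=1002 outcome=SUCCESS reason=
2024-05-01T09:21:03Z txn=1003 outcome=FAILED reason=wrong_otp
2024-05-01T09:33:27Z txn=1004 outcome=SUCCESS reason=
2024-05-01T09:48:59Z txn=1005 outcome=SUCCESS reason=
2024-05-01T10:04:12Z txn=1006 outcome=SUCCESS reason=
2024-05-01T10:17:45Z txn=1007 outcome=SUCCESS reason=
2024-05-01T10:29:08Z txn=1008 outcome=SUCCESS reason=
2024-05-01T10:41:50Z txn=1009 outcome=SUCCESS reason=
2024-05-01T10:55:31Z txn=1010 outcome=SUCCESS reason=
2024-05-01T11:06:19Z txn=1011 outcome=SUCCESS reason=
2024-05-01T11:12:44Z txn=1012 outcome=ABANDONED reason=timeout
2024-05-01T11:25:02Z txn=1013 outcome=SUCCESS reason=
2024-05-01T11:39:57Z txn=1014 outcome=SUCCESS reason=
2024-05-01T11:52:30Z txn=1015 outcome=SUCCESS reason=
2024-05-01T12:01:05Z txn=1016 outcome=SUCCESS reason=
2024-05-01T12:08:33Z txn=1017 outcome=FAILED reason=acs_unreachable
2024-05-01T12:14:21Z txn=1018 outcome=FAILED reason=acs_unreachable
2024-05-01T12:26:49Z txn=1019 outcome=FAILED reason=acs_unreachable
2024-05-01T12:37:16Z txn=1020 outcome=ABANDONED reason=timeout
2024-05-01T12:49:58Z txn=1021 outcome=FAILED reason=acs_unreachable
"""

LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z\s+txn=(?P<txn>\d+)\s+"
    r"outcome=(?P<outcome>[A-Z_]+)\s+reason=(?P<reason>\S*)$"
)
NON_SUCCESS = {"FAILED", "ABANDONED", "ERROR"}


def parse(log_text: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def outcome_rates(log_text: str) -> dict:
    """Map hour bucket -> (challenges seen, challenges that did not succeed)."""
    totals = defaultdict(lambda: [0, 0])
    for rec in parse(log_text):
        bucket = totals[rec["hour"]]
        bucket[0] += 1
        if rec["outcome"] in NON_SUCCESS:
            bucket[1] += 1
    return {hour: (t, f) for hour, (t, f) in totals.items()}


def flag_spikes(rates: dict, min_rate: float = 0.5, factor: float = 2.0,
                min_volume: int = 4) -> list:
    """Hours whose non-success rate is >= min_rate and > factor x median of other hours."""
    flagged = []
    for hour, (total, failures) in sorted(rates.items()):
        if total < min_volume:          # too few challenges to judge
            continue
        rate = failures / total
        others = [f / t for h, (t, f) in rates.items() if h != hour and t]
        baseline = median(others) if others else 0.0
        if rate >= min_rate and rate > factor * baseline:
            flagged.append(hour)
    return flagged


def top_reason(log_text: str, hour: str):
    """Most common reason code among non-success outcomes in the given hour."""
    reasons = Counter(
        r["reason"] for r in parse(log_text)
        if r["hour"] == hour and r["outcome"] in NON_SUCCESS and r["reason"]
    )
    return reasons.most_common(1)[0][0] if reasons else None


if __name__ == "__main__":
    rates = outcome_rates(SAMPLE_LOG)
    for hour in flag_spikes(rates):
        total, failures = rates[hour]
        print(f"{hour}: {failures}/{total} non-success, top reason: {top_reason(SAMPLE_LOG, hour)}")
```

A reason such as `acs_unreachable` dominating a flagged hour points at the authentication path itself rather than at customers failing a challenge, which is the distinction the paragraph above asks operators to make before treating a decline spike as fraud prevention working as intended.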

Fraud monitoring systems may need recalibration after SCA implementation. While SCA reduces fraud overall, fraudsters typically shift tactics to target exemptions or out-of-scope transactions.

Regular reviews of transactions qualifying for exemptions help ensure the right balance between security and convenience. Merchants with low fraud rates can work with their payment providers to qualify for more exemptions, reducing authentication friction for customers.

Common Challenges for UK Merchants

Implementing Strong Customer Authentication presents several significant hurdles for UK merchants that can affect both customer experience and technical operations. These challenges require careful planning and strategic approaches to maintain smooth payment processes.

Customer Drop-Off and Conversion Rates

The introduction of additional authentication steps has created friction in the checkout process, potentially increasing cart abandonment. Studies show that longer checkout processes can reduce conversion rates by 15-30%.

Customers unfamiliar with two-factor authentication (2FA) may become confused or frustrated when suddenly required to provide additional verification. This is particularly problematic for impulse purchases or when customers are shopping via mobile devices.

Some key impacts include:

  • Increased checkout time: Adding 15-30 seconds to the payment process
  • Higher abandonment rates: Especially among first-time customers
  • Customer confusion: When redirected to banking apps or SMS verification

To mitigate these issues, merchants should clearly explain authentication requirements before checkout and optimise mobile experiences for simpler verification.

Dealing with Technical Integrations

The technical implementation of SCA compliance often requires significant updates to payment systems and workflows. Many UK merchants struggle with integrating 3D Secure 2 (3DS2) protocols into existing checkout processes.

Payment service providers offer varying levels of support, creating inconsistencies in implementation approaches. Smaller merchants with limited technical resources face particular challenges when adapting their systems.

Merchants must also manage exemption requests appropriately to balance security requirements with customer experience. Regular testing and monitoring of authentication flows helps identify potential points of failure before they affect customers.

Future Outlook for SCA in the UK

The UK's approach to Strong Customer Authentication (SCA) continues to evolve as digital payments grow. Since its implementation, SCA has changed how consumers confirm their identity when making online purchases, with more developments expected.

Financial institutions anticipate SCA requirements will tighten further by 2026. This includes more sophisticated biometric authentication methods and improved fraud detection algorithms to balance security with user experience.

The Financial Conduct Authority (FCA) has already updated guidance for authentication requirements. Their March 2022 update specifically addressed the 90-day Strong Customer Authentication requirements, signalling ongoing regulatory attention.

Key trends to watch:

  • Integration of AI for more accurate risk assessment
  • Expansion of biometric authentication options
  • Reduction in exemption thresholds
  • Enhanced mobile authentication methods
  • Cross-border payment standardisation

UK merchants should prepare for stricter compliance measures. The original transition to full compliance by March 2021 saw over 95% of transactions requiring step-up authentication, and this trend will likely continue.

Collaboration between payment providers, merchants and regulators will be crucial. The FCA expects all Third Party Providers to be technically ready to implement new requirements swiftly as they emerge.

Consumer education will remain vital as authentication methods become more sophisticated. Merchants who invest in clear customer communication about SCA will likely see higher transaction completion rates.

Frequently Asked Questions

Strong Customer Authentication brings significant changes to payment processing in the UK. These questions address the key implementation requirements, compliance approaches, and exemptions that merchants need to understand.

How does Strong Customer Authentication (SCA) impact UK merchants and their sales processes?

SCA directly affects how UK merchants process online payments. Merchants must now incorporate additional authentication steps during checkout, which may create more friction in the payment journey.

Customer transactions now require verification through at least two authentication factors, which can increase checkout time. This might impact conversion rates initially as customers adjust to the new requirements.

However, SCA also helps reduce fraud and make online payments more secure, potentially decreasing chargebacks and disputed transactions for merchants in the long term.

What are the required elements that constitute Strong Customer Authentication under UK regulations?

SCA requires authentication based on at least two independent elements from three distinct categories. These categories include something the customer knows (like a password or PIN), something they have (such as a mobile phone), and something they are (biometric data like fingerprints).

This two-factor authentication approach ensures higher security standards than single-factor methods. The elements must be independent so that compromising one doesn't compromise the other.

UK regulations specify that these authentication factors must be dynamically linked to the specific amount and payee of the transaction to prevent man-in-the-middle attacks.

What changes did the PSD2 directive introduce regarding Strong Customer Authentication for online transactions?

PSD2 made SCA a legal requirement for electronic payments in the UK. The directive mandated that payment service providers apply SCA when customers access payment accounts online, initiate electronic payments, or take actions through remote channels that risk fraud.

The directive also introduced the requirement for a dynamic link between the authentication and the specific transaction details. This prevents attackers from intercepting and altering transaction information.
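The dynamic link described here, and in the UK Finance note earlier in the article that authentication codes must be tied to a specific amount and payee, is easiest to see in code. The following is an added example, not code from the article nor from any bank, card scheme or 3DS implementation: it computes an HMAC over the exact amount, currency, payee and a per-transaction nonce, so a code approved for one payment fails verification if any of those fields is altered or if it is replayed. The key and nonce are constructed test values and the function names are this example's own; in practice the key would be provisioned to the customer's authentication app (the possession factor) and held by the issuer.

```python
"""Dynamic linking of an authentication code to amount and payee.

Added example; not code from the article or from any bank, scheme or 3DS
implementation. The shared key and nonce are constructed test values.
"""
import hashlib
import hmac
import secrets
from decimal import Decimal

# Constructed 256-bit demo key; a real one is provisioned per device.
DEMO_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
DEMO_NONCE = "c0ffee00c0ffee00c0ffee00c0ffee00"  # constructed


def canonical(amount: str, currency: str, payee: str, nonce: str) -> bytes:
    """Length-prefixed encoding so '10' and '10.00', or shifted delimiters, cannot collide."""
    amt = format(Decimal(amount).quantize(Decimal("0.01")), "f")
    fields = [amt, currency.upper(), payee, nonce]
    return "|".join(f"{len(f)}:{f}" for f in fields).encode("utf-8")


def authentication_code(key: bytes, amount: str, currency: str,
                        payee: str, nonce: str, digits: int = 8) -> str:
    """HMAC-SHA256 over the linked fields, truncated HOTP-style to a readable code."""
    mac = hmac.new(key, canonical(amount, currency, payee, nonce), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def new_nonce() -> str:
    """Fresh per-transaction value so a code cannot be reused for a second payment."""
    return secrets.token_hex(16)


def verify(key: bytes, presented: str, amount: str, currency: str,
           payee: str, nonce: str) -> bool:
    """Issuer-side check: recompute over the fields the issuer is about to execute on."""
    expected = authentication_code(key, amount, currency, payee, nonce)
    return hmac.compare_digest(expected, presented)


def tamper_demo() -> dict:
    """Approve a 149.99 GBP payment, then try to spend that code on altered details."""
    code = authentication_code(DEMO_KEY, "149.99", "GBP", "MERCHANT-001", DEMO_NONCE)
    return {
        "genuine": verify(DEMO_KEY, code, "149.99", "GBP", "MERCHANT-001", DEMO_NONCE),
        "amount_changed": verify(DEMO_KEY, code, "1499.99", "GBP", "MERCHANT-001", DEMO_NONCE),
        "payee_changed": verify(DEMO_KEY, code, "149.99", "GBP", "MERCHANT-002", DEMO_NONCE),
        "replayed": verify(DEMO_KEY, code, "149.99", "GBP", "MERCHANT-001", new_nonce()),
    }


if __name__ == "__main__":
    for case, ok in tamper_demo().items():
        print(f"{case:>15}: {'verified' if ok else 'rejected'}")
```

The important design point is that the issuer recomputes the code over the amount and payee it is actually about to execute, not over whatever the merchant or an intermediary forwarded, which is what makes the link "dynamic" rather than a static one-time password.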

PSD2 established a framework of exemptions to balance security with convenience, recognising that not all transactions present the same level of risk.

As a UK merchant, what are the best practices for implementing SCA to comply with regulations?

Merchants should partner with payment providers that offer SCA-compliant solutions. Many providers have developed systems that handle the authentication process seamlessly while maintaining a good customer experience.

Implementing 3D Secure 2.0 is highly recommended as it supports SCA requirements while offering a more user-friendly experience than earlier versions. This protocol allows for risk-based authentication, reducing unnecessary challenges.

Clear communication with customers about authentication requirements helps set expectations. Merchants should explain why additional verification steps are necessary and how they protect customer accounts.

How do the SCA requirements differ for card-present and card-not-present transactions in the UK?

For card-present transactions, chip and PIN already satisfies SCA requirements as it combines something the customer has (the card) with something they know (the PIN). Contactless payments have special provisions with transaction limits before SCA is required.

Card-not-present transactions, such as online purchases, face stricter SCA application. These transactions typically require implementation of 3D Secure or similar protocols to authenticate customers through multiple factors.

Mobile wallet payments may use device authentication (fingerprint or facial recognition) combined with possession of the device to satisfy SCA requirements, offering a streamlined customer experience.

Are there any exemptions to Strong Customer Authentication that UK merchants can utilise?

Several key exemptions exist for low-risk transactions. Payments below £30 may qualify for the low-value transaction exemption, though cumulative limits apply.

Merchants with demonstrably low fraud rates can apply for the transaction risk analysis exemption through their payment providers. This allows them to skip SCA for certain transactions based on real-time risk assessment.

Recurring transactions of the same amount to the same merchant are exempt after the first payment. Additionally, transactions to trusted beneficiaries previously designated by the customer may be exempted from SCA requirements.