SCA and the new guidelines

Security is one of the most important things when it comes to payments, both for consumers and for business owners. When payment cards were introduced, one could settle for a 4-digit PIN code and that was it. Unfortunately, that’s not going to fly today. That is why, as of January 1st 2021, new guidelines have been introduced throughout the EU to protect us all from fraud. These rules are colloquially called SCA. These new guidelines came into play on January 11th 2021.

SCA and you as a business owner

In this blog post, you can read more about what the new security requirements mean to you as a business owner. As in many technical industries, there are quite a few abbreviations that can make understanding a challenge, but I will try to keep it as simple as possible.

SCA stands for Strong Customer Authentication, or strong customer verification as you may know it. Or maybe you know it as two-factor approval. However, the new SCA rules have been extended from just a PIN code to include more security.

According to the new guidelines, the new SCAs must contain three things:

  • something you have (for example your NemID)
  • something you know (for example your personal PIN code)
  • something you are (for example, your fingerprint or face)

When a customer buys something from your shop, they will therefore be asked to authorize their purchase with, for example, a PIN code sent via SMS, or through face recognition. Not every time though, but I will get back to that.

Who's responsible for what?

The card issuer is responsible for ensuring that there is SCA on all electronic transactions going forward. This means that it is the card issuer that issued the customer's card who must ensure that SCA is used in the transactions where it is required.

It is the acquirer’s job to ensure that 3D Secure is available to all webshops, and it is the webshop owner’s task to ensure that it is turned on. Today, there are two versions of 3D Secure – version 1 and version 2. To meet the requirements, it must be version 2 that is activated. At Yourpay, we have activated version 2.

There are several different protocols, which are developed by the different card types and which all go under the name 3D Secure. For example, Mastercard has SecureCode, Visa has Verified by Visa and American Express has SafeKey. The way they protect themselves from fraud varies slightly, but the end result is always the same: to ensure that both you and your customers make a safe trade.

At Yourpay, we have always run 3D Secure with both SecureCode and Verified by Visa for transactions that triggered our Fraud Detection AI robot, whether it was turned on or not. It has also meant that we have always had a fraud rate of less than 1%.

You can read more about that here.

The idea was actually that these new rules should have been applied on September 19th 2019, but at that point several key players in the industry announced that they were not ready, and the deadline was therefore postponed. But from January 1st 2021, the EU made it mandatory to have security on all transactions.

Which transactions does this apply to?

SCA and the new guidelines are imposed on all electronic payments, where it is the customer who takes the initiative for the payment. This applies to card payments, account transfers and wallet payments – such as MobilePay and GooglePay.

But of course, there are always exceptions:

  • Subscription payments or recurring payments – If you have a subscription business, the protocol will only be activated the first time your customer pays. None of your existing agreements will be affected by SCA.
  • Foreign card issuers or card acquirers – If one of these is not based in Europe, it will not be covered by the EU SCA guidelines either.
  • Small amounts – If the amounts are less than 30 euros, the protocol will not be activated. Here, however, the rule is that if the collective total of the small amounts exceeds 100 euros, it will be activated anyway. If there are many small amounts, the protocol will also be activated with every 5th purchase, even if they do not exceed the 100 euros in total.
  • Raised amount limits – card issuers can also, in some cases, assess that your customer has a low risk of fraud, and can therefore raise the limit for the amount.

But can one then be sure that these exceptions work? No, you cannot. Some card issuers may also choose to turn off the exceptions, and then your customers will have to approve their transactions no matter what.
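The exception rules above can be written as a small decision function, which makes it easier to see why a customer is sometimes challenged on a small purchase. This is an added example, not Yourpay's or any card issuer's code: the function and parameter names are hypothetical, resetting the counters after each challenge is an assumption, and the raised-limit exception is not modelled.

```python
from dataclasses import dataclass

LOW_VALUE_LIMIT = 30.0    # euros: purchases below this may skip SCA
CUMULATIVE_LIMIT = 100.0  # euros: total of skipped small purchases
EVERY_NTH = 5             # every 5th small purchase is challenged

@dataclass
class CardState:
    """Per-card counters since the last SCA challenge (assumed reset rule)."""
    exempt_total: float = 0.0
    exempt_count: int = 0

    def reset(self):
        self.exempt_total, self.exempt_count = 0.0, 0

def sca_required(amount, state, *, recurring_followup=False, issuer_in_eu=True,
                 acquirer_in_eu=True, issuer_allows_exemptions=True):
    """Return (required, reason) for one customer-initiated payment."""
    if not (issuer_in_eu and acquirer_in_eu):
        return False, "issuer or acquirer outside Europe"
    if not issuer_allows_exemptions:
        state.reset()
        return True, "issuer has turned exemptions off"
    if recurring_followup:
        return False, "recurring payment after the first one"
    if amount >= LOW_VALUE_LIMIT:
        state.reset()
        return True, "amount is 30 euros or more"
    if state.exempt_total + amount > CUMULATIVE_LIMIT:
        state.reset()
        return True, "small amounts exceed 100 euros in total"
    if state.exempt_count + 1 >= EVERY_NTH:
        state.reset()
        return True, "5th small purchase in a row"
    state.exempt_total += amount
    state.exempt_count += 1
    return False, "low-value exemption"

def simulate(amounts, **kwargs):
    """Run constructed sample purchases through one card's state."""
    state = CardState()
    return [sca_required(a, state, **kwargs)[0] for a in amounts]

if __name__ == "__main__":
    print(simulate([10, 10, 10, 10, 10]))  # constructed sample amounts
    print(simulate([29, 29, 29, 29]))
```
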

What should you do?

If you are a customer at Yourpay, you don’t have to do anything. We always comply with SCA and the new guidelines and preferably more. Your payment security in your business has to be the best and we’re dependent on satisfied customers, so we don’t compromise.

If you still receive inquiries from customers who think that you are making life difficult for them, you can always refer to this blog post or to our support center, where we have several good articles on 3D Secure.