Does your website comply with the new SCA regulations?

On the 14th September, the European Union has directed that all credit cards being used online must go through a new portal called SCA or Strong Customer Authentication. This will be enforced across Europe as part of the Second Payment Services Directive (PDS2).

This will apply to all “customer-initiated” transactions. This will affect online payments only. Contactless payments are exempt from these new guidelines. 

This means that people buying through your website will now have to be asked ‘something they know’ a question, ‘something they have’ this could be a security code and lastly ‘something the customer is’ this is most likely a biometric test such as a face scan on an iPhone before any order will be processed and accepted. 

It is possible that your website and online payment system will require updates to comply with the new SCA regulation, this is to ensure that business is not lost due to a non-functioning SCA system. Transactions that are made after the 14th of September may be rejected if they do not comply with this regulation. This will be vital for all e-commerce websites if they do not make changes and updates to their online payment systems. 

What kind of transactions are affected by SCA?

SCA will come into force on the 14 September 2019 and will affect any applicable transaction for businesses whose payment service provider is located within the European Economic Area (EEA) and whose customer’s bank or card provider is also located within the EEA.

Recurring direct debits, on the other hand, are considered “merchant-initiated” and will not require strong authentication.

Card details that are collected over the phone also fall outside the scope of SCA and do not require authentication. This type of payment can be referred to as “Mail Order and Telephone Orders” (MOTO). MOTO transactions will need to be flagged with the cardholder’s bank who then will make the final decision to accept or reject the transaction.

Banks will need to start declining payments that require SCA and don’t meet these criteria. Although we anticipate a gradual enforcement of SCA, we expect the first banks to start declining payments without two-factor authentication on 14 September.

If you need help checking if your website complies with the new Strong Customer Authentication guidelines then please get in touch today on or give us a call on 01932 301300.