<img alt="" src="https://secure.perk0mean.com/172683.png" style="display:none;">
arowExplore our blog library

Welcome to Cashflows Payments School, starting with Strong Customer Authentication for beginners.


Let’s face it, the payments industry loves an acronym and we sometimes band around jargon as though everyone understands. At Cashflows we like to make things simple so, if you’re new to payments or maybe you just prefer plain English, you’ll value our back-to-basics guide to Strong Customer Authentication (SCA).

What is SCA?

First things first. There’s something called the second Payment Services Directive (PSD2), which sets the standards for electronic payments and helps to keeps business and their customers safe from fraud and cybercrime.

PSD2 requires any business that sells online to make sure their customers are who they say they are – this is called authentication. And if the payment is passed through one of the certified card scheme solutions, this becomes Strong Customer Authentication, or SCA.

Authentication is provided through an industry standard application called 3D Secure (3DS) and each card scheme has its own flavour of this - like Verified by Visa or Mastercard SecureCode. 3DS ensures that customer transactions go through two-factor authentication – which means asking customers to provide two of the following;

  1. Something the cardholder is (a biometric factor such as a fingerprint)
  2. Something the cardholder has (a mobile phone, an app, an email address)
  3. Something the cardholder knows (a PIN number, mother’s maiden name)

SCA became the law for businesses selling online within the European Economic Area (EEA) in December 2020. Recognising that small businesses are already facing economic challenges since COVID-19, the UK government delayed the deadline for SCA implementation in the UK from September 2021 to March 2022. From this date, all online transactions have to be authenticated through 3DS.

What does that mean for my business?

Once SCA is introduced, businesses must apply two-factor authentication to online transactions (with some exemptions allowed). Not having the right solution in place means more transactions could fail at the authentication stage, which means lost sales.

In the four months following SCA’s introduction to the EEA, failed transaction rates rose to 31% from lower than 5%*, so it’s a real risk that we want to avoid happening in the UK. That’s why it’s important that businesses are ready.

So what can I do?

As a consumer, you’ve probably been presented with a 3DS challenge online, where you were asked to input a PIN or password on a separate browser page or pop-up. In a world where experience is everything, this kind of interruption doesn’t sit well with customers and can lead to abandoned transactions.

That’s why the best approach is to implement the very latest version of 3DS, called 3DSecure Version 2.2 (3DS2.2). This release allows customers to establish their identity through biometrics like a fingerprint, or to check-in through an app they already use, making the transaction flow far more seamless. Some payments providers, like Cashflows, also offer exemptions to SCA for low value transactions, which means smaller purchases don’t need two-factor authentication at all.

If you’re a business that sells online, there’s plenty of support available and our team is always on hand. Don’t let regulation confusion stress you out – get in touch and we’ll do our best to break things down, keep things simple and help you find the right solution.


*20210430 Retail Joint Letter on measuring the impact of SCA April 2021 - EBA