Strong Customer Authentication (SCA): A New Requirement For E-Commerce
Starting September 14, 2019 a new e-commerce requirement in the EU called Strong Customer Authentication (SCA) will go into effect. This new requirement will change the way online payments are collected from European cardholders. Below you can find more details about SCA and how this will affect your app.
What is SCA?
Strong Customer Authentication (SCA) is a new e-commerce requirement affecting European cardholders. Starting September 14, 2019, online payments will require multi-factor authentication to verify the cardholder’s identity. All payments will also require capturing additional information such as Name, Email, and Billing Address.
Why am I reading this?
We’re changing the way we handle European payments with our Stripe integration. If you use Stripe in Knack to charge payments, this post will highlight any changes you may need to make in your Knack app to be compliant.
What do I need to do?
Both Stripe and PayPal will start handling SCA automatically starting on September 14, 2019, so you don’t need to make any changes in your builder.
When charging European cards in your Knack app, only the cardholder can submit the payment form. This means that you wouldn’t be able to accept credit card details over the phone and submit them on behalf of the customer since SCA could be required to complete the payment.
The same requirement is true for stored European payment methods. If you’re currently charging payments on behalf of the customer, you will need to update your app’s workflow so that the customer can complete the payment themselves instead.
SCA and PayPal
PayPal will handle the SCA requirement on their end should the cardholder’s banking institution require it. You do not need to make any additional changes if you are using the PayPal integration with your app.
SCA and Stripe
We are updating our Stripe integration to use 3D Secure 2 to complete the SCA requirement.
New Payment Form
The new payment form will be used for all payments going forward, regardless of SCA requirements. The new form contains additional fields for Name, Email, and Billing Address. If SCA is required to complete the payment, the customer will see one of three additional verification options.
Specific types of payments that qualify as “low-risk” may bypass SCA with exemptions. For example, payments below €30 may be exempted. Stripe will try to apply for an exemption when applicable, but the cardholder’s bank may deny the exemption at any time. If an exemption request is denied, SCA verification will be required to complete the payment.
You can read more about Stripe’s exemptions here.
Charging stored payment methods for the logged-in user
SCA may be required if charging a stored payment method. If SCA is prompted, the logged-in cardholder will need to complete additional verification.
Charging stored payment methods on behalf of the customer
When charging payments on behalf of the customer (off-session), the customer must be notified via e-mail if SCA is required and offer them a link to complete the payment verification.
Due to these additional requirements Knack will not support off-session payments for the foreseeable future. As of September 14, 2019 all payments will be flagged as on-session and assume the cardholder is present to complete SCA, if needed.
I’m a merchant in the US. Will this update affect me?
Yes. You will also need to capture Name, Email, and Billing Address for all payments going forward.
You may encounter an SCA requirement if you accept a payment from a European customer, so you may not be able to charge recurring payments on their behalf.
This is not legal advice since we’re not lawyers! Always consult with a lawyer to ensure your business is being compliant with any regulation.