As part of our ongoing efforts to increase data security in the system, and in order to comply with the EU Revised Payment Services Directive (PSD2), Atriis is implementing Strong Customer Authentication (SCA) for all our distributors. This article gathers all relevant information and will be updated rapidly as more questions come in from our clients or if more requirements are presented in the future.
What is the PSD2?
The EU Payment Services Directive (PSD) regulates payment services across the EU and EEA. PSD2 is the latest revision of the directive and aims to better protect consumers when they pay online. The new revision promotes the development and use of innovative online and mobile payments to make cross-border European payment services safer. One of the requirements posed by PSD2 is the use of Strong Customer Authentication (SCA) to further enhance the security of online payments.
What is SCA?
The Strong Customer Authentication (SCA) requirement applies to payment service providers within the EEA. It ensures the use of multi-factor authentication on electronic payments to increase their security. Similar to 2-Factor Authentication, SCA adds an extra layer of verification to make sure that the person trying to complete the payment is who they say they are, and that they are the legal owner of the card used for the payment. Upon checking out, if payment is made with a qualifying card, the user will be asked to perform a verification process in which their card company sends a code to their mobile phone or e-mail address. The transaction will be completed only if the correct code is provided. Many vendors have already integrated SCA into their payment process, and the requirement will become mandatory on 31-DEC-2020 throughout the EEA. For the UK, the requirement will become mandatory on 30-SEP-2021.
How does it work in Atriis?
- When the user checks out, Atriis will attempt to complete the payment with the various vendors in the cart. If SCA is not required by any vendor, the transaction will be completed as usual.
- If one of the vendors requires SCA in order to complete the transaction, a notification will appear next to the relevant quote:
- Clicking on the link will open the verification process window. Atriis will contact the bank and will display the verification process that the bank requests:
- The design of the window will vary from bank to bank and can be different for each card company. The user will receive a code by e-mail or on their mobile phone, depending on the card company/bank, and will need to enter this code in the designated box:
- Once the verification is completed, the user can complete the transaction by clicking on the button:
- The transaction will be completed only if the verification was successful.
Which transactions qualify for SCA?
In principle, only transactions involving personal cards are required to undergo SCA. Virtual cards, or cards that are registered under the name of an organization, should be exempt from this requirement. However, each supplier is responsible for managing their own payments and may or may not require SCA in order to complete the transaction. Atriis provides the platform for completing the verification but is not responsible for when it is or is not required.
Does it apply to all suppliers?
Atriis will continue implementing SCA for all suppliers that use personal credit cards as the form of payment (FOP), until the end of December 2020. It might happen that the functionality is already implemented for a supplier in Atriis but the SCA process is not yet in place on the supplier side. In such cases, SCA will become available as soon as the supplier implements it.