Strong Customer Authentication FAQ
Last updated on 23rd September 2021
Strong Customer Authentication (SCA) is a requirement of PSD2, a European regulation that went into effect on 14th September 2019, to make customer-initiated online and in-app payments more secure in the European Economic Area (EEA) and UK. In the UK, PSD2 and SCA will be enforceable from 14 March 2022.
What is SCA?
The SCA requirement aims to make electronic, online and mobile payments more secure, and does so by asking customers to provide additional information to authenticate and complete their transactions. This regulation helps to verify cardholders and reduce the chance of fraudulent transactions.
What is changing?
Currently, when paying online, customers need to enter their card number, expiry date, CVV and postcode to make a payment. When SCA enforcement begins, customers will be required to complete two of the three factors of authentication when initiating a payment: something you know, something you own, something you are.
For online card payments, the SCA requirements are met by implementing 3D-Secure 2. For in-store contactless payments, SCA requirements are already met through chip and PIN requirements when certain cumulative limits are reached, or through mobile wallets.
What is 3D-Secure 2?
3D-Secure 2 (3DS2) is a standardised mechanism for authenticating electronic card transactions. Authentication is done either through a challenge flow, where the customer is required to provide additional information to complete their transaction, or through the frictionless flow, where the customer can complete their checkout without any additional steps.
Challenge flows include (but are not limited to): a one-time passcode sent via SMS or email, a request for biometric information such as a fingerprint scan, or the customer being redirected to their card-issuing bank’s mobile app to approve a transaction.
Frictionless flows require no additional steps for the customer to authenticate the payment, and allow the payment to be completed without extra verification.
Note: The customer’s card issuer, not Square, determines whether to apply a challenge flow or a frictionless flow to a transaction. If your customer is experiencing issues with a challenge flow, please ask them to contact their card issuer for support.
Do all online and mobile payments fall under SCA?
No - there are certain online and mobile transaction types that are out of scope for SCA. These include (but are not limited to): merchant-initiated transactions, telephone orders, transactions where the customer’s card issuer and/or the merchant is outside the EEA/UK, and recurring transactions.
How will SCA affect Square products and payments?
You can read more about how SCA requirements may affect your use of different payment products below:
Square Online, Square Online Checkout links and Square Invoices: Customers may soon experience challenge flows when paying via Square Online, Square Online Checkout links and Square Invoices. Square has already taken steps to ensure that these products and services are compliant with SCA. There is no action required from merchants who use these products, but we wanted to make you aware of the changes as your customers may be prompted to pass 3DS2.
Weebly: Square's Weebly platform is already SCA compliant. If you use this platform, there is nothing additional you need to do.
Square eCommerce APIs: Sellers, Developers and Partners that use Square’s developer products such as Square Payment Form and the Connect V2 APIs must ensure their applications are SCA-compliant. To be compliant with SCA guidelines, developers will need to update their Square integrations according to our developer documentation.
App Marketplace Integrations: If you use Square to accept payments through a third-party eCommerce integration (such as WooCommerce, OpenCart or GoDaddy), the app provider will manage SCA compliance on your behalf and no action is required from you.
Virtual Terminal: Payments accepted through Square’s Virtual Terminal are considered merchant-initiated transactions under SCA guidelines, and are exempt from additional authentication requirements and challenge flows. If you use Virtual Terminal for payments, no action is required from you to be compliant with SCA requirements.
How does Brexit impact support for 3DS2 and SCA in the UK?
Brexit does not impact the overall application of SCA in the UK. The UK has independently voted to implement this regulation through its Payment Services Regulation.
While SCA came into effect on 14th September 2019, the UK’s Financial Conduct Authority (FCA) decided to take a phased approach to enforcing SCA obligations. The FCA initially proposed to start enforcement in March 2021, but then decided to extend enforcement of SCA until 14th September 2021, and has again extended the deadline to March 2022.
You can find more information on the Financial Conduct Authority’s implementation of SCA here.
My customers aren't seeing 3DS2 yet. Has Square turned it on?
Square has begun rolling out the SCA-compliant flow with 3D-Secure 2 (3DS2) as of 1st January 2021. However, please also remember that the FCA has delayed enforcement of SCA, so card-issuing banks are not required to turn on the service immediately.
Throughout the extended deadline window (until March 2022), you may see the number of challenges gradually increase as more merchants and card issuers become SCA-compliant.
In addition, not all transactions will require a challenge flow - it is possible that a transaction was completed through the frictionless 3DS2 flow.