Strong Customer Authentication FAQ
Strong Customer Authentication (SCA) is a requirement of PSD2, a European regulation that went into effect on 14th September 2019, to make customer-initiated online and in-app payments more secure in the European Economic Area (EEA).
What is SCA?
The SCA requirement aims to make electronic, online and mobile payments more secure, and does so by asking customers to provide additional information to authenticate and complete their transactions. This regulation helps to verify cardholders and reduce the chance of fraudulent transactions.
What is changing?
Currently, when paying online, customers need to enter their card number, expiry date, CVV and postcode to make a payment. With SCA enforcement in place, customers are required to complete two of the three factors of authentication when initiating a payment: something you know, something you own, something you are.
For online card payments, the SCA requirements are met by implementing 3D-Secure 2. For in-store contactless payments, SCA requirements are already met through mobile wallets, or through chip and PIN requirements when certain cumulative limits are reached.
What is 3D-Secure 2?
3D-Secure 2 (3DS2) is a standardised mechanism for authenticating electronic card transactions. Authentication is done either through a challenge flow, where the customer is required to provide additional information to complete their transaction, or through the frictionless flow, where the customer can complete their checkout without any additional steps.
Challenge flows include (but are not limited to): a one-time passcode sent via SMS or email, a request for biometric information such as a fingerprint scan, or the customer being redirected to their card-issuing bank’s mobile app to approve a transaction.
Frictionless flows require no additional steps for the customer to authenticate the payment, and allow the payment to be completed without extra verification.
Note: The customer’s card issuer, not Square, determines whether to apply a challenge flow or a frictionless flow to a transaction. If your customer is experiencing issues with a challenge flow, please ask them to contact their card issuer for support.
Do all online and mobile payments fall under SCA?
No - certain online and mobile transaction types are out of scope for SCA. These include (but are not limited to): merchant-initiated transactions, telephone orders, recurring transactions, and transactions where the customer’s card issuer and/or the merchant is outside the EEA/UK.
How will SCA affect Square products and payments?
You can read more about how SCA requirements may affect your use of different payment products below:
Square Online, Square Online Checkout links and Square Invoices: Customers may experience challenge flows when paying via Square Online, Square Online Checkout links and Square Invoices. Square has already taken steps to ensure that these products and services are compliant with SCA. There is no action required from merchants who use these products, but we wanted to make you aware as your customers may be prompted to pass 3DS2.
Weebly: Square's Weebly platform is already SCA compliant. If you use this platform, there is nothing additional you need to do.
Square eCommerce APIs: Sellers, Developers and Partners that use Square’s developer products such as Square Payment Form and the Connect V2 APIs must ensure their applications are SCA-compliant. To be compliant with SCA guidelines, developers will need to update their Square integrations according to our developer documentation.
App Marketplace Integrations: If you use Square to accept payments through a third-party eCommerce integration (such as WooCommerce, OpenCart or GoDaddy), the app provider will manage SCA compliance on your behalf and no action is required from you.
Virtual Terminal: Payments accepted through Square’s Virtual Terminal are considered merchant-initiated transactions under SCA guidelines, and are exempt from additional authentication requirements and challenge flows. If you use Virtual Terminal for payments, no action is required from you to be compliant with SCA requirements.
My customers aren't seeing 3DS2. Has Square turned it on?
As a reminder, not all transactions will require a challenge flow - it is possible that a transaction was completed through the frictionless 3DS2 flow.