Strong Customer Authentication (SCA) – eCommerce Guidance
By 14th September 2019, all eCommerce sites will be required to add an additional level of authentication when customers pay online.
Rather than simply asking for the information shown on the front and back of the card (details of which can easily be stolen, resulting in fraud), SCA adds additional security layers, making it harder for fraudsters to use a stolen card online.
SCA is authentication based on the use of two or more elements, categorised as:
- Knowledge (something only the user knows)
  - Knowledge-based challenges (memorable phrases, date of birth, mother’s maiden name etc)
  - Memorised swiping path
- Possession (something only the user possesses)
  - Of device (based on unique hardware/software ID)
  - SMS to device
  - 2FA app on device
- Inherence (something the user is)
  - Biometrics (e.g. fingerprint, FaceID)
  - May include retina and iris scanning, fingerprint scanning, vein recognition, face and hand geometry, voice recognition, keystroke dynamics, the angle at which the person holds the device and the person’s heart rate.
In some ways, this is 2 Factor Authentication for payments – since there are 2 verification methods needed to authorise the transaction.
In the current state, requiring this additional 2FA style verification for every payment would result in pop-ups, cause frustration and abandoned baskets – as we’ve seen with early roll-outs for some clients.
While authentication will now be applied by default (not just to ‘high-risk’ transactions), this ties in with 3D Secure v2.
3D Secure v2 will improve the experience:
- Support for biometric authentication (fingerprint / face ID)
  - Apple Pay should enable easy flow for mobile payments
    - This is particularly interesting: while mobile eCommerce has traditionally had lower conversion rates and a slower experience, this may switch around. If individual stores support Apple Pay, this won’t just meet the authentication requirement, it also passes shipping address details, saving time tapping through each checkout field and double-checking you haven’t made any typos.
- Possibility of frictionless authentication flow
  - The overall aim is that the customer doesn’t even realise that authentication has taken place.
  - The idea here is that payment providers, banks etc will build up a ‘digital footprint’ of each customer, understanding the exact devices commonly used, locations, times of day etc. These factors will then be silently used in the background to authenticate a transaction, without the user knowing this check even took place.
If you’re using Stripe to process payments, you’re in luck – these guys are the furthest ahead with developments and the most straightforward for enabling SCA-compliant payments.
Using Magento? Their main free Magento extension doesn’t support SCA, but on 3rd July, Stripe released a different free extension – Stripe Payments SCA Ready. Once installed, this supports SCA, enabling retailers to meet the requirements.
Using WooCommerce? You simply need to update the plugin to version 4.2.0 or newer. This was released on 29th May 2019.
They’ve been emailing merchants since earlier this year, which has triggered some clients to become aware.
Whether or not you need to make any changes depends on the type of PayPal integration you’re using:
- PayPal Hosted/Express is handled via PayPal directly, so no changes are needed.
- If self-hosted, PayPal has partnered with CardinalCommerce to offer an add-on to enable the required elements.
These guys seem to be a bit behind. On 3rd July, they emailed to say that eBizMarts are working on an updated extension to add support, but for the moment we’re still waiting – as it stands, the current eBizMarts extension has no mention of SCA support.
If you’re using Magento 2, MageNest have released an SCA-compliant payments extension for $149.
There’s also a CustomWeb extension (which works on Magento 1 or 2), with full SCA and 3D Secure v2 support. This is roughly £170.
Worldpay have released limited information on preparation and implementation, which can be found here.
The Worldpay Payments and Subscription extension for Magento 2 was last updated in February 2019, and doesn’t have any mention of SCA compliance.
Many other extensions, both free and paid, seem outdated, in some cases by as much as 3 years.
If you are concerned about how the SCA changes may affect your business, get in touch with us today and we can help guide you through the process.