News

What is SCA and what do you need to do about it?

What is SCA?

Starting from September 14th, there’s a new regulation coming into effect for European customers which will impact online sales – Strong Customer Authentication (SCA), part of the new PSD2 regulations. It means that for every individual payment the customer makes, they may have to go through two-step authentication to confirm to their bank that they’re the cardholder.

This is intended to reduce fraud by acting similarly to two-factor authentication.

We’re in an era of new legislation being created that affects online sales, especially in Europe. Just like the GDPR changes in May of last year, for which we released the most comprehensive range of tools well ahead of time and ahead of most other platforms, you can rest assured that we’re also ahead of this.

SCA is going to be implemented slowly by EU banks – the majority of EU countries have already announced a phased rollout of these rules over the next 18+ months, and nobody expects a sudden, overnight change on the 14th.

However, your cart provider has to update their checkout process to support this new authentication step. You might have heard of the technology used – it’s called 3D Secure (3DS), and it’s an extra layer of security that customers have to enter during checkout to authenticate themselves.

If your cart doesn’t explicitly work with these new regulations, EU banks may start automatically declining charges that haven’t had this authentication step, potentially costing you thousands of dollars.

Who is affected?

Businesses and vendors located inside the EU, and selling to EU customers, will be affected by SCA and their customer’s banks will – over the next few months – start requiring this authentication step.

If you’re outside of the EU, even if your customers are in the EU, you are not directly affected by SCA, however, you may experience slightly elevated decline rates from European customers.

How is ThriveCart handling this?

We have been working with processors for several months now and engineering a solution to mean that you won’t lose any revenue.

At present, even so close to the originally planned rollout date, we’re in a unique situation where even the card networks such as Visa don’t know (or can’t tell people) exactly how much of an impact they expect this to have on customers.

The good news is, not only does ThriveCart automatically update your checkout flows to enable 3D Secure when necessary, we’re also working on advancements to improve this user experience based on how the processors feel this legislation will end up. Customers and vendors not affected won’t see any changes, and for those who are, it will be as seamless as possible.

Read below to find out how regardless of platform they use, vendors using Authorize.net to sell online will be affected.

What will my customers see?

Any customer for which 3D Secure is required will enter their card details as normal. When they click your ‘buy’ button, they’ll see a popup from their bank which will explain how they can confirm this payment – this might be by getting a text message to their phone, or generating a code from their banking app. Once they’ve done that, they will carry on through your funnel as normal.

In some cases, they may have to do this for each additional payment after the first one.

If they’re on a subscription, most payments which are the same amount each month will be exempt, however, some banks may decide to request that the customer re-authorises the payment in the middle of a subscription. If this happens, we’ll automatically email the customer to let them know, and they’ll click a link in their email and simply re-authorise the payment in just a few clicks.

(Note that subscriptions taken out before September 14th aren’t impacted and existing customers won’t have to do this!)

Does SCA affect my business?

What do I need to do?

If you’re using Stripe, the great news is, ThriveCart handles this automatically for you and you do not need to make any changes.

If you’re using PayPal, SCA does not apply, so there is nothing to do.

Unfortunately Authorize.net have decided not to implement this, even though it will cause a negative impact for their users. Despite working with them for months on this, we haven’t been able to get them to reverse their stance. Click here to read our blog post specifically about Authorize.net and what we recommend.

ThriveCart has you covered, for this and any future regulatory changes which affect your bottom line.