What is Strong Customer Authentication?
As payment fraud has been on the rise for a number of years, Strong Customer Authentication (SCA) is part of regulation that's designed to reduce fraud and increase the security of online payments.
An extra layer of protection is added to accounts by asking the customer to confirm more than one category of authentication.
When you make payments online through your account, your bank will ask you to confirm your identity before the payment is sent. Often this will be by asking for your passcode and a form of biometric identification, such as your fingerprint.
A form of SCA is 3D Secure (3DS), which we use at Mettle to add an extra layer of security to online transactions. When you make a transaction that requires 3DS, we’ll ask you to approve the transaction in the Mettle app before the payment is processed.
It’s important to remember that you should never approve a transaction in your banking app if you’ve not made the request yourself or you don’t recognise the merchant or value of the transaction. If you’re unsure of any transactions, contact your bank.
If you're interested in learning about ways to keep your account secure and protect yourself online, we have an in-depth Fraud advice page on our website.
How does SCA work?
When an online or contactless-offline payment is made, payment providers must make sure the person making the payment is the account holder. To reduce fraud, rules have been set to outline what counts as authentication.
SCA needs two types of authentication out of three available categories for the payment to be approved.
Something the customer knows: Their password, PIN or secret code
Something the customer has: Their phone, smart watch or a token
Something the customer is: Their fingerprint, voice pattern or facial recognition
Only when the customer has provided two of these types of authentication will they be able to complete their payment.
For example, as a Mettle customer, when you choose to buy a product online, you’ll see a 3D Secure pop up asking you to open your Mettle app to approve the transaction. By using your device and signing in with your password or biometric data, we’ll know it’s you making the transaction and we can approve the payment.
The card payment provider VISA goes into more depth on the rules around authentications of SCA on their website.
When is Strong Customer Authentication required?
Strong Customer Authentication (SCA) applies to online and contactless-offline payments within the UK or Europe when both payer and payee are in the region. However, there are a number of exemptions.
Exemptions
Most exemptions to SCA are designed to reduce issues with certain types of payments and improve the payment experience for the customer.
Some of these exceptions are:
Low value transactions (often under £25)
Recurring payments of similar value and merchant
Whitelisted transactions
Direct Debits
Secured corporate payments
Transactions deemed to be low risk
The full list of exemptions and guidelines on when SCA applies can be found on the Financial Conduct Authority website.
