SCA – Does your payment gateway still work?

On the 14th September, SCA (Strong Customer Authentication) was installed throughout the UK.  This is part of an EU regulation for authenticating online payments.

The concept is in theory be very good one, as it helps prevent  credit card fraud.  However, some businesses have ignored email warnings from their payment gateway suppliers, many could have broken payment systems or may let through some transactions and not others.

Payment gatewayWhat should you do if you take payments online?

You could of course just test the payment gateway and see if a transaction goes through. This potentially ‘could’ work. If an error is shown then you will obviously see it. However,  you could also get a successful transaction even though other customers may have problems and not be able to complete their order.  Unfortunately every payment provider implements their gateways differently.

The first thing to do is to ask your payment gateway provider (paypal/Stripe etc) or your local web developer.  They can check your website to ensure the payment code or any associated plugins are compatible with the new SCA regulation.  If you don’t have a web agency we can always help, just get in touch.

So, what is SCA?

As part of the Second Payment Services Directive (PDS2) Europe is rolling out Strong Customer Authentication (SCA) and the UK are also following suit.

The official launch date was 14th September 2019 so the bank and payment gateways have started implementing and then the deadline was extended until 2020.  Most payment gateways and banks have made the switch anyway.

So, when you pay for items online you you would normally just enter your credit card details.  Sometimes you may have seen a 3D Secure pop up asking for further details like characters from a password.  SCA is basically an extension of this and will ask for at least two of the following to ensure the transaction is successful:

  • Something the user knows (a password)
  • Something the user owns (a mobile phone)
  • A fingerprint

So if someone has stolen your card, they can no longer place online transactions unless they have your mobile phone, and know your personal data.

There are some exceptions.  Lower value and lower risk transations for example may not be subject to this extra authentication.

Payment gateways have been planning this for quite some time and warning messages have been sent to end users, but these are easily ignored.

Don’t ignore this new regulation, contact Logic Red Web Design today to ensure your payment gateway is compliant.