More and more people choose online shopping because it's convenient and time-saving.


In the era of globalization with rapid changes in technology, eCommerce is booming at an unprecedented speed.


That's why security rules are updated continuously to protect the interests of vendors and customers.


Have you ever heard of SCA?


What is SCA?


SCA stands for Strong Customer Authentication, a new regulation for European customers when authenticating online payments. This new rule is expected to make online payments more secure.


IMPORTANT. This new rule will come into effect on September 14, 2019, as part of PSD2 (the second Payment Services Directive).


After that day, if you have not changed your checkout flow accordingly, your business can be interrupted because online transactions will be declined by your customers’ banks.




READ MORE: The original SCA requirements - European Union Law


A new specification: 3D Secure 2.0


People are more familiar with 3D Secure 1.0, which redirects you to a new page to enter a code during eCommerce card transactions in order to confirm that you are the person you say you are.


In practice, 3D Secure 1.0 is not good for your customers’ shopping experience. The added security layer can annoy customers, which leads to lower conversion rates.


Alongside SCA, a new specification, 3D Secure 2.0, is introduced to simplify the collection of SCA information at the time of the transaction.


The first advantage is that it removes the clunky redirect. 3D Secure 2.0 uses certified SDKs and APIs to connect with banks and share customer data for authentication.



IMPORTANT. In April 2019, both Mastercard (Issuer Mandate, Global) and Visa (Issuer Mandate, Europe) were ready for PSD2 by being 3D Secure 2.0 compliant. 3D Secure 2.0 is projected to launch in 2020 and onward.


READ MORE: Guide to 3DS2 Authentication - Stripe


Who needs to prepare for SCA?


Obviously, if your company is located in the European Economic Area (EEA) or you serve customers in European countries, you should add this update to your must-do list. The United Kingdom is the only place where SCA enforcement is uncertain, because of the Brexit delay.


How does SCA change the checkout flow?


1. Initiate a payment: Your customers will provide their detailed information and complete the checkout form.


2. Trigger dynamic authentication: Two-factor authentication is the core factor.



In order to accept payments with SCA, you need to build additional authentication using at least 2 of 3 elements: first, something you know (password, passphrase, PIN, sequence, secret fact); second, something you own (phone number, wearable device, smart card, token, badge); third, something you are (fingerprint, facial features, voice patterns, iris format, DNA signature).


3. Complete the payment.


Basically, authentication is a step added to the payment process, right before authorization, which helps improve security for your online transactions.


READ MORE: SCA Exemptions - LinkedIn


Different business scenarios


To illustrate the impact and application of SCA, we’ve outlined how an authentication step can fit into payment flows for different business models.


1. eCommerce: One-time payment. Card not saved.


Customers are typically charged while they’re on-session and their card information is not saved for future payments. It should be easy to add authentication into this payment flow. You just need to authenticate with 3D Secure right after customers fill in their card details and place their orders.


2. Ridesharing: Payment captured within seven days of authorization. The final payment amount may change.


Ridesharing businesses and other on-demand marketplaces can authenticate with 3D Secure right after a ride is requested by customers. At that time, they’re still on-session.


If the final amount is more than the amount originally authenticated, the authentication needs to be repeated for the increased amount. If the final amount is less than the amount originally authenticated, there is no need to authenticate again.


You can also choose to authenticate and authorize for a larger amount when customers first request a ride. However, this will make your customers feel unsafe.
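

The following is an added example, not code from the original article or from any payment provider. It combines the "at least 2 of 3 elements" rule with the ridesharing re-authentication rule as a server-side check; the `Authentication` record, the factor names and the function names are hypothetical, and treating an equal final amount like a lower one is an assumption.

```python
from dataclasses import dataclass

# Factor names follow the article's three element lists; the lookup table
# itself is this example's own construction.
CATEGORY = {
    "password": "knowledge", "passphrase": "knowledge", "pin": "knowledge",
    "phone": "possession", "smart_card": "possession", "token": "possession",
    "fingerprint": "inherence", "face": "inherence", "voice": "inherence",
}

@dataclass(frozen=True)
class Authentication:
    """Hypothetical server-side record of a completed authentication."""
    factors: tuple       # factor names the customer proved
    amount_cents: int    # amount the customer saw and approved

def satisfies_sca(factors):
    """True when the factors cover at least 2 of the 3 element categories."""
    unknown = [f for f in factors if f not in CATEGORY]
    if unknown:
        raise ValueError(f"unrecognised factor(s): {unknown}")
    # Count categories, not factors: password + PIN is still one element.
    return len({CATEGORY[f] for f in factors}) >= 2

def needs_reauthentication(auth, final_amount_cents):
    """Decide at capture time whether the earlier authentication still holds."""
    if auth is None or not satisfies_sca(auth.factors):
        return True  # nothing valid to rely on
    # More than authenticated: repeat. Equal (assumed) or less: no repeat.
    return final_amount_cents > auth.amount_cents

if __name__ == "__main__":
    # Constructed sample data: a ride authenticated for 20.00.
    ride = Authentication(factors=("password", "phone"), amount_cents=2000)
    print(satisfies_sca(("password", "pin")))   # two knowledge factors
    print(needs_reauthentication(ride, 1850))   # final fare is lower
    print(needs_reauthentication(ride, 2300))   # final fare is higher
```
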


3. Crowdfunding: Payment captured more than seven days after authorization.


For crowdfunding platforms, payments are captured when a campaign ends successfully. You can authenticate with 3D Secure when a customer pledges to donate, then authorize and capture later.


4. Rental: Payment captured more than seven days after authorization. Final payment may change.


You should divide the payment into separate charges and authenticate with 3D Secure first for the estimated cost and later to cover any incidentals.


5. Memberships: Recurring payments. Fixed amount.


3D Secure authentication is required for the payment that starts the subscription. Remember that any recurring payments started before September 14 are exempt from SCA.


6. Utility Bill: Metered billing. Recurring payments.


3D Secure authentication is required when a customer saves their card to set up automatic payments. To do this, the customer would complete 3D Secure authentication outside of a transaction.




Merchants have only 4 months left to get ready for the new rule, SCA, this September. The change in the online payment sector is expected to combat cybercrime and reduce online credit card fraud, creating a more dynamic and secure environment for eCommerce.