Strong Customer Authentication (SCA) is a requirement for authenticating online payments that was introduced in connection with the EU’s revised Payment Services Directive (PSD2).
Essentially, it requires banks to request additional forms of validation, through two-factor authentication, to confirm that your customers are who they say they are.
It has been created to make online payments within Europe more secure, reducing the chances of payment fraud.
SCA will verify a customer's identity through two-factor authentication: the customer will confirm two out of the three authentication categories (Knowledge, Possession and Inherence).
This will mean that the checkout process in Billsby will be more secure for our users, and their customers.
Payments of a fixed or variable amount originating from the merchant, where the payment is made with a saved card, such as recurring payments and subscriptions, are out of the scope of SCA.
This means your customers will only need to go through the 2FA process at the point of sign up, or when they’re updating their payment card.
At the moment Billsby only supports SCA for Stripe, but we’ll be adding SCA for our other supported gateways over the coming months.
To enable SCA within Billsby head to Settings > Configuration > Payments > SCA
Before enabling SCA, please ensure that the Managing Transaction ID feature is enabled in your Stripe account. To have this turned on, please contact Stripe support. Please note that if this feature is not enabled before you continue, ALL billing will stop working, not just SCA-related billing.
To use Stripe 3DS, you must create an 'Endpoints receiving events from your account' webhook endpoint. This will be used to notify us about changes to a payment intent’s status. To create the webhook:
- Open the Webhooks page in your Stripe account.
- Click Add endpoint.
- Add the following URL in Endpoint URL: https://core.spreedly.com/stripe/webhooks
- Select events to listen to by clicking on + Select events. This will open a pop-up where you can choose the events available. You'll need to choose these three:
- Make sure you do not check the box that says Listen to events on Connected accounts.
- Click Add endpoint.
Once you’ve saved your webhook endpoint, you’ll need to provide us with the webhook_id and the webhook_signing_secret.
The webhook_id needs to be extracted from the last segment of the webhook endpoint's URL in your Stripe dashboard. The Stripe webhook id begins with we_ and continues to the end of the URL, for example we_1EYfxCAWOtgoysog3lIoCESp.
To find your Stripe Secret Key, navigate to the Developer tools menu, then go to API Keys. Your Secret Key is located under the Standard Keys section. You can read more about Stripe API keys in the Stripe documentation.
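As an added illustration (not Billsby's or Stripe's own code), the following shows the two pieces of data the steps above ask for in use: the webhook id is pulled from the last URL segment and checked for the we_ prefix, and the webhook_signing_secret is what the receiving side uses to verify Stripe's Stripe-Signature header (HMAC-SHA256 over "<timestamp>.<raw body>", with a timestamp tolerance to limit replays). The dashboard URL, secret and event body are constructed sample values.

```python
import hashlib
import hmac
import time
from urllib.parse import urlparse

# Constructed sample values; real Stripe ids and secrets have the same shape but different content.
WEBHOOK_URL = "https://dashboard.stripe.com/webhooks/we_1EYfxCAWOtgoysog3lIoCESp"
SIGNING_SECRET = "whsec_constructedExampleSecretDoNotUse"


def extract_webhook_id(url: str) -> str:
    """Return the Stripe webhook id from the last path segment of a dashboard URL.

    Stripe webhook ids start with 'we_'; anything else is rejected so a
    mis-pasted URL is caught before the id is handed to a third party.
    """
    segment = urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]
    if not segment.startswith("we_"):
        raise ValueError(f"not a Stripe webhook id: {segment!r}")
    return segment


def sign_payload(secret: str, timestamp: int, body: bytes) -> str:
    """Compute the v1 signature Stripe sends: HMAC-SHA256 over '<timestamp>.<body>'."""
    signed = f"{timestamp}.".encode() + body
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify_stripe_signature(header: str, body: bytes, secret: str,
                            now: int, tolerance: int = 300) -> bool:
    """Check a Stripe-Signature header ('t=<unix ts>,v1=<hex>[,v1=<hex>]') against the raw body.

    Several v1 values may be present while a signing secret is being rotated;
    any match is accepted. The timestamp must be within `tolerance` seconds of
    `now`, which bounds how long a captured delivery can be replayed.
    """
    timestamp = None
    candidates = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not candidates:
        return False
    if abs(now - timestamp) > tolerance:
        return False
    expected = sign_payload(secret, timestamp, body)
    # Constant-time comparison so a wrong signature does not leak how many bytes matched.
    return any(hmac.compare_digest(expected, candidate) for candidate in candidates)


if __name__ == "__main__":
    # Constructed event body; the raw bytes must be verified, not a re-serialised JSON object.
    body = b'{"id":"evt_constructed","type":"payment_intent.succeeded"}'
    ts = int(time.time())
    header = f"t={ts},v1={sign_payload(SIGNING_SECRET, ts, body)}"
    print("webhook_id:", extract_webhook_id(WEBHOOK_URL))
    print("signature valid:", verify_stripe_signature(header, body, SIGNING_SECRET, now=ts))
```

The signing secret is only useful to the party that receives the webhook, which per the endpoint URL above is Spreedly on Billsby's behalf; anyone holding it can forge payment-intent status updates, so treat it like the Secret Key and rotate it from the Stripe dashboard if it is ever exposed.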
Initiating the test transaction
After you've enabled SCA, in order to confirm that your gateway is SCA ready, we need to perform a test transaction to make sure everything is in working order.
When performing the test transaction, you’ll be asked to provide payment details so we can process a $0.50 charge through your SCA-enabled gateway. If your gateway is SCA ready, you should be automatically taken through the SCA process. Once the test transaction is complete you’ll be directed back to this screen and we’ll issue you with a refund for the transaction amount.
Once SCA has been successfully enabled, you'll want to make sure all of the currencies you trade in that require SCA authentication are assigned an SCA-enabled gateway.
You can do this at the bottom of the SCA configuration page once it has been enabled, or by navigating to Settings > Configuration > Currencies.
SCA will be required where the merchant’s payment services provider and the customer’s bank or card provider are both located in the European Economic Area (EEA). If either is located outside the EEA, the payment services provider is required to use its 'best efforts' to apply SCA - but it won’t be mandatory.
ONO payments - where only one party is based in the European Union - fall outside the scope of SCA. This includes all payments where either the merchant/acquirer or the issuer is based outside the EEA.
Payment services providers operating in the UK have been given a further six months to implement 'strong customer authentication (SCA)' standards for e-commerce transactions. A backstop deadline for compliance of 14 March 2022 now applies.
Importantly, for US-based companies, One Leg Out (ONO) transactions are not subject to SCA. So, US-based merchants selling to EU customers are exempt - for now.
As the EU's efforts have already spread to other countries, we’ll be keeping a close eye on discussions around SCA in the US. Australia, Turkey, and Mexico have already adopted, or are actively considering, SCA regimes. And should a country subject one-leg-out transactions to SCA standards, it could have knock-on effects for US merchants too.
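The scope rules above (both legs in the EEA, one leg out, merchant-initiated charges on a saved card) can be written down as a small decision function. This is an added example, not Billsby's logic: the EEA set is the 27 EU member states plus Iceland, Liechtenstein and Norway as ISO 3166-1 alpha-2 codes, and the one-leg-out case is returned as "best efforts" to capture the page's point that SCA is then not mandatory.

```python
from enum import Enum

# EEA: the 27 EU member states plus IS, LI, NO (ISO 3166-1 alpha-2).
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}


class ScaOutcome(Enum):
    REQUIRED = "required"          # both legs in the EEA, customer-initiated payment
    BEST_EFFORTS = "best_efforts"  # one leg out: PSP applies SCA on a best-efforts basis only
    OUT_OF_SCOPE = "out_of_scope"  # neither leg in the EEA, or merchant-initiated on a saved card


def classify_sca(psp_country: str, issuer_country: str,
                 merchant_initiated: bool, saved_card: bool) -> ScaOutcome:
    """Decide whether a payment falls under mandatory SCA.

    psp_country: where the merchant's payment services provider / acquirer is based.
    issuer_country: where the customer's bank or card issuer is based.
    merchant_initiated + saved_card: recurring or subscription charges the merchant
    originates against stored card details, which the page puts outside SCA.
    """
    psp_in_eea = psp_country.upper() in EEA
    issuer_in_eea = issuer_country.upper() in EEA
    if not psp_in_eea and not issuer_in_eea:
        return ScaOutcome.OUT_OF_SCOPE
    if merchant_initiated and saved_card:
        # The issuer may still step up a recurring charge; that is the failure path
        # described under "How are SCA failures handled?", not a scope question.
        return ScaOutcome.OUT_OF_SCOPE
    if psp_in_eea and issuer_in_eea:
        return ScaOutcome.REQUIRED
    return ScaOutcome.BEST_EFFORTS


if __name__ == "__main__":
    # Constructed sample payments.
    for args in [("DE", "FR", False, False),   # EU merchant, EU card, customer signing up
                 ("DE", "FR", True, True),     # monthly renewal on a stored card
                 ("US", "FR", False, False),   # US merchant selling to an EU customer
                 ("US", "CA", False, False)]:  # no EEA leg at all
        print(args, "->", classify_sca(*args).value)
```

GB is deliberately absent from the EEA set: the UK runs its own SCA regime with the 14 March 2022 backstop mentioned above, so a UK leg should be assessed under that regime rather than by this function.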
How are SCA failures handled?
Each time you make a payment request in an SCA country, we have to ask the bank to authorize the payment following Strong Customer Authentication rules.
Whilst for recurring payments, the charge will usually go through without intervention, there’s a risk that the bank will request a security check. When this happens, the customer will need to go through the SCA process manually for the payment to succeed. In the event of a security check request causing payment to fail, your customer will enter the regular declined payments dunning flow.
Unlike a declined payment, a payment failure caused by SCA is not the customer’s fault. Because of this, when a payment fails due to SCA we’ll replace the current dunning flow emails with a set of bespoke emails providing your customer with information about the payment failure.
Can SCA be removed once it has been added?
No. Once you have created an SCA-supported gateway, it cannot be removed without deleting the gateway.
Why can't I manually add payment details to a customer?
When your payment gateway is SCA enabled, you will not have the option to add payment details to customers manually, as 3DS2 authentication must be completed by the customer.
However, you will still be able to send your customer a payment details request link.