Strong Customer Authentication (SCA), a rule in effect as of September 14, 2019, as part of PSD2 regulation in Europe, requires changes to how your European customers authenticate online payments. Card payments require a different user experience, namely 3D Secure, in order to meet SCA requirements. Transactions that don’t follow the new authentication guidelines may be declined by your customers’ banks.
Strong Customer Authentication brings about important changes to credit/debit card processing for companies in Europe, including the UK (regardless of Brexit). The rules were originally slated to take effect several months ago, but were delayed due to implementation problems. For several European countries, the enforcement of SCA started on 1st January 2021.
Whilst SCA is not scheduled to start gradual rollout in the UK until July 2021, we have this morning had one client experience the effects of SCA on two different bank transactions. It therefore appears that either it has accidentally rolled out through some banks (maybe just to some transactions), or perhaps there is an IT glitch with the rollout. Nevertheless, as a result, we want to bring you up to speed with what this means for you…
The good news
Since its first release, Quoox has been “SCA ready”. We worked with Stripe to ensure that we used their SCA ready processes, and they verified to us that our implementation meets SCA requirements.
This means that, without knowing, all of our customers have already been following SCA processes when adding cards and taking payments.
When you add a card to Quoox, we request “offline authorisation”. This means that, in theory, when we attempt to charge the card without the cardholder present (e.g. for memberships) the bank should grant us authorisation without the need for additional SCA security.
However, this is granted based upon the bank performing risk analysis of the customer (you) and the payer (your member). Therefore, in some circumstances, an offline payment might be declined pending further authorisation. This risk analysis is done by Visa, Mastercard, AMEX, etc., not by Stripe and certainly not by Quoox.
How does SCA manifest itself?
You and your members may see SCA crop up in several places.
When you add a card to Quoox, there will be an increasing likelihood over the coming months that you will be asked to provide additional information known only to the cardholder. For some banks, and certainly initially, this might be something as simple as a few characters from a password. Quite soon it will move to either a code texted to the member’s registered mobile device, or the member being asked to perform a function in their banking app to generate the response code.
The cardholder will not know this code in advance, so you will need to be able to communicate with them at the time the card is added. Of course, if they add the card themselves through FitnessHub they can complete the process themselves.
Additionally, on some payments you might be asked to provide the information. This could be anything from credit purchases to store payments. If the card has already been validated, Quoox requesting offline payment will minimise these occurrences.
The most tedious manifestation of SCA will be if a bank deems that a “cardholder not present” transaction (such as a membership payment) requires additional authentication. There is a documented process to handle this, which Quoox implements on your behalf:
- An automated email is sent to the member advising them that a payment requires additional validation. They will be given the payment details and a link. This email can be administered in your System Templates, and has always been present.
- The member follows the link, which takes them to your FitnessHub.
- For security, the member is required to log into FitnessHub to verify their identity.
- The member will review the payment, and click an “Authorise Payment” button.
- The cardholder’s bank will ask for additional validation information and, once approved, the transaction will be authorised.
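As an added illustration of the documented process above (not Quoox’s or Stripe’s own code): a merchant-side handler that takes the Stripe PaymentIntent webhook event for an off-session membership charge and decides whether to record the payment, send the member the validation email, or mark the payment failed. It assumes Stripe’s event shape, in which a bank demanding SCA fails the off-session attempt with `last_payment_error.code == "authentication_required"`; the FitnessHub URL and the sample events are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

FITNESSHUB_BASE = "https://fitnesshub.example"  # placeholder, not a real URL

@dataclass
class Decision:
    action: str                 # "record_paid", "email_member" or "mark_failed"
    payment_intent: str
    member_id: Optional[str] = None
    link: Optional[str] = None

def handle_payment_event(event: dict) -> Decision:
    """Map a Stripe PaymentIntent webhook event to the merchant's next step."""
    intent = event["data"]["object"]
    pi_id = intent["id"]
    member = intent.get("metadata", {}).get("member_id")
    if event["type"] == "payment_intent.succeeded":
        return Decision("record_paid", pi_id, member)
    if event["type"] != "payment_intent.payment_failed":
        raise ValueError(f"unhandled event type {event['type']}")
    err = intent.get("last_payment_error") or {}
    if err.get("code") == "authentication_required":
        # The bank has refused the off-session charge pending SCA. Do not keep
        # retrying it; send the member a link to complete authentication.
        # The link carries only the PaymentIntent id, not a secret: FitnessHub
        # still requires the member to log in before "Authorise Payment" is shown.
        link = f"{FITNESSHUB_BASE}/payments/{pi_id}/authorise"
        return Decision("email_member", pi_id, member, link)
    # Any other decline (insufficient funds, lost card, ...) is a plain failure.
    return Decision("mark_failed", pi_id, member)

def _event(kind: str, pi_id: str, error: Optional[dict]) -> dict:
    """Build a constructed (not real) Stripe-shaped event for demonstration."""
    obj = {"id": pi_id, "amount": 4500, "currency": "gbp",
           "metadata": {"member_id": "member-42"}, "last_payment_error": error}
    return {"type": kind, "data": {"object": obj}}

SCA_EVENT = _event("payment_intent.payment_failed", "pi_EXAMPLE_sca",
                   {"code": "authentication_required"})
DECLINE_EVENT = _event("payment_intent.payment_failed", "pi_EXAMPLE_decl",
                       {"code": "card_declined", "decline_code": "insufficient_funds"})
PAID_EVENT = _event("payment_intent.succeeded", "pi_EXAMPLE_ok", None)

if __name__ == "__main__":
    for ev in (SCA_EVENT, DECLINE_EVENT, PAID_EVENT):
        print(handle_payment_event(ev))
```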
There are some circumstances in which a transaction will be exempt from SCA. These are documented here.
Quoox automatically requests that an exemption be applied, but the decision as to whether it is applied lies with the authorising bank. Exemptions might not be honoured if, for example, the cardholder has previously received refunds to their card from you.
Whose “genius” idea was this?
We have the European Parliament to thank for these additional hurdles to everyday business. The idea is that it would be more secure for the cardholder, but in practice it comes down more to the liabilities being placed on European banks by the European Parliament, and the banks’ attempts to mitigate their risks.
This is not something being put in place by Quoox or by Stripe. All merchant service providers are beholden to the same laws, and Quoox is implementing the recommended processes for handling the obligations.
What we’re presently uncertain of is why a few transactions have fallen prematurely into SCA compliance. These requests are originating from the bank, not from Quoox or Stripe, but might be in error, given that the UK is not due to start rollout until July 2021.
The current guidance we have is that Brexit will not stop these processes from rollout. Had this affected fishermen, it might have got more of a look-in to Brexit negotiations.
The Direct Debit alternative
Don’t forget that you always have Direct Debits as another option for membership payments. It’s really easy for members to set up a mandate via your FitnessHub, by simply selecting “Add a Direct Debit Mandate” from the “My Account” menu.
If a member has a DD recorded on their record, this will always be used in preference to the payment cards (even if “pay by card” was selected when adding the membership).