This article presently applies to Quoox customers in the UK and Ireland only
Over the last few months we have all been receiving messages from our banks telling us to make sure we have their apps installed and up to date, and that we have our contact details and mobile numbers correctly registered. This is all part of SCA (Strong Customer Authentication) and is something that will impact every business that takes card payments.
SCA has been in the pipeline for some time, and has been pushed back repeatedly. However, it now appears that it is starting to roll out – firstly in Ireland and then across the UK.
What is Strong Customer Authentication?
In a nutshell, Strong Customer Authentication (SCA) is an additional layer of payment security that banks will be legally obliged to add into credit and debit card payments. Whereas, presently, the items required to make a payment are the card number, name, expiry date, CVV code and, sometimes, the address, going forward the address will always be required, plus an additional piece of information that even the customer doesn’t know until the point they attempt payment.
SCA is very much like 2-factor authentication, where a code is generated (or provided) that you then enter to confirm your transaction. Some banks will generate these through their apps. Others will send the customer a code by text.
What is the impact?
The impact is potentially huge, and the process will add a further step into card handling procedures. The biggest potential impact for Quoox customers is in the processing of recurring membership payments by card.
Can this be minimised?
SCA provides an optional process for recording a card for “offline” use. This is a “flag” set against the card when it is recorded and validated, and it essentially requests that the cardholder bank suppress additional authentication for the card. Quoox has been setting this flag against all cards from the day the product launched.
The important thing here is that this is a request. The cardholder bank is under no obligation to honour it, and there are several factors that will impact whether they do. These include the history of fraud on the cardholder’s account, and your standing as a business. If you have a high ratio of refunds, this may also play a part in the bank’s decision to require validation.
The decision to require validation is determined automatically by a bank algorithm, and there is no human involvement in the decision-making process.
How will this manifest itself?
You will start to see SCA in several places.
Firstly, when you (or a member) add a card into Quoox, it is likely that you will be asked to provide the additional validation information. This needs to be provided at the time, and thus the cardholder will need to provide you with this information. To do this, they will require access to their mobile phone and their bank’s validation process.
Secondly, for ad hoc charges you may find that you are sometimes asked to provide the validation code for the transaction. It is expected that the banks might skip this for smaller transactions, but this shouldn’t be assumed to be an absolute rule as other factors will also determine whether the bank requests additional validation.
Thirdly, and the most inconvenient, is in the handling of the recurring membership payments. For these, the cardholder is “not present”, and thus any request for additional validation cannot be fulfilled immediately.
What is the process for recurring membership validation?
Membership payments happen in the background, and overnight. The member is not present when these are processed. Quoox has therefore implemented the recommended process for handling cases where the bank requires additional validation for a membership payment.
If Quoox receives the notification that a membership payment has been temporarily declined “pending verification”, the member will be sent an automated email advising them that they need to take additional steps to verify their payment. A link will be provided in the email which the member will click. They will be taken to FitnessHub, and the details of the payment to be taken will be displayed.
The member will be able to enter their validation code, which they will receive from their bank by SMS or via the bank app, and Quoox shall re-submit the payment for authentication along with the validation code. At this point, provided there are available funds etc., the payment should then clear.
How many memberships will need validating?
It is presently impossible to know what percentage of the “offline” payment requests the bank will honour, and how many they will pass for validation. Where we have seen this start to roll out in Ireland, most requests appear to be honoured, but there are a handful passed for validation.
I don’t want SCA, how do I stop it?
You can’t. SCA is a legally mandated process that the banks are obligated to implement. In turn, the merchant banks (in our case, Stripe) and the transaction instigator (Quoox) also have to honour the process, otherwise payments are simply declined.
SCA has been delayed several times as it has such significant implications and brings many inconveniences, but it does now appear to be moving forward. This also appears to still be the case for the UK, regardless of Brexit.
What alternatives are there?
Direct Debits are an alternative method for members to pay their memberships, and Quoox integrates with GoCardless. It is an incredibly simple process for members to set up their DDs via FitnessHub, or for the facility to set them up for them.
If a member has a DD set up, this will be used in preference to the card on file.
At this stage, and not knowing what the “real world” impact of SCA will be, Quoox suggests that its customers strongly consider encouraging their members to implement Direct Debits for their membership payments. Direct Debits are presently not subject to the SCA processes, which relate to card payments only.
For avoidance of doubt
For absolute clarity, these processes are not something that either Quoox or Stripe (our card handling partner) have any control over. They are a legal requirement and the processes are triggered by the cardholder bank. Quoox and Stripe simply implement the associated processes which, if ignored, simply result in the card being declined.
Since its launch, Quoox has taken every step available to mitigate and minimise the impact of SCA, but we are expecting a percentage of membership payments to be sent for additional validation. What percentage this will be is yet to be seen, but completion of the payment can only be achieved by the member providing additional validation information.
SCA is rolling out across all industries, and any and all software that takes card payments will be affected.
As and when Quoox learns more about the implementation and experiences of SCA, we will provide further updates.
In the meantime, we reiterate our suggestion that facilities consider adopting Direct Debits as the primary method for their membership collection.