SCA will affect your business

If your business is in the United Kingdom or Ireland, you should be aware of Secure Customer Authentication (SCA) which comes into full force in the UK from 14th March 2022.

Quoox customers will be aware that we have been ‘banging the SCA drum’ for 2+ years, with recent customer updates here, here and here.

Secure Customer Authentication (SCA) is a new level of security applied to credit/debit card transactions and required by law in Europe and the United Kingdom.  SCA does not yet apply to our North American customers, who need not read any further.  Similarly, Quoox customers in Ireland will now already be familiar with this process.

In a nutshell, when a customer makes a payment by card the bank may opt to request additional security information.  This typically comes in the form of a single-use PIN texted or sent to the customer via their banking app.  The customer then enters this PIN to confirm the transaction.  The PIN may only be used once and is not known in advance of the transaction being submitted.

This SCA process is being applied across all industries.  It has been enforced in Ireland since July 2021, and has been gradually rolling out in the UK since 1st June 2021.  It becomes fully enforced in the UK on 14th March 2022.

The SCA process is triggered by the banks in compliance with the law.  It is not a process created either by Stripe or Quoox, and all providers must comply with the process – otherwise payments will simply be declined.

The Process

When a card payment is submitted Stripe will contact the customer’s bank.  The customer’s bank will decide whether they wish SCA to be applied to the transaction, based upon their algorithms.  It is likely that most customers will be asked at least once, and that those who have previously reported fraud on their accounts will be asked more often (possibly every time).  It is also expected that SCA will be applied every time a new card is added to the Quoox system, so as to verify the identify of the owner.

Quoox customers in Ireland have been living with SCA for over 6-months, and some UK transactions have also seen SCA applied as part of the gradual rollout process.  From 14th March 2022, this will become commonplace and customers will be faced with the SCA process on a regular basis.

When adding a card
When adding a card to Quoox, there will be a high likelihood that you will be asked for additional information from the customer.  This will likely be a PIN number that they will be texted or provided via their banking app.   They will not know this in advance, and it can only be used once.  The customer must advise you of this authentication code, otherwise you will not be able to proceed adding the card.

Because of these additional steps, adding a card is only supported via the Quoox admin portal and your FitnessHub member site. It will cease to be possible to add a new card in the mobile app as it cannot support the validation processes (which vary by bank).

When taking an immediate payment
When taking an immediate payment by card in Quoox (E.g., via the store or when adding a new membership that triggers a payment), you may be asked for SCA information.  As above, this will likely be a PIN number that they will be texted or provided via their banking app.  The member will not know this in advance, and it can only be used once.  The member must advise you of this authentication code, otherwise the payment will not complete.

Membership payments
Recurring membership payments happen without the member being present.  Because of this, there is a different workflow for this situation – and it is that outlined and as required by the SCA process.

When Quoox registers a member’s card, it does so with “offline intent” flagged.  This indicates to the bank that it is expected that the card will be used with the cardholder not present.  This will, when a pattern of reliability has been established, reduce the number of SCA requests applied to the card.  Quoox has pre-emptively registered all cards on this basis since January 2020.

If a membership payment is flagged for SCA, an email will be sent to the member by Quoox.  This will include a link that they should click to login and provide their SCA approval code.  The membership payment will then complete.  If they do not complete the process, then payment cannot be taken.

Important notes

  • It is important that members can reliably receive emails from Quoox.  It remains a general recommendation that members are encouraged to add your facility Quoox email address to their email contacts list, as this helps reduce emails being routed to ‘spam’ or ‘newsletter’ folders.
  • It would be beneficial to advise customers of the SCA process in advance, so they know it’s coming, and will know that the Quoox email is legitimate (I.e., not a scam).  Unfortunately there will likely be lots of scam emails going around during this period, as scammers will be taking advantage of customer confusion over this process.

The impact and alternatives

Reviewing statistics for our Irish customers, SCA seems to impact (on average) roughly 20% of transactions per month.  Those members who provide the SCA authentication information appear to then not be asked again for some time, although a few appear to be asked to provide it every time.  These people have possibly suffered previous fraud, or are deemed ‘high risk’ for some other reason.

As is routine in our industry, the majority of payment declines remain because of “insufficient funds”.

An alternative to card payments in the UK is Direct Debit.  Quoox has always supported Direct Debits for all customers via GoCardless.  Direct Debits are not subject to the SCA process.  Often they also come with lower transaction fees.

With over a month until SCA comes into full effect in the UK, there is still time for Quoox customers to have their member’s setup Direct Debit mandates in their FitnessHub site.  All memberships set for payment by card will automatically use the Direct Debit method first if a valid mandate is found on the member’s record at the time of transaction.

Don't panic

Whilst the SCA process is likely to be a little bit tedious (certainly to start with), it is something that will become accepted as ‘the norm’ and is not anything anyone; any bank; or any software provider can circumvent.  It is a legal security requirement that applies to all industries for card transactions.

Quoox customers and members in Ireland have done a great job to adapt to the processes, and there is no reason to expect that it will be any different in the UK. Increased success will come from good communication with your members, and advising them of the process in advance.  Many companies will be contacting their customers similarly over the coming weeks, and it is likely that SCA will be covered on the news networks also.

Payment Declines and Sleeping Members

Most facilities have at least a few ‘sleeping members’.  Now is the time to be aware that SCA will likely ‘remind’ dormant members that they are paying a regular subscription, and will provide them a simple method for declining transactions.

It remains the case that any customer has the right to decline a payment, even if they owe that money.  The legal position is (roughly) that recourse is through a legal claims process, and that money may not be taken against the customers consent.  This is nothing new, but is often a surprise to many suppliers.  SCA doesn’t negate contractual obligations, but no supplier should take a payment without the customer’s permission.

If your facility has ‘sleeping members’, it may be prudent to consider trying to coax these members back into the fold, or to factor-in that a percentage may decline payments when presented with SCA.

Quoox is not in a position to provide any legal guidance, and a qualified legal professional (such as a solicitor) should be consulted for detail and clarity of rules and options.

Fully rolled-out from 14th March

Whilst SCA is a European initiative, all indication remains that the UK will continue full rollout on 14th March 2022 as planned.  Gradual rollout has continued, so there is currently no reason to believe the process will be halted.

At the time of writing this article, there is 1½ months until full rollout.  This gives plenty of time for communicating with members and, if you wish, encouraging a greater use of Direct Debits.

For absolute clarity, this process applies across the UK and all industries.  It is not something over which Quoox, Stripe, or the banks have any control.  Quoox has presently been setup to follow the documented SCA processes and rules.  As outlined above, this has been in operation in Ireland since mid-2021 and the workflow has been working as designed.