Last weekend, on the 14th September, Strong Customer Authentication (SCA) was rolled out across the UK. This is part of an EU regulation for authenticating online payments.
The concept is a good one, as it helps prevent debit and credit card fraud. But if businesses have ignored the email warnings from their payment providers, many could have found broken payment systems this morning, and worse, some may be letting through some transactions and not others, depending on how their integration handles the new authentication step.
So what should you do if you take online card payments?
Firstly, many people assume an easy test they can do without involving their web developer is to put a real order through the system as a customer. This can help: if you get an error, things are definitely not working. But you could also get a successful transaction, because of the specifics of your order (a low-value one that is exempt from the checks, for example), while other customers still hit problems. A real order gives you an indication, but not certainty, and not with every gateway, because every payment provider implements the checks differently.
So what should you do? Ask your payment gateway or your web developers. They can either check the gateway version you are running, or they will have a test mode they can activate, with special card details that deliberately trigger the authentication checks.
So, what is SCA?
Well, as part of the Second Payment Services Directive (PSD2), Europe is rolling out Strong Customer Authentication (SCA), and the UK is following.
The launch date for this was 14th September 2019, so banks and payment gateways set the wheels in motion. The deadline was then extended into 2020, but it seems the majority of banks and payment gateways have made the switch anyway.
When you pay for goods or services, you sometimes just enter your card details, but often you get a 3D Secure pop-up asking for further details, such as characters from a password. SCA is essentially an extension of this: it requires at least two of the following three independent factors:
- Something the user possesses, such as a mobile phone.
- Something the user knows, such as a password.
- Something the user is, such as a fingerprint.
This means that if a fraudster has your credit card details, they can't easily place online transactions unless they also have, for example, your mobile phone, or know your password. Fraudulent transactions should therefore be vastly reduced.
There are exemptions, for example low-value transactions (under €30 is the suggested threshold), low-risk transactions, and recurring payments, but consumers will see the checks pretty much across the board.
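The two points above, that a single real order is not a reliable test and that an un-updated integration may pass some orders and not others, come down to how the merchant's code reacts when the gateway asks for authentication instead of approving. The following is an added example written for this page, not code from Webbed Feet or from any payment provider. `ToyGateway` is a constructed stand-in (it is not any real gateway's API) that applies just the low-value exemption under €30 and otherwise soft-declines with an "authentication_required" response until a completed challenge result is sent back; the three checkout functions are hypothetical merchant integrations.

```python
"""Constructed demonstration of why one real order is not a reliable SCA test.

ToyGateway is made up for this example, not any provider's API. It applies two
of the rules described above: transactions under EUR 30 use the low-value
exemption and are approved outright; anything else is soft-declined with
"authentication_required" until the merchant sends back a completed challenge
result (standing in for the customer completing 3D Secure).
"""
from dataclasses import dataclass
from typing import Optional

LOW_VALUE_EXEMPTION_EUR = 30.00   # threshold quoted in the post
TEST_CARD = "test-card-token"     # placeholder token, not a card number


@dataclass
class AuthResponse:
    status: str                       # "approved" | "declined" | "authentication_required"
    challenge_id: Optional[str] = None


class ToyGateway:
    """Hypothetical gateway with SCA switched on (assumption: not a real API)."""

    def __init__(self) -> None:
        self._open_challenges = set()
        self.approved_amounts = []    # what the gateway actually authorised

    def authorise(self, amount_eur: float, card: str,
                  auth_result: Optional[dict] = None) -> AuthResponse:
        if amount_eur < LOW_VALUE_EXEMPTION_EUR:          # low-value exemption
            self.approved_amounts.append(amount_eur)
            return AuthResponse("approved")
        if auth_result is None:                             # SCA needed: soft decline
            cid = f"chal-{len(self._open_challenges) + 1}"
            self._open_challenges.add(cid)
            return AuthResponse("authentication_required", cid)
        if (auth_result.get("challenge_id") in self._open_challenges
                and auth_result.get("verified")):
            self._open_challenges.discard(auth_result["challenge_id"])
            self.approved_amounts.append(amount_eur)
            return AuthResponse("approved")
        return AuthResponse("declined")


# Three merchant-side integrations. Each returns a pair:
# (merchant marked the order as paid, gateway really approved it).

def legacy_checkout_strict(gw, amount, card):
    """Pre-SCA code: anything other than 'approved' is treated as a failure."""
    r = gw.authorise(amount, card)
    paid = r.status == "approved"
    return paid, amount in gw.approved_amounts


def legacy_checkout_loose(gw, amount, card):
    """Pre-SCA code with the dangerous check: 'not declined' taken as paid."""
    r = gw.authorise(amount, card)
    paid = r.status != "declined"
    return paid, amount in gw.approved_amounts


def sca_checkout(gw, amount, card, complete_challenge):
    """Updated code: completes the challenge round-trip before marking paid."""
    r = gw.authorise(amount, card)
    if r.status == "authentication_required":
        r = gw.authorise(amount, card, auth_result=complete_challenge(r.challenge_id))
    paid = r.status == "approved"
    return paid, amount in gw.approved_amounts


def customer_passes_challenge(challenge_id: str) -> dict:
    """Stand-in for the customer successfully completing 3D Secure."""
    return {"challenge_id": challenge_id, "verified": True}


def compare_integrations(amounts=(9.99, 49.99)):
    """Same card through all three integrations, one exempt and one non-exempt amount."""
    results = {}
    for amount in amounts:
        results[amount] = {
            "legacy_strict": legacy_checkout_strict(ToyGateway(), amount, TEST_CARD),
            "legacy_loose": legacy_checkout_loose(ToyGateway(), amount, TEST_CARD),
            "sca_aware": sca_checkout(ToyGateway(), amount, TEST_CARD, customer_passes_challenge),
        }
    return results


if __name__ == "__main__":
    for amount, outcome in compare_integrations().items():
        print(f"EUR {amount:.2f}: {outcome}")
```

The €9.99 order succeeds in all three integrations because it is exempt, which is exactly why one successful real purchase proves little. At €49.99 the strict legacy code fails every order, and the loose legacy code is worse still: it marks the order paid even though the gateway never approved it. Only the provider's test mode, with details that force the challenge, exercises that path deliberately.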
Payment gateways have been planning this for a while, as it is a major task, and should have been sending warnings to merchants, but in our experience many of these have been ignored.
Some solutions will just work, as the payment providers have done the hard work themselves; others may require manual adjustments from your web agency; and those built on open source systems may need a plugin update.
It seems that the payment gateways have used this as a good excuse to discontinue older versions of their software, so some sites may need a full upgrade.
And from now on, as a consumer expect to have more stringent checks and better security.
We are Webbed Feet, we fix broken payment gateways.