SCA 101: What you need to know about this European regulation
Do you use FormAssembly to process payments in Europe? If so, you’ve likely already heard of Strong Customer Authentication (SCA). As you prepare your business and payment processes for SCA enforcement, we want to provide you with all the information you need about FormAssembly’s role in SCA and what you can do to comply with SCA requirements.
When does SCA go into effect?
While September 14, 2019 marked the official introduction of this regulatory requirement, the European Banking Authority announced in June of 2019 that national regulators for the various countries impacted can opt to delay enforcement. Many countries have chosen postponement until as late as March 2021, though Sweden, for one, will be enforcing the September 14 deadline.
Explaining SCA, PSD2, and 3DS2
SCA (Strong Customer Authentication) is a new requirement that’s part of Europe’s PSD2 (second Payment Services Directive). The requirements apply to both EU (European Union) and EEA (European Economic Area) member states.
SCA applies to “customer-initiated” digital payments made in Europe, where the cardholder’s bank and the business requesting the payment are in the EEA. Many financial institutions in the U.K. already adhere to SCA and will likely continue to do so, regardless of how Brexit pans out.
In accordance with these new regulations, banks must start requiring additional authentication steps for applicable payments in the form of two of the three following elements: something the customer knows, has, or is. As a business, you may need to add authentication steps to your payment processes to be in compliance with SCA requirements.
To meet the authentication requirements and comply with SCA, you will also need to ensure that your payment methods allow for 3D Secure 2 (3DS2). This is an updated, more user-friendly version of the previous 3D Secure protocol, which enables a post-checkout step in a payment process that asks for additional authentication information.
How FormAssembly helps you with compliance
While FormAssembly itself is not required to do anything to comply with the PSD2 or SCA, we support several payment connectors for our forms and understand that many of our users are concerned with SCA requirements.
We want to help you navigate which payment connectors are compliant and make you aware of upcoming changes we will be making to our payment connectors, so that, combined with information from individual payment processors, you can make the best choices for your organization.
If you know that you need to comply with SCA or if you are concerned about it, you may want to offer PayPal as a payment connector route on your forms. Currently, PayPal is the only payment connector we support that is fully compliant. SCA updates for other payment connectors (e.g. Stripe, CyberSource) are also in the works, but as yet, we have no set deadline for them. We will update this blog with new developments.
Authorize.Net does not have plans to be compliant, but through our communication with them we have learned that EU Authorize.Net users will be migrated to CyberSource instead. Similarly, we have confirmed with iATS and Chargent that they have no immediate plans to be compliant.
As evidenced by the many groundbreaking data privacy and security regulations in the EU, U.S. and elsewhere, the need for compliant, secure data processing solutions will only grow, and we urge you to join us in letting these non-compliant payment processors know if their compliance is important to you.
Note: If your organization is not required to comply with SCA or PSD2 requirements, namely, if you do not process payments from European residents, you can continue to use our payment connectors as usual.
Get your SCA questions answered
While some questions may be better answered by individual payment processing solutions, we welcome you to submit any questions you have about your FormAssembly forms that accept payments to our support team. As always, we remain dedicated to helping you navigate the evolving landscape of data security and privacy and maintain compliance with even the strictest regulations.