SCA: Authentication v Authorisation

Published 28/09/2020

Strong Customer Authentication (SCA) is an EU mandate, introduced under the second Payment Services Directive (PSD2), for electronic payments made in the European Economic Area (EEA). It was introduced to protect customers from fraud and to make the payment process safer and more secure.

While SCA has been in effect since 14 September 2019, the UK deadline for full enforcement has been extended to 14 September 2021. If you are concerned that your business is not yet compliant with the mandate, don't worry: you still have time to act.

The UK extension was granted to support merchants affected by Covid-19, so you have more time to update your online transaction process. If your customers pay with cards issued in the EU, however, you will need to act much sooner to meet the 31 December 2020 deadline that applies there.

3D Secure authentication follows one of two flows: the challenge flow, in which the cardholder performs SCA, and the frictionless flow, in which the issuer authenticates on risk data alone. Authorisation comes after authentication, immediately before the transaction is completed.

Authentication: Is the process of determining whether the customer is indeed the person they say they are. This can be determined in a number of ways.

Authorisation: This is the request made to the card issuer to approve the transaction after the 3D Secure checks have been completed. If there are sufficient funds in the customer’s account and all personal details have been verified successfully, the transaction will be approved.

During the eCommerce transaction process, a customer’s identity must be validated in order for the payment to be confirmed. One of the world’s most commonly used authentication solutions, 3D Secure, helps facilitate the exchange of data between the customer, the merchant and financial institutions.

For further transaction security, both 3DS version 1 and version 2 now carry improved protocols for easier, more secure checkouts. With 3D Secure 2.0, merchants can expect a higher proportion of frictionless transactions, without challenging the customer unnecessarily or declining the transaction.

What is Authentication?

3D Secure authentication is the process of proving that the customer is who they say they are. It is an important step in preventing fraudulent transactions, and it can be achieved using a number of different factors.

These can include the device the customer is using, their IP address, their time zone, email address, phone number and many more different pieces of information that the card issuer has regarding the cardholder.

If this information matches what the issuer holds, the card issuer will typically treat the transaction as low risk and authenticate it without challenging the cardholder. This is known as frictionless authentication or risk-based authentication.

If the information does not match, the card issuer will treat the transaction as high risk and require the cardholder to perform SCA. This is known as challenge authentication: the customer is redirected to the card issuer's challenge page to complete SCA through two-factor authentication (2FA).

For 2FA the cardholder must present two factors drawn from two different categories out of three: Knowledge, Possession and Inherence. The factors must be independent, so that compromising one does not compromise the other; this is the core requirement of any multi-factor authentication process.

Knowledge -

Something only the cardholder knows. It is one of the more commonly used methods of determining a person's identity. Knowledge factors come directly from the customer themselves, such as PIN codes, passwords and answers to secret questions. Note that details printed on the card itself (card number, expiry date, security code) do not count as a knowledge factor, since anyone holding the card can read them.

Possession -

Something only the customer has. The possession factor is another form of authentication. It takes the form of something the user physically holds, most commonly a hardware device such as a mobile phone or a keycard, with proof of possession typically given by a one-time code delivered to, or generated on, that device.

Inherence -

Something only the customer is. This factor is based on the cardholder’s physical and behavioural biometrics. The inherence factor is essentially what makes you, you. This is a more physical form of evidence and refers to your facial features, fingerprint, voice or even a scan of your iris.

Originally launched by Visa, 3D Secure authentication (3D Secure, or 3DS) is used as an extra layer of security when taking card payments online. In recent years there has been an increase in fraudulent eCommerce payments, mainly due to low uptake of 3D Secure and to the weakness of the static passwords used by 3D Secure version 1 (3DSv1). Cardholders were also susceptible to phishing attacks that gave fraudsters access to sensitive card data.

With the introduction of the new EU security requirements, both the updated 3D Secure version 1 and the new version 2 are expected to be used by merchants to become compliant with the legislation. While 3DSv1 relied on challenge authentication, 3DSv2 supports frictionless authentication and low-friction challenges alongside two-factor authentication, so that the customer experience is improved while the transaction remains secure.

The previous issue with challenge authentication was that customers would be required to enter static passwords that would often be forgotten. Additionally, under 3D Secure Version 1, every 3DS authentication is a challenge from the merchant’s perspective.

Nowadays, with 3DS Version 2 frictionless authentication, the merchant no longer has to redirect the cardholder to the card issuer’s challenge page for every 3DS authentication request. In most situations, the card issuer will have enough data on the cardholder to complete the transaction without having to refer them back to their site for the two-factor authentication.

With authentication effectively occurring behind the scenes, the customer experiences a quicker and smoother transaction. There may, however, be instances when the issuer is not confident enough to approve the transaction on risk data alone, in which case the cardholder may be given a soft challenge, such as a one-time password sent to their phone.

What is Authorisation?

In the online payment journey, authentication is only the first part of the process. Once the payer (the cardholder) has been authenticated, the payment to the merchant must still be authorised.

The initial authorisation request is made when the merchant asks the card issuer to approve the transaction after the security checks are complete. The card issuer then checks that the details the merchant received from the customer are correct. These include the billing address, postcode and security code (the AVS and CV2 checks), along with the 3D Secure authentication result.

Provided that all of this information is correct and the cardholder has sufficient funds, the card issuer approves the transaction. The amount is then deducted from the cardholder's available funds and set aside so that the cardholder cannot spend it elsewhere; it shows as a pending transaction in the cardholder's bank account.

Merchants do not receive this amount yet; that happens once settlement is requested. Settlement asks the card issuer to release the approved funds to your acquirer, who in turn settles them to your bank account.

If the customer does not have sufficient funds, the payment is declined and the transaction process stops.
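The sequence described in the two sections above (risk-based frictionless authentication versus a challenge requiring two independent factor categories, followed by authorisation that holds funds and settlement that releases them) is easier to reason about as code. The following is an added, self-contained Python model written for this article; it is not Sage Pay's code and not the 3DS or card-scheme protocol. Every name (Issuer, Cardholder, the factor table, the device profile) is a constructed stand-in, the balances are in pence, and the OTP is returned from send_otp() only so the example can run offline where a real issuer would deliver it out of band.

```python
"""Toy model of 3D Secure 2 authentication, then authorisation and settlement.
Constructed example: profiles, device data, balances and factor names are made up."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# SCA factor categories. A challenge needs two factors from DIFFERENT categories;
# details printed on the card carry no category at all (anyone holding the card can read them).
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "otp_device": "possession",   # one-time code delivered to the registered phone
    "fingerprint": "inherence",
    "card_number": None,
    "cvv": None,
    "expiry": None,
}


def satisfies_sca(presented):
    """True when the verified factor names span at least two distinct categories."""
    categories = {FACTOR_CATEGORY.get(f) for f in presented}
    categories.discard(None)
    return len(categories) >= 2


@dataclass
class Cardholder:
    password_hash: bytes
    salt: bytes
    device_profile: dict   # what the issuer already knows about the cardholder's device
    available: int         # available funds in pence
    held: int = 0          # authorised but not yet settled


def make_cardholder(password, device_profile, available):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return Cardholder(digest, salt, device_profile, available)


def risk_assess(holder, device_data):
    """Frictionless when the device data matches the issuer's profile, otherwise challenge."""
    keys = ("device_id", "ip", "timezone", "email")
    mismatches = [k for k in keys if holder.device_profile.get(k) != device_data.get(k)]
    return "frictionless" if not mismatches else "challenge"


class Issuer:
    def __init__(self, holder):
        self.holder = holder
        self.pending_otp = None

    def send_otp(self):
        """Issue a single-use code; a real issuer sends it to the phone, never to the merchant."""
        self.pending_otp = f"{secrets.randbelow(10**6):06d}"
        return self.pending_otp

    def _verify(self, name, value):
        if name == "password":
            digest = hashlib.pbkdf2_hmac("sha256", value.encode(), self.holder.salt, 100_000)
            return hmac.compare_digest(digest, self.holder.password_hash)
        if name == "otp_device":
            ok = self.pending_otp is not None and hmac.compare_digest(value, self.pending_otp)
            self.pending_otp = None   # single use, whether or not it matched
            return ok
        return False                  # factor types this toy issuer cannot verify

    def authenticate(self, device_data, factors=None):
        flow = risk_assess(self.holder, device_data)
        if flow == "frictionless":
            return {"flow": flow, "authenticated": True}
        verified = [n for n, v in (factors or {}).items() if self._verify(n, v)]
        return {"flow": flow, "authenticated": satisfies_sca(verified)}

    def authorise(self, amount, avs_cv2_ok, auth_result):
        """Approve only if 3DS succeeded, AVS/CV2 matched and funds exist; then hold the amount."""
        if not (auth_result["authenticated"] and avs_cv2_ok) or amount > self.holder.available:
            return "declined"
        self.holder.available -= amount
        self.holder.held += amount
        return "approved"

    def settle(self, amount):
        """Release held funds to the acquirer; the merchant is only paid at this point."""
        if amount > self.holder.held:
            raise ValueError("settlement exceeds authorised amount")
        self.holder.held -= amount
        return amount


def demo():
    profile = {"device_id": "dev-1", "ip": "203.0.113.5",
               "timezone": "Europe/London", "email": "a@example.com"}
    holder = make_cardholder("correct horse", profile, available=5_000)
    issuer = Issuer(holder)
    r1 = issuer.authenticate(profile)                       # known device: frictionless
    new_dev = dict(profile, device_id="dev-9", ip="198.51.100.7")
    r2 = issuer.authenticate(new_dev, {"password": "correct horse"})   # one category: fails
    otp = issuer.send_otp()
    r3 = issuer.authenticate(new_dev, {"password": "correct horse", "otp_device": otp})
    approved = issuer.authorise(2_000, True, r3)            # hold 20.00
    settled = issuer.settle(2_000)                          # funds released to acquirer
    declined = issuer.authorise(4_000, True, r3)            # only 30.00 left: declined
    return r1, r2, r3, approved, settled, declined, holder.available, holder.held


if __name__ == "__main__":
    print(demo())
```

The two decisions worth noting are that a password plus a PIN never satisfies the challenge, because both are knowledge factors, and that a decline for insufficient funds happens at authorisation, after authentication has already succeeded.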

Conclusion

Whilst there is still some time before the new SCA regulations are fully enforced, it is important to begin switching to a more secure payment process now, to protect your business and your customers equally.

While the previous challenge authentication process may have slowed down the payment journey for eCommerce customers, frictionless authentication through 3D Secure 2.0 passes around ten times as many data points to the card issuer to support risk-based decision making.

Furthermore, with an effective authentication security layer, businesses can take protective measures against fraudulent activity and unnecessary declined payments.

For further information on SCA, please contact us online or call 0191 479 5922 to speak to our dedicated 24/7 support team.