Strong Customer Authentication (SCA) is a new set of rules that will change how consumers confirm their identity when making purchases online. The rules apply in full for card payments, from 14 September 2021 in the UK and from 31 December 2020 in the rest of the EU. These deadlines will not change. If you do not take action, e-commerce card-based payment transactions that are non-compliant will be declined. Implementation of these new rules may require testing and specific changes to your payment process. We therefore encourage you to take immediate action to ensure you are not at risk of declined transactions which may impact your business. Urgent action should be taken by businesses with an online presence.
For further information, please see the recent UK Finance guidance statement available here.
Preparing for Strong Customer Authentication: we will enrol your Merchant ID for both 3DSv1 and 3DSv2. You will receive an email advising you that this has been done. You will then need to activate 3D Secure within your My Opayo account. We strongly recommend that you take these steps now.
Getting started with 3D SecureTest how best to incorporate SCA compliance: customers now have access to the Opayo 3DSv2 test environment. If you are using our Form or Server integrations all you need to do is activate 3D Secure in your My Opayo account. Customers on our Pi and Direct integrations will need to undertake additional development to be ready for 3DSv2.
Find out if you need to make changes to your integrationExisting Deadline: 18 month managed roll out agreed giving UK businesses, banks and online account providers more time to implement the necessary tools and processes. Businesses now have until March 2021 to become compliant. Customers should enable 3DSv1 as a minimum.
SCA your questions answeredApplication for SCA Exemptions: there are several exemptions to SCA that may be requested to improve the payment experience and reduce friction so customers don't need to be authenticated more than once. We advise you to speak with your acquirer well ahead of time to get their approval of any exemption you choose to use.
Find out more on exemptions3D Secure Step-Ups Commence: Issuers e.g. Mastercard and Visa begin to authenticate transactions using both One Time Password (OTP) and Risk Based Authentication (RBA).
Opayo supports early adopters of 3DSv2 with test functionality in our live environment: finalise testing and optimising your checkout flows. If you haven't yet enabled 3D Secure within My Opayo you will not be able to undertake this work.
Financial Conduct Authority (FCA) Guidance Applies in the UK: merchants and payment services providers are expected to be 3DSv2 ready. Steps ups will gradually start to commence from this point onwards. All transactions that do not have 3DSv2 authentication in place will fall back to 3DSv1.
EU Strong Customer Authentication Deadline: merchants based in the European Economic Area (EEA) must have 3DSv2 fully enabled. From this point, all non-authenticated online card-based payments not subject to an exemption will be declined. This also applies to UK merchants, where the customer is making a purchase with a card issued inside of the EEA.
UK Strong Customer Authentication Deadline: merchants based in the UK must have 3DSv2 fully enabled. From this point, all non-authenticated online card-based payments not subject to an exemption will be declined.