
Strong Customer Authentication - Frequently Asked Questions

The Strong Customer Authentication (SCA) PMO team has produced these FAQs to aid understanding of SCA. If you have any further questions not answered below, please contact SCAPMO@UKFINANCE.ORG.UK

Strong Customer Authentication (SCA) is a new set of rules that will change how customers confirm their identity when making purchases online. Next time a customer shops or banks online, they may need to undertake an extra step to confirm it is really them. This could mean a bank or provider using a number of ways to verify a purchase or login, such as a passcode via text message, a phone call to their landline, a card reader or their banking app on their smartphone. SCA is being introduced to help further reduce fraud. With an increasing number of purchases being made online, these new rules will provide the extra protections necessary to ensure that customers are safe when purchasing online and their money is better protected.

These rules will apply to customers when making an online purchase or banking online. When buying items from online retailers, they may receive a text message from their bank or provider containing a passcode. Customers will then be prompted to enter this code on screen before payment will be taken.

Banks or providers may also offer alternative ways of authenticating. These can include a call to a landline phone, a card reader, or using their banking app on their smartphone.

When using online banking, customers will be asked to verify who they are in a similar way as for online shopping. If the customer banks via an app they may have already provided the authentication needed by using their fingerprint, a code, or facial recognition to log in. Customers may not be asked to prove their identity in this way for every purchase or transaction.

You can find the SCA UK Implementation and ramp up plan here.

This is UK only. The UK Finance SCA Programme team has developed the revised detailed implementation plan and the high-level plan. UK Finance urges all stakeholders active in e-commerce to take note of the various deadlines and the introduction of a gradual SCA ramp up from 1 February 2021, with all journeys starting on 1 June 2021, which will require all parties to be ready by the end of May 2021. The SCA UK Implementation and ramp up plan can be found here.

There will be differing requirements because the SCA enforcement deadlines of the EU (31 December 2020) and the UK (14 September 2021) are different. Please refer to the full UK Finance SCA UK implementation and ramp up plan here for further details, or visit the EBA website.

Yes – for more information see UK Finance SCA Guidance document section 1.2 here. UK Finance will further clarify in our second version of the guidance which will be published in due course.

UK Finance is working with the FCA on an ongoing basis to ensure clarity is provided to the UK market. If there are specific areas of concern, please contact the UK Finance PMO by email scapmo@ukfinance.org.uk

The original enforcement date was March 2021. The FCA has allowed an extension to 14 September 2021.

However, parties engaged on e-commerce card-based payments need to enable all SCA flows in readiness for the full UK SCA Ramp up due to start on 1 June 2021. The UK Finance SCA UK Implementation and ramp up plan can be found here.

The UK Finance SCA Programme team has developed an industry implementation plan. UK Finance urges all stakeholders active in e-commerce, including e-merchants, to take note of the various deadlines and the introduction of a gradual SCA ramp up which will require all parties to be ready by 1 June 2021 in order to ensure the customer impact is minimal. The full SCA UK Implementation and ramp up plan can be found here.

No, this is not the case – see the full SCA UK Implementation and ramp up plan here.

The expectation is that by 1 June 2021 all ecommerce transactions should comply with SCA. This means ecommerce transactions need to be sent via 3DS or directly to authorisations with the correct flag (exemption or out of scope), but not that all in scope transactions will be subject to full SCA.

The EU enforcement deadline is generally 31 December 2020, and as such testing may need to be in place before the EU deadline comes into force.

Unless a transaction is out of scope or an exemption applies, providers must apply SCA in specified scenarios, i.e. where a customer:

a) accesses their payment account online;
b) initiates an electronic payment transaction; or
c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

All electronic payments initiated by the payer are covered by the scope of the SCA requirement, unless one of a limited number of exemptions applies. This scope is broad as it covers both remote and face-to-face electronic payments initiated by the payer and extends to all channels or devices through which initiation occurs, so including payments made through a browser, mobile, in-app, devices using the Internet of Things (IoT), as well as payments made via a terminal where the data extracted in relation to the payment is all electronic. For full details of scope, see UK Finance SCA Guidance document section 2 here.

This can be found in section 2 of the UK Finance SCA Guidance document which can be found here.

Payee or card-based merchant-initiated transactions (MITs) are out of scope of the requirement for SCA and do not need to rely on an exemption. They include direct debits or card transactions, where the transaction is initiated by the payee only.

However, if the authority for the payments is given electronically (such as with online subscription services), then the action of granting the authority will be caught by the SCA requirement under the third 'other action' requirement of SCA.

In certain use cases, the payment authority will have been given on paper and so will be out of scope for that reason.

For more information refer to the UK Finance SCA Guidance document section 2 which can be found here.

For guidance on one leg out transactions refer to the UK Finance SCA Guidance document section 2, which can be found here.

Direct debits of fixed or variable amount that are initiated by the payee only, without any direct intervention from the payer, are out of scope of SCA; however, the mandate, when created through a specific e-mandate scheme, requires SCA. For further information refer to the UK Finance SCA Guidance document section 2 which can be found here.

For more information refer to the UK Finance SCA Guidance document section 2 which can be found here.

SCA means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data.

Further guidance on what counts as inherence has been included in the UK Finance SCA Guidance document section 6 and can be found here.

Further guidance on what counts as knowledge has been included in the UK Finance SCA Guidance document section 4 and can be found here.

Card issuers need to determine the best approach to take, within their own security and risk appetites. The FCA has indicated a preference for the industry to prioritise strategic solutions. For further guidance, refer to the UK Finance SCA Guidance document section 4 which can be found here.

Further guidance on what counts as possession has been included in the UK Finance SCA Guidance document section 5 and can be found here.

In the context of card-based payments SCA-compliant transactions can be sent directly via authorisations (where relevant) as long as they are flagged correctly (with an exemption or as out of scope).

The focus of the rollout is a technology called 3DSecure which will help to facilitate the authentication of the majority of card-based transactions. However, there are other SCA compliant solutions available in the market, such as those provided by Payment Initiation Services (e.g. through Open Banking), Apple Pay or Google Pay as well as other potential solutions.

UK Finance produced a webinar which can be viewed on demand and discusses 3DS in greater detail and the differences between the versions of 3DS. It can be found here.

No – 3DS is not mandatory. 3DS enables issuer authentication and the usage of exemptions for ecommerce transactions; however, ecommerce transactions can still be sent directly via authorisations in a compliant manner as long as they are flagged correctly.

There are other solutions available. The focus of the rollout is a technology called 3DSecure, which will help to facilitate the authentication of the majority of card-based transactions. However, there are other SCA compliant solutions available in the market, such as those provided by Payment Initiation Services (e.g. through Open Banking), Apple Pay or Google Pay, as well as other potential solutions.

Issuers will only decline/soft decline non SCA-compliant transactions. SCA compliance can be achieved via 3DS or by sending transactions directly to authorisations with the correct flag.

From 1 February 2021 issuers should begin a gradual activation of various transactions and SCA step ups commence.

Commencing 1 June 2021 until 14 September 2021 there will be a full ramp up to SCA, meaning all parties need to be ready to comply with every aspect of SCA by 31 May 2021.

From June 2021 transactions will be randomly checked by issuers on an increasing basis to determine whether they are SCA compliant and may be soft declined if they are not.

From 14 September 2021 – full SCA enforcement will be in place.

UK Finance cannot mandate any particular solution and it is the decision of each Payment Service Provider (PSP) as an issuer to define their authentication solutions and to satisfy their own security requirements and risk appetites. The majority of issuers will be leveraging their mobile apps in order to authenticate most customers but need to provide alternatives that work for customers.

For more information refer to the UK Finance SCA Guidance document sections 4 and 5 which can be found here.

Behavioural biometrics have been used for risk profiling historically. However behavioural biometrics as an authentication factor is relatively new, and issuers are encouraged to engage the different suppliers in the market as part of their risk assessment. Behavioural biometrics are already being utilised in online banking as part of risk-based authentication strategies.

Data maturity is one of the key challenges for any behavioural based approach, and any approach needs to be consistent with the principles proposed by UK Finance and the regulator. The number of transactions and information required to build an acceptable profile will depend very much on the issuer’s solution and risk appetite.

The FCA has acknowledged that behavioural profiles will take time to be established and results will be weaker in the first instance.

However, the recommended industry position is the use of behavioural biometrics as the second factor in authentication, with no fall back (for scenarios where the use of behavioural biometrics is not feasible). The Financial Conduct Authority supports the development of strategic solutions that are good for customers and businesses and has welcomed the industry’s suggestion to focus on behavioural biometrics as a second factor to an OTP solution.

Based on this June 2019 EBA Opinion the minimum viable proposition (MVP) recommended is for issuers to leverage 3DS flows and integrate their chosen behavioural biometric solution via the ACS provider (if applicable).

Issuers can, however, work with their ACS and behavioural biometric suppliers to enhance current 3DS flows so that extra customer data (e.g. email address or cardholder name) is captured, providing additional data for enhanced behavioural biometric profiling.

Issuers will need to ensure that their final implementation solution complies with all the relevant requirements, and that data collected and processed as part of their chosen solution meets the minimum standards set by the EBA and complies with the FCA’s requirements set out in its Approach Document.

UK Finance has produced a second factor guidance document with more details, which can be found here.

UK Finance encourages issuers to review, with the relevant vendors, the different scenarios required to enable behavioural biometrics as it will depend very much on the supplier’s solution and issuer’s risk appetite. There are a number of free pre-recorded vendor showcase webinars available to view which can be found here.

UK Finance cannot endorse any solution or class of solutions. UK Finance and the FCA support strategic solutions for the industry and have done extensive work with the industry on the risks and benefits of particular solutions. It is the responsibility of PSPs to find their own solutions depending on their own circumstances and risk/security appetite.

The FCA has acknowledged that this will be a gap for day 1 – for more information see the Strong Customer Authentication: Considerations for what can be used as a second factor alongside One Time Passcode (OTP) here.

The European Banking Authority’s (EBA) Opinion in June 2019 clarified that card details could not be considered a valid factor. This position has an impact on card issuers using an OTP solution sent by text or via landline, where the solution relies upon possession as one factor (the OTP sent to the customer’s pre-registered mobile device or landline proves that the customer is in possession of that mobile device or landline).

As a result, card issuers will require a second factor (either inherence or knowledge) over and above the OTP solution to comply with SCA.

With the introduction of SCA, there is a need for participants within the payments ecosystem to be cognisant of the wide variety of consumers and the ways in which they access goods and services. While the move to digital continues to make advancements, issuers are asked to consider alternative authentication options for consumers who have poor mobile reception, making it difficult for them to receive an SMS OTP in the context of authentication. Equally, there will be some consumers who choose not to have a mobile phone, or specifically those without smartphones, for whom other approaches such as authentication via a mobile app may inhibit them from performing an e-commerce transaction. It must be acknowledged that not all customers are able, or choose, to use biometric solutions.

However, issuers have the flexibility to define the best authentication solutions.

There is a full list of exemptions and more information in the UK Finance SCA Guidance document section 9 which can be found here.

Exemptions will be applied by the payer’s PSP (ASPSP) where required. A number of exemptions can only be applied by an authorised or registered PSP. The term ‘PSP’ includes issuers, acquirers or other authorised parties (as defined under PSD2) in the payment chain. Merchants cannot apply SCA exemptions in their own right. For more information refer to the UK Finance SCA Guidance document section 9 which can be found here.

For more guidance on SCA exemptions, refer to the UK Finance SCA Guidance document section 9 which can be found here.

The RTS require that the two or more authentication elements used result in the generation of a secure authentication code. The recitals to the RTS explain that the authentication code "should be based on solutions such as generating and validating one-time passwords, digital signatures or other cryptographically underpinned validity assertions using keys or cryptographic material stored in the authentication elements, as long as the security requirements are fulfilled".

In addition, for electronic remote payment transactions (e.g. payments on the internet), the authentication code generated must be specific to the amount of the payment transaction and the payee. This is known as ‘dynamic linking’. For more information refer to the UK Finance SCA Guidance document section 8 which can be found here.
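A constructed illustration of dynamic linking, added here and not taken from the UK Finance guidance: the authentication code is an HMAC over the amount, currency and payee, keyed with a secret assumed to be held on the customer's registered device (the possession element), so a code issued for one payment cannot be reused for a different amount or payee. The key, challenge and payment values are constructed sample data.

```python
import hmac
import hashlib
import secrets

# Constructed sample key standing in for cryptographic material stored in the
# possession element (e.g. a key provisioned into the customer's banking app).
DEVICE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")


def new_challenge() -> bytes:
    """Fresh per-transaction nonce so the same payment cannot be replayed later."""
    return secrets.token_bytes(16)


def _canonical(amount_minor: int, currency: str, payee: str, challenge: bytes) -> bytes:
    """Length-prefixed, fixed-order encoding of the linked fields.

    Length prefixes stop field boundaries shifting (e.g. amount "10" with
    currency "0GBP" must not encode the same as amount "100" with "GBP").
    """
    fields = [str(amount_minor).encode(), currency.encode(), payee.encode(), challenge]
    out = b""
    for field in fields:
        out += len(field).to_bytes(2, "big") + field
    return out


def generate_auth_code(key: bytes, amount_minor: int, currency: str,
                       payee: str, challenge: bytes, digits: int = 8) -> str:
    """Authentication code bound to the specific amount and payee."""
    mac = hmac.new(key, _canonical(amount_minor, currency, payee, challenge),
                   hashlib.sha256).digest()
    # Dynamic truncation in the style of RFC 4226 (HOTP), applied to SHA-256.
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def verify_auth_code(key: bytes, amount_minor: int, currency: str,
                     payee: str, challenge: bytes, presented: str) -> bool:
    """Issuer-side check: recompute over the transaction the issuer is about to
    authorise; any change to amount or payee yields a different code."""
    expected = generate_auth_code(key, amount_minor, currency, payee, challenge)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    challenge = new_challenge()
    code = generate_auth_code(DEVICE_KEY, 4250, "GBP", "ACME Ltd", challenge)
    print("code for GBP 42.50 to ACME Ltd:", code)
    print("same payment verifies:",
          verify_auth_code(DEVICE_KEY, 4250, "GBP", "ACME Ltd", challenge, code))
    print("amount tampered to 42.51 verifies:",
          verify_auth_code(DEVICE_KEY, 4251, "GBP", "ACME Ltd", challenge, code))
    print("payee tampered verifies:",
          verify_auth_code(DEVICE_KEY, 4250, "GBP", "Other Co", challenge, code))
```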

The FCA is due to publish its approach document in Q1 2021.

This issue will form part of the wider consultation of the FCA Approach Document which is due in Q1 2021.

No – all the card details currently required will remain. Under the requirements of Article 7 of the RTS, the EBA has confirmed that static card details are not sufficient to constitute a possession element for approaches currently observed in the market, although a dynamic CVV meets the requirements for a possession-based authentication element.

For further details refer to the UK Finance SCA Guidance document section 5.11 which can be found here.

The payment is initiated by paper or telephone (not electronically), notwithstanding that it results in the generation of an electronic transaction.

The EBA has clarified that Interactive Voice Response (IVR) mechanisms may, depending on the precise solution, be treated as MOTO transactions; however, where such technology is used to initiate electronic payment transactions through the internet or other at-distance channels, they will generally be treated as electronic transactions and are therefore in scope of strong customer authentication.

While MOTO is realised through manual “PAN Key” entries, it should be noted that such entries may only be used with genuine MOTO transactions and not, for example, for face to face transactions.

For more information, refer to the UK Finance SCA Guidance document section 2 here.

Password resets are very important and are often the precursor to an account takeover attempt. The UK payments industry is continually working to strengthen this channel, including creating dynamic journeys around whether the password can be reset online versus sent out in the post.

For more information refer to the UK Finance SCA Guidance document section 18 which can be found here.

The UK Finance SCA Programme has two Engagement Task Forces teams to drive awareness and readiness across the industry.

UK Finance has been delivering a series of free webinars and issuing multiple SCA guidance documents to ensure industry awareness. These webinars can be viewed on demand using this link. To access a variety of SCA Guidance documents, please visit our SCA landing page here.

The SCA communication can be found here and UK Finance hosted a free webinar which can be viewed on demand here.

This can be found here.

The SCA communication can be found here and UK Finance hosted a free webinar which can be viewed on demand here.

The SCA communication on improving outcomes from 3DSecure – Data Consistency, can be found here and the free webinar which can be viewed on demand here.

The SCA communication can be found here.

UK Finance hosted a number of vendor showcase webinars which can be found here.

UK Finance hosted a free webinar discussing Dynamic Linking which can be viewed on demand here.

UK Finance hosted a free webinar discussing Operational Resilience which can be viewed on demand here.

UK Finance hosted a free webinar discussing the impact on the travel and hospitality sector which can be viewed on demand here.

Email details can be found here.