Strong Customer Authentication - Frequently Asked Questions

The Strong Customer Authentication (SCA) PMO team has produced these FAQs to aid understanding of SCA. If you have any further questions not answered below, please contact SCAPMO@UKFINANCE.ORG.UK

Strong Customer Authentication (SCA) is a new set of rules that changes how customers confirm their identity when paying or banking online. The next time a customer shops or banks online, they may need to complete an extra step to confirm it is really them. A bank or provider can verify a purchase or login in a number of ways, such as a passcode sent by text message, a phone call to the customer's landline, a card reader, or the customer's banking app on their smartphone. SCA is being introduced to further reduce fraud. With an increasing number of purchases being made online, these rules provide the extra protection needed to keep customers safe when purchasing online and to better protect their money.

These rules will apply to customers when making an online purchase or banking online. When buying items from online retailers, they may receive a text message from their bank or provider containing a passcode. Customers will then be prompted to enter this code on screen before payment will be taken.

Banks or providers may also offer alternative ways of authenticating. These can include a call to a landline phone, a card reader, or the customer's banking app on their smartphone.

When using online banking, customers will be asked to verify who they are in a similar way as for online shopping. If the customer banks via an app they may have already provided the authentication needed by using their fingerprint, a code, or facial recognition to log in. Customers may not be asked to prove their identity in this way for every purchase or transaction.

You can find the SCA UK Implementation and ramp up plan here.

This applies to the UK only. The UK Finance SCA Programme team has developed the revised detailed implementation plan and the high-level plan. UK Finance urges all stakeholders active in e-commerce to take note of the various deadlines and of the gradual SCA ramp up starting on 1 February 2021, with all journeys starting on 1 June 2021, which requires all parties to be ready by the end of May 2021. The SCA UK Implementation and ramp up plan can be found here.

There will be differing requirements because the SCA enforcement deadlines of the EU (31 December 2020) and the UK (14 September 2021) are different. For further details, refer to the full UK Finance SCA UK implementation and ramp up plan here, or visit the EBA website.

Yes – for more information see UK Finance SCA Guidance document section 1.2 here. UK Finance will further clarify in our second version of the guidance which will be published in due course.

UK Finance is working with the FCA on an ongoing basis to ensure clarity is provided to the UK market. If there are specific areas of concern, please contact the UK Finance PMO by email scapmo@ukfinance.org.uk.

The original enforcement date was March 2021. The FCA has allowed an extension to 14 September 2021.

However, parties engaged on e-commerce card-based payments need to enable all SCA flows in readiness for the full UK SCA Ramp up due to start on 1 June 2021. The UK Finance SCA UK Implementation and ramp up plan can be found here.

The UK Finance SCA Programme team has developed an industry implementation plan. UK Finance urges all stakeholders active in e-commerce, including e-merchants, to take note of the various deadlines and the introduction of a gradual SCA ramp up which will require all parties to be ready by 1 June 2021 in order to ensure the customer impact is minimal. The full SCA UK Implementation and ramp up plan can be found here.

No, this is not the case – see the full SCA UK Implementation and ramp up plan here.

The expectation is that by 1 June 2021 all ecommerce transactions should comply with SCA. This means ecommerce transactions need to be sent via 3DS or directly to authorisations with the correct flag (exemption or out of scope), but not that all in scope transactions will be subject to full SCA.

The EU enforcement deadline is generally 31 December 2020, and as such testing may need to be in place before the EU deadline comes into force.

Unless a transaction is out of scope or an exemption applies, providers must apply SCA in specified scenarios, i.e. where a customer:

a) accesses their payment account online;
b) initiates an electronic payment transaction; or
c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

All electronic payments initiated by the payer are covered by the scope of the SCA requirement, unless one of a limited number of exemptions applies. This scope is broad as it covers both remote and face-to-face electronic payments initiated by the payer and extends to all channels or devices through which initiation occurs, so including payments made through a browser, mobile, in-app, devices using the Internet of Things (IoT), as well as payments made via a terminal where the data extracted in relation to the payment is all electronic. For full details of scope, see UK Finance SCA Guidance document section 2 here.

This can be found in section 2 of the UK Finance SCA Guidance document which can be found here.

Payee-initiated transactions, including card-based merchant-initiated transactions (MITs), are out of scope of the requirement for SCA and do not need to rely on an exemption. They include direct debits and card transactions where the transaction is initiated by the payee only.

However, if the authority for the payments is given electronically (such as with online subscription services), then the action of granting the authority will be caught by the SCA requirement under the third 'other action' requirement of SCA.

In certain use cases, the payment authority will have been given on paper and so will be out of scope for that reason.

For more information refer to the UK Finance SCA Guidance document section 2 which can be found here.

For guidance on one-leg-out transactions, refer to the UK Finance SCA Guidance document section 2, which can be found here.

Direct debits of fixed or variable amount that are initiated by the payee only, without any direct intervention from the payer, are out of scope of SCA. However, where the mandate is created through a specific e-mandate scheme, creating the mandate requires SCA. For further information refer to the UK Finance SCA Guidance document section 2 which can be found here.

For more information refer to the UK Finance SCA Guidance document section 2 which can be found here.

SCA means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and that is designed in such a way as to protect the confidentiality of the authentication data.

Further guidance on what counts as inherence has been included in the UK Finance SCA Guidance document section 6 and can be found here.

Further guidance on what counts as knowledge has been included in the UK Finance SCA Guidance document section 4 and can be found here.

Card issuers need to determine the best approach to take, within their own security and risk appetites. The FCA has indicated a preference for the industry to prioritise strategic solutions. For further guidance, refer to the UK Finance SCA Guidance document section 4 which can be found here.

Further guidance on what counts as possession has been included in the UK Finance SCA Guidance document section 5 and can be found here.

In the context of card-based payments SCA-compliant transactions can be sent directly via authorisations (where relevant) as long as they are flagged correctly (with an exemption or as out of scope).

The focus of the rollout is a technology called 3DSecure which will help to facilitate the authentication of the majority of card-based transactions. However, there are other SCA compliant solutions available in the market, such as those provided by Payment Initiation Services (e.g. through Open Banking), Apple Pay or Google Pay as well as other potential solutions.

UK Finance produced a webinar which can be viewed on demand and discusses 3DS in greater detail and the differences between the versions of 3DS. It can be found here.

No – 3DS is not mandatory. 3DS enables issuer authentication and the use of exemptions for ecommerce transactions; however, ecommerce transactions can still be sent directly via authorisations in a compliant manner as long as they are flagged correctly.

There are other solutions available. The focus of the rollout is a technology called 3DSecure which will help to facilitate the authentication of the majority of card-based transactions. However, there are other SCA compliant solutions available in the market, such as those provided by Payment Initiation Services (e.g. through Open Banking), Apple Pay or Google Pay, as well as other potential solutions.

Issuers will only decline or soft decline non-SCA-compliant transactions. SCA compliance can be achieved via 3DS or by sending transactions directly to authorisations with the correct flag.

From 1 February 2021 issuers should begin a gradual activation of SCA across various transaction types, and SCA step ups commence.

Commencing 1 June 2021 until 14 September 2021 there will be a full ramp up to SCA, meaning all parties need to be ready to comply with every aspect of SCA by 31 May 2021.

From June 2021 transactions will be randomly checked by issuers on an increasing basis to determine whether they are SCA compliant and may be soft declined if they are not.

From 14 September 2021 – full SCA enforcement will be in place.

UK Finance cannot mandate any particular solution and it is the decision of each Payment Service Provider (PSP) as an issuer to define their authentication solutions and to satisfy their own security requirements and risk appetites. The majority of issuers will be leveraging their mobile apps in order to authenticate most customers but need to provide alternatives that work for customers.

For more information refer to the UK Finance SCA Guidance document sections 4 and 5 which can be found here.

Behavioural biometrics have been used for risk profiling historically. However behavioural biometrics as an authentication factor is relatively new, and issuers are encouraged to engage the different suppliers in the market as part of their risk assessment. Behavioural biometrics are already being utilised in online banking as part of risk-based authentication strategies.

Data maturity is one of the key challenges for any behavioural based approach, and any approach needs to be consistent with the principles proposed by UK Finance and the regulator. The number of transactions and information required to build an acceptable profile will depend very much on the issuer’s solution and risk appetite.

The FCA has acknowledged that behavioural profiles will take time to be established and results will be weaker in the first instance.

However, the recommended industry position is the use of behavioural biometrics as the second factor in authentication, with no fall back (for scenarios where the use of behavioural biometrics is not feasible). The Financial Conduct Authority supports the development of strategic solutions that are good for customers and businesses and has welcomed the industry's suggestion to focus on behavioural biometrics as the second factor alongside an OTP solution.

Based on this June 2019 EBA Opinion the minimum viable proposition (MVP) recommended is for issuers to leverage 3DS flows and integrate their chosen behavioural biometric solution via the ACS provider (if applicable).

Issuers, can, however, work with their ACS and behavioural biometric suppliers to enhance current 3DS flows so that extra customer data (e.g. email address or cardholder name) is captured providing additional data for enhanced behavioural biometric profiling.

Issuers will need to ensure that their final implementation solution complies with all the relevant requirements.

Issuers must also ensure that data collected and processed as part of their chosen solution meets the minimum standards set by the EBA and complies with the FCA's requirements set out in its Approach Document.

UK Finance has produced a second factor guidance document with more details, this can be found here.

UK Finance encourages issuers to review, with the relevant vendors, the different scenarios required to enable behavioural biometrics as it will depend very much on the supplier’s solution and issuer’s risk appetite. There are a number of free pre-recorded vendor showcase webinars available to view which can be found here.

UK Finance cannot endorse any solution or class of solutions. UK Finance and the FCA support strategic solutions for the industry and have done extensive work with the industry on the risks and benefits of particular solutions. It is the responsibility of PSPs to find their own solutions depending on their own circumstances and risk/security appetite.

The FCA has acknowledged that this will be a gap for day 1 – for more information see the Strong Customer Authentication: Considerations for what can be used as a second factor alongside One Time Passcode (OTP) here.

The European Banking Authority's (EBA) Opinion in June 2019 clarified that card details could not be considered a valid factor. This position has an impact on card issuers using an OTP solution sent by text or via landline, where the solution relies upon possession as one factor (the OTP sent to the customer's pre-registered mobile device or landline proves that the customer is in possession of that mobile device or landline).

As a result, card issuers will require a second factor (either inherence or knowledge) over and above the OTP solution to comply with SCA.

With the introduction of SCA, participants within the payments ecosystem need to be cognisant of the wide variety of consumers and the ways in which they access goods and services. While the move to digital continues to advance, issuers are asked to consider alternative authentication options for consumers who have poor mobile reception, which makes it difficult for them to receive an SMS OTP for authentication. Equally, some consumers choose not to have a mobile phone, or specifically do not have a smartphone, so approaches such as authentication via a mobile app may prevent them from performing an e-commerce transaction. It must be acknowledged that not all customers are able, or choose, to use biometric solutions.

However, issuers have the flexibility to define the best authentication solutions.

There is a full list of exemptions and more information in the UK Finance SCA Guidance document section 9 which can be found here.

Exemptions will be applied by the payer’s PSP (ASPSP) where required. A number of exemptions can only be applied by an authorised or registered PSP. The term ‘PSP’ includes issuers, acquirers or other authorised parties (as defined under PSD2) in the payment chain. Merchants cannot apply SCA exemptions in their own right. For more information refer to the UK Finance SCA Guidance document section 9 which can be found here.

For more guidance on SCA exemptions, refer to the UK Finance SCA Guidance document section 9 which can be found here.

The RTS require that the two or more authentication elements used result in the generation of a secure authentication code. The recitals to the RTS explain that the authentication code "should be based on solutions such as generating and validating one-time passwords, digital signatures or other cryptographically underpinned validity assertions using keys or cryptographic material stored in the authentication elements, as long as the security requirements are fulfilled".

In addition, for electronic remote payment transactions (e.g. payments on the internet), the authentication code generated must be specific to the amount of the payment transaction and the payee. This is known as ‘dynamic linking’. For more information refer to the UK Finance SCA Guidance document section 8 which can be found here.

The FCA is due to publish its approach document in Q1 2021.

This issue will form part of the wider consultation of the FCA Approach Document which is due in Q1 2021.

Visa 3DS1 transactions will be compliant with dynamic linking with the implementation of CAVV Us3 V7. The Mastercard position on Mastercard 3DS1 transactions was confirmed in its Authentication Guide published in November 2020.

UK Finance cannot comment on behalf of the schemes. However, for further information on dynamic linking, please refer to the UK Finance SCA Guidance document section 8 which can be found here.

There are several use cases where the final amount is not known at the time of authentication. The most common use case is online grocery shopping where an item is switched out for a different brand/weight at the point of authorisation, which may be several hours after authentication by the customer.

In respect of a name change, it has been agreed at UK industry level that the EBA Q&A 2018_4556 means that no change to the status quo is needed; that the authentication code (Cryptogram) is specific to the payee and cannot be intercepted or broken during the ‘life’ of the transaction.

In respect of the amount change, this differs depending on whether the amount decreases or increases. In respect of amount decreases current FCA guidance confirms that this will not invalidate the authentication code.

The question in respect of amount increases will be confirmed in the FCA's consultation to its Approach paper. The UK industry view is that an amount increase does not invalidate the authentication code. We have shared this view with the FCA. The FCA will give its direction in the consultation to its Approach document which will be published in the next few months.

This information can be found in the scheme documentation. This level of detail is of a technical nature and as such will not form part of any UK Finance guidance. Please refer to the schemes for further information.

UK Finance guidance on Dynamic Linking was issued in October and updated in December and includes details on what each party (e.g. merchant, acquirer, issuer) must do for readiness and/or compliance with Article 5. FCA confirmation will come in the consultation to its Approach document which is due in Q1 2021. The UK Finance SCA Guidance document can be found here.

However, this only covers the UK approach; there may need to be significant changes for a party which operates across UK-EEA e.g. UK merchants selling into EEA or card issuers with a UK book and EEA book. This is because a competent authority in an EU Member State may have a different view of enforcement of dynamic linking to the FCA.

We understand that the EBA accepts that the merchant name can differ between authentication and authorisation. Hence issuers may accept transactions where the merchant name differs. There may also be instances (for example in the hotel and travel sector) where multiple merchants are involved, i.e. one at authentication and two or more at authorisation (one for each involved merchant). For more information on these scenarios, refer to the EBA Q&A 2018_4556, scheme documentation for travel & hospitality and the UK Finance SCA guidance here.

UK Finance recommends the e-merchant is not checked as otherwise around 30 per cent would fail. In our view EBA endorsed this approach.
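To make the dynamic linking rules described above concrete (an authentication code generated from keys held in the authentication element and bound to the amount and payee; an amount decrease that does not invalidate the code; a merchant name that is allowed to differ between authentication and authorisation), here is an added illustrative example. It is not UK Finance, scheme or ACS code. The key, the message layout, the field names and the percentage tolerance applied to amount increases are assumptions made for the demonstration; the FAQ leaves the regulatory treatment of amount increases to the FCA, so the tolerance here is a hypothetical issuer setting, not a rule.

```python
"""Illustrative issuer-side dynamic linking check (added example, not scheme code)."""
import hmac
import hashlib
from dataclasses import dataclass

# Hypothetical issuer secret. In a real deployment this key material sits in the
# authentication element (e.g. an HSM behind the ACS) and never reaches the merchant.
ISSUER_KEY = bytes.fromhex("0f" * 32)  # constructed test key


@dataclass(frozen=True)
class AuthRecord:
    """What the authentication step produced and what travels to authorisation."""
    txn_id: str    # e.g. the DS Transaction ID (field name is an assumption)
    amount: int    # authenticated amount in minor units (pence)
    payee_id: str  # stable payee identifier (merchant ID), not the display name
    code: str      # hex authentication code playing the role of the cryptogram


def _message(txn_id: str, amount: int, payee_id: str) -> bytes:
    """Length-prefix each field so "1|23" and "12|3" cannot produce the same input."""
    parts = [txn_id.encode(), str(amount).encode(), payee_id.encode()]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def generate_code(key: bytes, txn_id: str, amount: int, payee_id: str) -> AuthRecord:
    """Issuer/ACS at authentication: code is specific to the amount and the payee."""
    mac = hmac.new(key, _message(txn_id, amount, payee_id), hashlib.sha256).hexdigest()
    return AuthRecord(txn_id, amount, payee_id, mac)


def verify_code(key: bytes, rec: AuthRecord) -> bool:
    """Recompute the MAC over the authenticated triple; any edit to it fails here."""
    expected = hmac.new(key, _message(rec.txn_id, rec.amount, rec.payee_id),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rec.code)


def authorise(key: bytes, rec: AuthRecord, auth_amount: int, auth_payee_id: str,
              auth_merchant_name: str, increase_tolerance_pct: float = 0.0) -> str:
    """Issuer at authorisation. Returns 'approve' or a decline reason.

    Policy modelled on the FAQ text:
      * the code must verify, so tampering with the authenticated amount or payee
        en route is detected;
      * the payee identifier must match; auth_merchant_name is deliberately NOT
        compared, because the display name may legitimately differ;
      * an amount decrease never invalidates the code;
      * an amount increase is accepted only within increase_tolerance_pct, a
        hypothetical issuer setting standing in for 'reasonable expectations'.
    """
    if not verify_code(key, rec):
        return "decline: authentication code does not verify"
    if auth_payee_id != rec.payee_id:
        return "decline: payee differs from authenticated payee"
    if auth_amount <= rec.amount:
        return "approve"
    limit = rec.amount * (1 + increase_tolerance_pct / 100)
    return "approve" if auth_amount <= limit else "decline: amount increase outside tolerance"


def demo() -> dict:
    """Run the scenarios the FAQ discusses against constructed data."""
    rec = generate_code(ISSUER_KEY, "ds-txn-0001", 4250, "MID-12345")  # 42.50 authenticated
    # Constructed tampering: payee field rewritten after authentication, code left as is.
    tampered = AuthRecord(rec.txn_id, rec.amount, "MID-99999", rec.code)
    return {
        "same": authorise(ISSUER_KEY, rec, 4250, "MID-12345", "Shop Ltd"),
        "name_differs": authorise(ISSUER_KEY, rec, 4250, "MID-12345", "SHOP*ONLINE"),
        "decrease": authorise(ISSUER_KEY, rec, 3999, "MID-12345", "Shop Ltd"),
        "increase_no_tolerance": authorise(ISSUER_KEY, rec, 4500, "MID-12345", "Shop Ltd"),
        "increase_in_tolerance": authorise(ISSUER_KEY, rec, 4500, "MID-12345", "Shop Ltd", 20.0),
        "tampered_payee": authorise(ISSUER_KEY, tampered, 4250, "MID-99999", "Shop Ltd"),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:24s} {outcome}")
```

The check is split in two on purpose: the MAC proves the (transaction, amount, payee) triple is the one the customer authenticated, and the policy layer decides what the authorisation is allowed to differ by. Keeping the merchant name out of the MAC input is what lets the name change without breaking the code, while the payee identifier stays bound. Reuse of one authentication code by several authorisations (the hotel case later on this page) is not prevented here, matching the FAQ's description.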

Dynamic linking is required whenever SCA is performed for remote transactions. So if the customer is required to complete SCA during these transactions dynamic linking is also required. For further information refer to the UK Finance SCA Guidance document here.

There are no common rules for identity linking; please refer to individual scheme mandates for linking identity.

UK Finance has explained the process to the FCA (including Man in the Middle attacks - MIM). Its direction will be confirmed in the consultation to its Approach paper in Q1 2021.

There is no ongoing UK Finance or EBF discussion with the EBA on upwards tolerance; the EBA's Q&A 2020_5133 was its final response.

Yes, this is possible. For more information on dynamic linking please refer to the UK Finance SCA Guidance document section 8  here.

Dynamic linking is required whenever SCA is undertaken on a remote payment transaction. If a customer is stepped up in the low-risk flows, the dynamic linking requirements will also apply at that point, but this will not be enforced until September 2021. For further information refer to the SCA Implementation and ramp up plan here.

MIT is seen as an acceptable alternative to comparing the amounts and to building a tolerance here.

Hotels often use third parties to authenticate and the payment is processed separately which will lead to authentication on one merchant ID and payment taken on another. This works because the unique authentication data (AAV, DS Transaction ID) can be re-used by multiple authorisations and different acquirers here.

The compliance of a transaction against SCA requirements will be down to the treatment of that transaction, not simply that a party is 3DS2 enabled here.

Card present transactions (e.g Chip & PIN) do not require dynamic linking. For further information of the scope of SCA refer to the UK Finance Guidance document section 2 here.

There is an established payment scheme practice of allowing a price rise tolerance and this is usually explained as being within the customer's 'reasonable expectations'. In respect of what merchants, acquirers and issuers must do to  establish and apply 'reasonable expectations' for dynamic linking, please see Chapter 8 of the UK Finance SCA Guidance document here. 

No, each scheme has different data elements that are relevant for dynamic linking. Please refer to the scheme manuals for further information here. 

No – all the card details currently required will remain. Under the requirements of Article 7 of the RTS, the EBA has confirmed that static card details are not sufficient to constitute a possession element for the approaches currently observed in the market, although a dynamic CVV meets the requirements for a possession-based authentication element.

For further details refer to the UK Finance SCA Guidance document section 5.11 which can be found here.

The payment is initiated by paper or telephone (not electronically), notwithstanding that they result in the generation of an electronic transaction.

The EBA has clarified that Interactive Voice Response (IVR) mechanisms may, depending on the precise solution, be treated as MOTO transactions, however, where such technology is used to initiate electronic payment transactions through the internet or otherwise at-distance channels, they will generally be treated as electronic transactions and therefore are in scope of strong customer authentication.

While MOTO is realised through manual “PAN Key” entries, it should be noted that such entries may only be used with genuine MOTO transactions and not, for example, for face to face transactions.

For more information, refer to the UK Finance SCA Guidance document section 2 here.

Password resets are very important and are often the precursor to an account takeover attempt. The UK payments industry is continually working to strengthen this channel, including creating dynamic journeys that decide whether the password can be reset online versus sent out in the post.

For more information refer to the UK Finance SCA Guidance document section 18 which can be found here.

The UK Finance SCA Programme has two Engagement Task Force teams to drive awareness and readiness across the industry.

UK Finance has been delivering a series of free webinars and issuing multiple SCA guidance documents to ensure industry awareness. These webinars can be viewed on demand using this link. To access a variety of SCA Guidance documents, please visit our SCA landing page here.

The SCA communication can be found here and UK Finance hosted a free webinar which can be viewed on demand here.

This can be found here.

The SCA communication can be found here and UK Finance hosted a free webinar which can be viewed on demand here.

The SCA communication on improving outcomes from 3DSecure – Data Consistency, can be found here and the free webinar which can be viewed on demand here.

The SCA communication can be found here.

UK Finance hosted a number of vendor showcase webinars which can be found here.

UK Finance hosted a free webinar discussing Dynamic Linking which can be viewed on demand here.

UK Finance hosted a free webinar discussing Operational Resilience which can be viewed on demand here.

UK Finance hosted a free webinar discussing the impact on the travel and hospitality sector which can be viewed on demand here.

Email details can be found here.