Articles on: Privacy & Data Security

Do I need to do anything about Strong Customer Authentication (SCA)?

Strong Customer Authentication, or SCA, is a European regulation that was introduced in September 2019, designed to make payments made online by credit or debit card more secure in the European Economic Area (EEA) and the UK. It helps to verify cardholders and reduce the chance of fraudulent transactions. If you would like to read the original SCA requirements, they are set out in the Regulatory Technical Standards or RTS. Banks and card issuers must decline payments that require SCA and don’t meet these criteria.

It is particularly relevant to those of you that are taking payment via the WriteUpp and the Square or Stripe integrations. You can find more information about SCA and the background by heading over to our blog.

From a practical perspective, there's nothing you need to change or think about when it comes to accepting online payments for invoices or prepayment for online bookings. The functionality required to handle SCA is built into both the Square and Stripe integrations via WriteUpp and will automatically be handled as part of a payment.

How does it work?

SCA requires authentication of online payments to use at least two of the following three categories:

Something only the client knows, such as a PIN code or password
Something only the client possesses, such as their mobile phone
Something only the client is, like fingerprint or face recognition

3D Secure 2, an authentication standard supported by most European cards, is the main method used by both Square and Stripe for authenticating card details and meeting the SCA requirements.
3D Secure 2 allows additional information on a transaction to be sent to the card issuer, along with the payment details. This might include data such as the client’s device ID or previous transaction history.

The card issuer then uses this information to assess the risk level of the transaction and to select one of two possible payment flows:
If the data is enough for the card issuer to trust that the cardholder is making the purchase, the transaction goes through the “frictionless” flow and no further authentication is required.
If the card issuer decides that additional authentication is required, the transaction is sent through the “challenge” flow and the client is prompted for additional information to authenticate the payment.

It’s important to note that the customer’s card issuer, not Square, Stripe or WriteUpp, will determine what flow applies to a transaction. Therefore, clients won’t always see the request for additional information as it will be applied on a transaction by transaction basis. If a client is experiencing issues with a challenge flow, they should contact their card issuer for support.

Possible implications

SCA does not just apply to transactions processed via WriteUpp and Square or Stripe but to most online transactions made with a credit or debit card. It’s been fully enforced in the UK since March 2022, so it should be a familiar sight for clients who are used to making online payments.

If clients are not used to this process, and you introduce online payments, you may find that some have difficulty paying your invoices online while they become familiar with SCA. As a result, you may see an increase in payments by cash, BACS transfer or cheque, rather than online. You might also field additional questions about the payment process if you choose to capture prepayment via online booking. However, as clients get used to SCA and how to use it, normality should quickly resume.

Please don't hesitate to grab us on live chat if you have any further questions about SCA!

Updated on: 07/11/2022

Was this article helpful?

Share your feedback


Thank you!