Strong Customer Authentication: what is going to change?

Strong Customer Authentication: what is going to change?

Strong Customer Authentication: what is going to change?

The payments space is changing, and with that, so are the security regulations around it. 

To remain hygienic throughout the pandemic, most stores will only accept contactless payment. This move comes on the back of payment habits in a pre-pandemic world. In 2019, there was an uptick in card payments, with many claiming that the UK were en-route to going cashless anyway. In 2020 because of Covid, cash payments also dropped by a further 40%.

To keep up with the growing stream of payments, security measures must be ramped up and will need to be of a high standard. This is where the European Banking Authority’s decision to roll out its Strong Customer Authentication (SCA) regulation comes in.

In September 2019, the Financial Conduct Authority decided to manage the implementation of Strong Customer Authentication during 2021. This is in direct opposition to other European countries that have already attempted to put the new regulation in place by the end of 2020.

SCA was designed to further reduce fraud and protect customers who shop online. With e-commerce expected to rise by 276.9% globally until 2023, and new payment methods on the horizon, it was important to make sure that the user's identity is protected when making transactions.

What exactly is Strong Customer Authentication (SCA)?

SCA was originally mandated by the Revised Directive on Payment Services. It means that merchants have to integrate a two-factor-authentication (2FA) solution into their transactions in order to authenticate payments.

The European Union (EU) is eager to fully implement the PSD2 Strong Customer Authentication (SCA) standards this year.

The initial thought behind the new legislation was to make the use of Open Banking for customers easier, and to help fintechs present the users with sleek and secure financial alternatives.

What exactly is going to change?

In the past, customers would pay using only their card number and their CVC verification code.

At the moment, card providers are using an authentication tool called 3D Secure 1. It works based on a code entered when doing an online payment. This is to make sure that the user really is who they say they are. With 3D Secure 2, SCA Information is being collected at the time and place of the transaction.

Now with the new PSD2 regulation which encompasses SCA, the customer will be required to provide further identification information.

SCA uses dynamic data to prove the authenticity of the user. Customers can now combine,

  1. ‘Something they know’ such as a password, pin, number series or secret question along with;
  2. ‘Something that they own’, such as a smartwatch, phone, smartcard, token or a badge;
  3. and on top of that, the user must add ‘something personal’ such as a fingerprint, face ID, voice imprint or DNA signature. 

This is called multi-factor authentication.

With SCA and 3DS2, dynamic data points are used to confirm the identity of the user. Even though the number of authentication points is higher, the possibility of choice for the customers leads to a better authentication experience and fewer drop-offs from going through the payment process.

Are there any exceptions?

There are some exceptions for transactions that involve small amounts which carry a smaller risk. Plus, transactions that recur do not require more than one strong customer authentication action. If customers add companies to a whitelist of trusted payees, they can also pay those without having to go through 3D Secure verification and paying fees.

What will happen to the user experience with 3D Secure 1 now that we have SCA?

Thanks to Strong Customer Authentication, the clunky 3D Secure 1 will be optimised. Instead of generating passwords, the user can now authenticate simply with a smile or a fingerprint. 3DS2 uses APIs to exchange the authentication data with banks and integrate it into websites and applications seamlessly while also fulfilling the SCA requirements. 

What are the downsides of SCA?

It could create frustration and cause delayed or abandoned transactions as more authentication steps are required to complete payments. 

Many businesses are not ready for the SCA deadline or do not fully understand all the responsibilities. If they haven't implemented SCA in time, they will potentially face a decline in sales, as the customers will not be authenticated and won’t be able to transfer money.

Furthermore customers who rarely buy goods and services online and who are looking for an efficient customer experience might not like a huge authentication process. This could lead to disappointment and lack of motivation when facing the multiple authentication steps of SCA.

Our thoughts on SCA

At tomato pay, we are glad that the implementation of SCA will reduce the risk of fraudulent payments. Over 3.4 million people are victims of fraud every year in the UK. As we move into the payments space, SCA is something we are considering through every step of our building process in-house. Although regulation is feared by some, we look forward to seeing how SCA will further improve the trust between customers and the fintechs handling their money.

To find out more on tomato pay thoughts on SCA, please contact Lisa at

Community has never been as important as it is today, and watching the business and sole trader community struggle throughout the past year has spurred us on to take a more community-led approach to our business.

tomato pay is a simple, QR-code based payments and invoice app powered by Open Banking and built on our tomato pay API platform which offers both AIS and PIS capabilities.

Businesses and sole traders can benefit from our low-cost QR-code payments solution with no hidden fees, which saves them money compared to their current payment systems, gives them instant access to their money as cash settlement happens almost immediately, and access to all of their bank accounts in one place.

Businesses and sole traders can benefit from our quick and easy invoice solution. Invoices can be created within the app, with the option to give discounts and late penalties (pre-built into the app using gamification and behavioural science) and send nudges to remind customers and clients to pay. Plus, as you connect your bank account, payments are embedded within the app - so no need to give your bank details, and receive money owed instantly into your account.

Everyone can support their local communities thrive by paying their neighbourhood businesses in a cashless, hassle-free way.