What is SCA (Strong Customer Authentication)?

SCA stands for Strong Customer Authentication and it’s a European regulation that makes customers verify who they are when they make electronic payments. PSD2 laws created this requirement. This extra security step has become one of merchants’ best tools for preventing fraud-related chargebacks.

This matters quite a bit for your business. It gets much harder for customers to claim they never authorized a transaction when they have to verify their identity through two or more authentication checks. If a person has to enter their password and then confirm it with their fingerprint or a text message code, they can’t just say “that wasn’t me” later on.

Europe has seen pretty impressive results. Before SCA rolled out, unauthorized transaction claims were one of the biggest problems for merchants. Those claims have dropped quite a bit since customers now have to complete more verification steps to finish their purchases. It’s much harder to dispute a charge when the bank can show that you entered your PIN and approved the transaction on your phone.

This extra layer of protection works for everyone. Customers feel safer because fraudsters can’t just steal their card number and make unauthorized purchases. At the same time merchants get better protection against actual fraud and false claims of fraud. Banks now have an authentication trail that creates evidence the right person made the payment.

How It Works

Strong Customer Authentication works by checking proof drawn from three different categories before it lets a customer finish a payment. Businesses use three separate categories because each one catches fraudsters who already have some customer information.

Something your customer actually knows in their head makes up the first type of proof – like a password they’ve memorized or a PIN that they enter into the ATM. Payment providers sometimes add security questions on top of this, asking about personal bits of info which only live in that person’s memory. Hackers can’t just grab information locked away in someone’s brain and that’s the whole point behind this category.

Something your customer physically owns and carries around with them forms the second type of proof – this could be their smartphone that receives a text message with a one-time code or maybe a banking app which generates fresh numbers every few minutes. Some banks mail out little card readers or token devices that customers have to use when they check out. This physical device has to be in their hands when they want to buy something.

Biometric data provides the third type of proof – we’re talking about what your customer physically is. Smartphones have made this pretty popular since customers can just touch their finger to the screen or look at their camera to approve a payment. Voice recognition shows up more and more too. These physical characteristics are ones which belong to just one person and they’re almost impossible for criminals to copy or steal.

Most payment systems will ask customers for two of these three types of proof. Your customer might type in their password and then scan their fingerprint on their phone to finish the transaction or they’ll enter their PIN and wait for a text message code to arrive. I see this double-checking setup everywhere because it creates multiple layers of protection which all work separately from one another.

How it Affects Chargeback Prevention

SCA actually helps merchants fight chargebacks in ways that might shock you. Customers going through the verification process with multiple authentication methods create an easy-to-follow paper trail that merchants can use later when disputes come up.

Merchants lie awake at night worrying about those dreaded “I didn’t make this purchase” chargebacks. With SCA in place, customers have to authenticate themselves before completing any transaction and it makes it much harder for them to later claim the purchase wasn’t authorized. All the evidence is right there in the authentication records.

European laws take this protection one step further. Merchants who follow SCA laws see the liability for a lot of types of fraud move away from them and it means that they’ll face fewer losses from fraudulent transactions and much better protection for their business as a whole.

Merchants see fairly strong results. Merchants who use SCA correctly usually see their chargeback ratios drop quite a bit. Friendly fraud gets much less common because customers know that the authentication process leaves a trail behind. Disputes that do happen give merchants way stronger evidence to defend themselves with.

Some businesses report that their unauthorized transaction disputes drop by half or more after they start the right authentication. Others find that their dispute rates improve enough to qualify for better payment processor rates and terms. These improvements translate directly into saved money and far fewer issues for the merchant.

Example Scenarios

A few weeks later that same customer tries to dispute the charge and you have some proof that they actually authorized the transaction. Any dispute is much easier for you to win as the merchant since the bank can instantly see they completed the authentication process.

Of course not every transaction actually needs that full authentication process. Take subscription service customers who pay you $9.99 every month like clockwork. After their very first payment goes through with the full authentication, those recurring charges usually skip the extra verification steps. Your payment processor recognizes the established pattern and applies the exemption automatically. Your customer gets a smooth, frictionless experience while you still get some protection against possible disputes.

Different businesses see different authentication patterns as well. Software businesses may have to run authentication for the first purchase but then allow add-ons or upgrades to process without any extra verification steps. Online retailers might need authentication for orders above a certain dollar amount but let smaller purchases flow through without any friction. You want to balance convenience for your business model and make sure the authentication trail stays ready whenever disputes come up.

Requirements and Timeframes

Strong Customer Authentication (SCA) laws apply to any business that processes payments from customers in Europe – that’s all EU countries and Norway, Iceland and Liechtenstein. Most merchants don’t realize that it doesn’t matter where your business is actually located – if your customer’s bank is in one of these countries, you need to follow SCA laws.

Most payment transactions do need SCA compliance. A handful of exceptions can make the process easier. Any transaction under 30 euros skips the extra verification steps altogether. Subscription payments work a bit differently – SCA only applies to the very first charge when a customer signs up and every recurring payment after that can skip the extra verification. Low-risk transactions under 500 euros might also qualify for an exemption and your fraud rates will decide if you’re eligible. Your payment processor will take care of these exemption decisions automatically, so you won’t have to review each transaction yourself.
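
The exemption rules above and the two-of-three rule from "How It Works" can be combined into one decision, shown here as an added example that is not code from any payment processor. The method names, the `Payment` fields and the low-risk fraud-rate bands are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Factor categories from "How It Works"; method names are hypothetical labels.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "sms_otp": "possession", "app_code": "possession", "card_reader": "possession",
    "fingerprint": "biometric", "face": "biometric", "voice": "biometric",
}
# (amount ceiling in EUR, maximum fraud rate in %). Assumption: bands modelled
# on the PSD2 RTS reference fraud rates for remote card payments; the page only
# says "under 500 euros" and that fraud rates decide eligibility.
LOW_RISK_BANDS = [(100, 0.13), (250, 0.06), (500, 0.01)]

@dataclass
class Payment:
    amount_eur: float
    recurring: bool = False                 # part of a subscription series
    first_in_series: bool = False           # the sign-up charge of that series
    fraud_rate_pct: Optional[float] = None  # None: no low-risk exemption available

def exemption(p: Payment) -> Optional[str]:
    """Return the exemption that applies, or None when SCA is required."""
    if p.recurring:
        # The sign-up charge is always authenticated, even when it is small.
        return None if p.first_in_series else "recurring"
    if p.amount_eur < 30:
        return "low_value"
    if p.fraud_rate_pct is not None:
        for ceiling, max_rate in LOW_RISK_BANDS:
            if p.amount_eur < ceiling and p.fraud_rate_pct <= max_rate:
                return "low_risk"
    return None

def categories(methods: list) -> list:
    """Distinct factor categories covered; unknown methods count for nothing."""
    return sorted({CATEGORY[m] for m in methods if m in CATEGORY})

def authorize(p: Payment, methods: list) -> dict:
    """Decide one payment and return the record a merchant would keep."""
    reason = exemption(p)
    if reason:
        return {"approved": True, "sca": False, "exemption": reason}
    cats = categories(methods)
    if len(cats) < 2:  # password + PIN is two steps but only one category
        return {"approved": False, "sca": False, "categories": cats}
    return {"approved": True, "sca": True, "categories": cats}
```

The returned record is the kind of authentication trail the article describes: it shows whether a payment went through under an exemption or with two distinct factor categories.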

Each European country rolled out its SCA laws at a different pace and this enforcement timeline created a lot of issues for merchants. Britain was slower and didn’t finish full enforcement until March 2022 but France and Italy wrapped up their transition periods around that same window. To make matters even more confusing, some countries were extremely strict from day one but others were more lenient and gave merchants much longer grace periods to update their payment systems.

SCA violations cause financial problems and I see merchants underestimate how fast these problems can add up. Banks automatically decline transactions that should have SCA authentication but don’t have it. That means you lose sales instantly. Even worse, you also lose all chargeback protection on payments that skip the SCA steps. If a customer disputes one of these charges then you’ll automatically lose the case no matter what happened. Card networks can also impose fines for repeated SCA violations and these penalties will increase faster if you don’t fix the compliance gaps.

Frequently Asked Questions

Does SCA cut back on friendly fraud chargebacks?

A customer claims that they never made that order and you need firm proof that they actually did make it. Multi-factor authentication can become your strongest defense in these situations. Every time a shopper completes those extra security steps, you get an online paper trail - one that shows the very second they entered their password and confirmed their identity from their own device.

Customers find it hard to dispute transactions later after typing in that verification code from their own phone. Authentication leaves this online trail that proves they had control of their device and their account at that exact second. Banks and credit card businesses really care about this verification data during their fraud investigations and usually treat it as strong proof that the person was actually behind the transaction.

False dispute rates drop by as much as 70 percent. This large drop happens because customers can't just claim ignorance anymore and have to actively take part in the entire buying process.

This protection matters more than most merchants think. Every successful dispute costs you the original sale amount and the extra fees on top of that. Sometimes you even lose the physical product if you have already shipped it out. Having that authentication record to show the card company puts you in a much stronger position. Customers now have to explain how anyone could have gotten hold of their card and their personal phone at the same time. In most cases they just can't come up with an explanation because they actually placed the order themselves.

What happens without SCA compliance?

If your business works with credit card payments from European customers, costs can escalate fast once your setup doesn't follow the compliance laws. Ignore the laws and the first consequence is you lose all chargeback protection on each transaction. Any customer dispute automatically goes in their favor whenever they challenge a charge. They pull the money right out of your business account.

European banks actually have the ability to refuse your transactions altogether and make everything worse. A customer comes along ready to buy with a credit card in hand and the payment gets rejected. Not because there's anything wrong with their account or they don't have enough funds - just because your payment setup doesn't meet the compliance standards. That possible revenue just walks right out the door.

That liability change is probably the most painful part and I see businesses get taken aback by this all the time. Card networks give merchants protection against different types of fraud most of the time. Your business becomes responsible for fraudulent transactions once compliance breaks down and that protection disappears completely. Just one instance of fraud can run into thousands of dollars.

Businesses assume that they can wait and see how the situation develops, maybe hoping they'll stay unnoticed for a while. Regulatory fines start instantly once the authorities find non-compliance - that's what makes this risky. There are no warnings or grace periods to get everything fixed. Penalty notices just arrive in your mailbox demanding payment. At the same time, chargeback losses keep adding up day after day. Your cash flow can get devastated in a matter of weeks from regulatory fines and lost dispute cases combined.

Are chargebacks still possible after SCA?

Some think that SCA completely removes chargebacks. It doesn't work that way though. Customers can still dispute charges if they never receive their product or if what arrives is broken or definitely wrong and those situations remain reasons to ask the bank for their money back.

Unauthorized-transaction claims have changed quite a bit - this used to be an almost automatic win for customers. SCA authentication leaves an online paper trail which is very hard to dispute. Banks can see that the actual cardholder approved the order. That evidence makes it nearly impossible to claim that somebody else used your card without permission.

Before SCA came along, merchants had to take customers at their word about unauthorized charges. Merchants now have solid proof that the right person placed the order. That tips the balance heavily in favor of merchants during disputes.

This protection isn't absolute. It's much stronger than what merchants had before though. They still need to deliver what they promise and to manage customer service well. Yet they no longer have to worry nearly as much about buyers who claim fraud after remorse sets in. Authentication records now work like a shield in these disputes.

How much does SCA typically affect conversion rates?

Look at the big picture here - these authentication laws put businesses in a tough position between protecting themselves and keeping customers happy during checkout. Most authenticated transactions convert around 82% across Europe but it changes quite a bit - some harder markets see about 75% while regions where customers are used to the process can hit nearly 90%. Markets without authentication laws still come in at 7-13% higher. This temporary friction has to be weighed against the long-term protection from fewer chargebacks and fraud losses.

A smart rollout makes this transition work instead of turning everything on everywhere at once. Exemptions can be helpful if they're done right - transaction risk analysis tools let you skip extra authentication steps for payments that don't actually need them. Picking authentication methods that customers find easy to use keeps the whole experience smooth. Merchants were worried about what this might do to their conversion rates. Most have found that when they change their strategy and give shoppers a little time to get comfortable with the changes they can capture the security they want and conversion numbers they can live with.

Chargeback disputes are already a headache on their own and layering new authentication laws on top of them makes the situation tougher. Businesses wind up with two separate problems that need attention at the same time. Fraud-prevention routines that businesses already know now have to work alongside these brand-new laws and most businesses just aren't equipped to manage both at once. Each area has its own set of regulations and best practices and once they start to overlap it creates some pretty complex situations that need an expert who understands both sides to sort them out.
