Is Spiffy compliant with SCA regulations?

Yes, Spiffy is already fully supporting the new Strong Customer Authentication (SCA) regulations that were scheduled to go into effect on September 14th, 2019.

Although the deadline for required enforcement of the SCA regulations has been pushed back 18 months, it’s still a best practice to start using SCA verified transactions as soon as possible. Various countries will choose to enforce SCA before the extended 18 month deadline by the EU. Click here on more information on this directly from the FCA.

No extra action or setup is required. All accounts support SCA verified transactions by default. Here is more information on the SCA Stripe integration.

Preview

This is what your customers will see when SCA verification will be required.

Note: Above screenshot is taken in Test Mode.

Customer Portal

If your customer has orders that are pending 3DS authentication, they can see this in the Customer Portal and can initiate the authentication process from within the portal.

In the case of SCA verification failure, users will see a failure notice:

We haven’t seen any edits for a while. Still working?

What is Strong Customer Authentication (SCA)?

Strong Customer Authentication (SCA) is an EEA/EU regulation meant to make online, card-not-present payments more secure, and prevent fraud. The regulation is requiring online sellers to implement more stringent methods of validation to ensure the payments they are taking are in fact a verified transaction. It falls into the category of multi-factor authentication, which is a best practice for accessing online accounts with sensitive information. 

These new rules and regulations mean customers will have to approve online payments through a second level of authorization, also known as Two-Factor Authentication (2FA).

Under SCA, companies will have to verify a customer’s identity by two of the three following elements: something the customer possesses (ex: the credit card itself, a mobile device or smart card); something only the user knows (ex: such as a password or PIN); and something that the user is (ex: which means biometrics such as a fingerprint or facial scan).

Essentially, it brings it closer to in-person payments, where having the card and knowing the PIN satisfies two of those three elements.

Who is affected by SCA?

The regulation is intended to apply specifically for transactions where  both the cardholder’s bank and the business accepting the transaction are located in the European Economic Area. If you are based outside the EU, or your customer base is not in the EU – then you should be unaffected by the SCA regulations.

From Stripe’s website:

Prepare for SCA and update your Stripe integration if all of the following apply:

– Your business is based in the European Economic Area (EEA) or you create payments on behalf of connected accounts based in the EEA
– You serve customers in the EEA
– You accept cards (credit or debit)

It’s important to note that no one really knows exactly what the impact of these new regulations will be, and who exactly will be affected, before they are actually enforced.

We will do our best to ensure that we are up-to-date on any changes to the SCA regulations, and to ensure our SCA support meets all best practices.

How will things change for my EU customers?

If your customer is in the EU, and you are a SCA qualified business, when they go to make a purchase their bank card will require an additional step before the transaction is successful. They will be prompted to authenticate their purchase in the checkout process.  For subscriptions, Strong Customer Authentication (SCA) will require an additional step of customer authentication.  Even if they authenticated in the past, the new SCA regulations may require your customer to come back online and re-authenticate a future payment too. We’ve built Spiffy to be able to handle these types of failed payments, and make it easy for your customers to verify failed payments due to SCA verification.

If your customer’s bank requires re-authentication we will send that customer an email on your behalf prompting them to re-authenticate.  Additionally, in the SamCart dashboard you will be able to see customers whose subscriptions failed because they failed to re-authenticate.

What do these new SCA regulations mean for my existing subscriptions?

It seems there will be a grandfathering of existing subscription, where they will be allowed to continue processing without SCA verification, but we can’t be certain. Even if a customer authenticated in the past, SCA may require your customer to come back online and re-authenticate.  This is why we are encouraging all of our customers to adopt these new standards and regulations before they go into full force. There are a list of SCA exemptions that say subscriptions for a set price may not need to be reauthenticated.

We expect certain countries to enforce these new regulations before they are required to. This would allow you to work through any SCA issues coming from a very small percentage of your user-base, rather than waiting until the deadline and potentially having a much bigger problem to deal with.

Resources and Other Information on SCA

1. https://stripe.com/guides/strong-customer-authentication
2. https://www.fca.org.uk/firms/strong-customer-authentication
3. https://www.fca.org.uk/news/press-releases/fca-agrees-plan-phased-implementation-strong-customer-authentication
4. https://en.wikipedia.org/wiki/Strong_customer_authentication
5. https://www.fca.org.uk/consumers/strong-customer-authentication
6. https://www.jpmorgan.com/europe/merchant-services/insights/psd2-are-you-ready-for-strong-customer-authentication-sca