On September 14, 2019, Strong Customer Authentication (SCA) requirements will take effect in the European Economic Area (EEA). These new requirements are part of the revised Payment Services Directive (PSD2) regulations and require additional authentication measures to be taken for certain online transactions.
What is SCA?
Strong Customer Authentication (SCA) is the new European Economic Area (EEA) regulatory directive that requires multi-factor authentication for online transactions to reduce fraud. For a transaction to be approved, customers must be authenticated with at least two of the following three elements:
- Knowledge – something the customer knows (e.g. password)
- Possession – something the customer has (e.g. phone)
- Inherence – something the customer is (e.g. fingerprint)
Who is impacted by SCA?
SCA is required on card transactions where both the merchant’s bank (“acquiring bank”) and the bank issuing the customer’s card are located within the European Economic Area (EEA).
The countries located within the EEA are: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.
SCA will not be required for transactions where the card is issued outside of the EEA or if the merchant contracts with an acquiring bank outside of the EEA.
SCA and Recharge Payments
The good news for anyone using Recharge is that we are doing the work to ensure our checkout and recurring transactions are SCA compliant, and little to no work is required from merchants.
1. Does it matter which payment processor I use?
- Stripe – At this time, no action is required by merchants to be SCA compliant with Recharge.
- Braintree – At this time it is recommended that you email Braintree to determine if SCA impacts you. If impacted, then send an email to Braintree requesting that they enable 3D Secure 2 on your Braintree account. 3D Secure 2 is required to be SCA compliant.
- Authorize.net – Please contact your Authorize.net representative for further details. In many cases, we have already been in touch with merchants located in the EEA and using Authorize.net about next steps.
2. How will Recharge checkout work?
Recharge has configured the checkout to handle SCA requirements.
In the event SCA verification is required for a checkout transaction after a customer has entered their card details, a modal window will be displayed for the customer to authenticate the payment. After the customer authenticates the transaction, the purchase will be completed.
3. How will Recharge recurring charges work?
Recharge has configured the recurring charges to handle SCA requirements.
We expect that recurring charges will NOT require SCA verification since the transactions are identified as “merchant-initiated.” Merchant-initiated transactions fall outside of the scope of SCA and thus do not require authentication.
In the event SCA verification is required for a recurring charge, an email notification will be sent to the customer with a link to re-authenticate the payment. The customer will click the link, re-authenticate the payment, and then the charge will be processed.
4. How will Recharge customer portal card updates work?
Recharge has configured the customer portal card update pages to handle SCA requirements.
In the event SCA verification is required when a customer is updating their card, a modal window will be displayed for the customer to authenticate their card. After the customer authenticates their card, it is saved for future recurring charges.
5. How will the Recharge API work with SCA?
If your merchant account (or bank account) is located in the EEA AND you sell to customers in the EEA AND you use A) the Recharge Checkout API OR B) the Recharge Customer API to create customers with payment gateway tokens, then you’ll need to implement SCA compliant workflows in your application. Please consult your payment processor for the relevant documentation and whether it is required.
Most national regulators in the EEA have made public announcements to extend the timeline of enforcement beyond September 14, 2019 to allow more time for the banks and payment industry to become compliant. This means that SCA verification will be implemented gradually, and customers will gradually begin to encounter the multi-factor authentication requirement.
Recharge is taking all the necessary steps for merchants to be SCA compliant on the Recharge platform before the September 14, 2019 enforcement date. We look forward to continuing to develop solutions to support our merchants staying compliant so you can continue focusing on growing your subscription business.