SCA 101: What You Need to Know About the European Regulation
Updated: August 2022
Our Stripe Connector has been updated and is now fully SCA-compliant. The connector now uses Stripe’s updated Payment Intents (formerly Charges) and Setup Intents (formerly Subscriptions) aliases. All existing or new Stripe connectors will be automatically updated to be SCA-compliant and will begin using authentication methods if required by the respondent’s bank. These updates do not affect existing Stripe aliases or current Stripe Connector setups and do not require you to take any action to enjoy the benefits of the update.
When does SCA go into effect?
While September 14, 2019 marked the official introduction of this regulatory requirement, the European Banking Authority announced an enforcement delay in June of 2019. In October 2019, the EBA announced December 31, 2020, as the official enforcement deadline. While many countries have agreed to this deadline, the UK and Switzerland will be enforcing the deadline on September 14, 2021.
Explaining SCA, PSD2, and 3DS2
SCA (Strong Customer Authentication) is a new requirement that’s part of Europe’s PSD2 (second Payment Services Directive). The requirements apply to both EU (European Union) and EEA (European Economic Area) member states.
SCA applies to “customer-initiated” digital payments made in Europe, where the cardholder’s bank and the business requesting the payment are in the EEA. Many financial institutions in the U.K. already subscribe to SCA and will likely continue to do so, regardless of how Brexit pans out.
In accordance with these new regulations, banks must start requiring additional authentication steps for applicable payments in the form of two of the following three elements: something the customer knows, has, or is. As a business, you may need to add authentication steps to your payment processes to comply with SCA requirements.
To meet the authentication requirements and comply with SCA, you will also need to ensure that your payment methods allow for 3D Secure 2 (3DS2). This is an updated, more user-friendly version of the previous 3D Secure protocol, which enables a post-checkout step in a payment process that asks for additional authentication information.
How FormAssembly helps you with compliance
While FormAssembly itself is not required to do anything to comply with PSD2 or SCA, we support several payment connectors for our forms and understand that many of our users are concerned with SCA requirements.
We want to help you navigate which payment connectors are compliant and make you aware of upcoming changes we will be making to our payment connectors, so that, combined with information from individual payment processors, you can make the best choices for your organization.
If you know that you need to comply with SCA or if you are concerned about it, you can offer our PayPal Connector or Stripe Connector on your forms. These connectors will allow SCA-compliant payments for European users and users who have European customers.
Authorize.Net does not have plans to be compliant, but through our communication with them, we have learned that EU Authorize.Net users will be migrated to CyberSource instead. Similarly, we have confirmed with iATS and Chargent that they have no immediate plans to be compliant.
As evidenced by the many groundbreaking data privacy and security regulations in the EU, the U.S., and elsewhere, the need for compliant, secure data processing solutions will only grow, and we urge you to join us in letting these non-compliant payment processors know if their compliance is important to you.
Note: If your organization is not required to comply with SCA or PSD2 requirements, namely, if you do not process payments from European residents, you can continue to use our payment connectors as usual.
Get your SCA questions answered
While some questions may be better answered by individual payment processing solutions, we welcome you to submit any questions you have about your FormAssembly forms that accept payments to our support team. As always, we remain dedicated to helping you navigate the evolving landscape of data security and privacy and maintain compliance with even the strictest regulations.