What you need to know about Strong Customer Authentication (SCA)


Last updated on September 24, 2019

What is SCA?

Strong Customer Authentication (SCA) is a new European requirement that went into effect on September 14, 2019 to make customer-initiated online and in-app payments more secure in the European Economic Area (EEA).

Currently, when paying online, customers need to enter their card number, expiry, CVV, and postal code to make a payment. When SCA enforcement begins, any website or mobile app accepting customer-initiated payments will have to pass additional information about the customer to their payments provider (in your case, Square). Payments without this additional authentication will be declined by the cardholder’s bank.

Do I need to support SCA?

SCA will be required for all customer-initiated online and in-app payments within Europe, where both the business taking the payment and the cardholder’s bank are in the European Economic Area (EEA). In other words, if you operate an online/in-app business based in the EEA and have customers who are also in the EEA, your transactions will need to be SCA compliant. Also note that SCA will apply regardless of Brexit in the UK.

The Financial Conduct Authority (FCA) recently announced it will delay the full enforcement of SCA by 18 months to March 2021, by which time all banks, retailers, and payment providers are expected to be fully compliant. Despite this enforcement delay, the FCA still expects payment providers to start rolling out new measures in a staggered approach, and some banks may begin enforcing SCA requirements starting on September 14, 2019. Square is ready to support SCA from this date, and you may notice changes beginning then. Given that the FCA will not pursue enforcement action against companies when there is evidence they are making efforts to comply with SCA, we advise all Square developers and partners to take appropriate steps in order to be ready for any level of enforcement.

How will Square help me prepare for SCA?

We made updates to the Square Payment Form and the Connect V2 APIs to enable your application to become SCA compliant and to minimize the impact of declined payments. These updates will let you provide additional information about your customer to Square, like full name and billing address, to help Square assess the riskiness of a transaction. Our APIs will automatically apply for all possible exemptions for low-value and low-risk transactions to reduce friction for your customers while keeping your transactions compliant with SCA. If no exemption applies, we will dynamically trigger a challenge to authenticate the customer with at least two of the following three elements:

Using two of these elements together, instead of the traditional approach of using only passwords, will help reduce online fraud. We will also incorporate other low-friction authentication mechanisms like fingerprint and facial recognition to help increase your conversion rates.

Here is a step-by-step overview of the changes you need to make for your application to be SCA compliant:

Step 1

Step 2

Step 3

Step 4

Step 5

Step 6

Developers will need to start making updates to their integrations by September 14, 2019, in order to ensure smooth payment acceptance once SCA goes into effect. You can make these updates today in both your sandbox and production environments, and your application will be SCA compliant when the SCA changes begin rolling out industry-wide on September 14, 2019. You can read more about these changes in our documentation.

If you have questions or suggestions, you can contact developer support, or join our developer community.