Take Payments

Strong Customer Authentication Overview

Use Strong Customer Authentication in Square online and in-app payments APIs to verify the buyer and reduce the chance of fraudulent transactions.

Note

We advise all Square developers and partners operating in the EEA, including the UK, to take appropriate steps in order to be ready for SCA enforcement starting January 1, 2021 to avoid an increase in declined payments for European cardholders.

What is SCA? Permalink Get a link to this section

Strong Customer Authentication (SCA) is a new European requirement to make online and in-app payments more secure in the European Economic Area (EEA).

Currently, when paying online, customers must enter their card number, expiry, CVV, and postal code to make a payment. When SCA enforcement begins, customers will be required to complete two of the three factors of authentication when initiating a payment: something you know, something you own, something you are. For online card payments, the SCA requirements are met by implementing 3D-Secure. For in-store payments, SCA requirements are met through use of chip & PIN or mobile wallets. Payments without this additional authentication will be declined by the cardholder’s bank. Payments initiated by sellers, such as recurring transactions or mail-order/telephone order (MOTO), do not require SCA.

Note

As of May 2019, Square UK sellers are no longer required to include a buyer postal code when using Virtual Terminal.

sca intro

Do I need to support SCA? Permalink Get a link to this section

We advise all Square developers and partners operating in the EEA, including the UK, to take appropriate steps in order to be ready for SCA enforcement starting January 1, 2021 to avoid an increase in declined payments for European cardholders.

In the UK, banks are expected to start asking their cardholders to complete SCA starting June 1, 2021 with full enforcement of the SCA requirements by September 14, 2021. Across the rest of the EEA, banks will start ramping up the SCA enforcement January 1, 2021 with a staggered ramp-up through 2021.

Square provides SCA features for online and in-app payments within Europe, where the business taking the payment and the cardholder's bank are both in the European Economic Area (EEA).

Note

SCA is not required for in-person payment solutions, such as the Square Point of Sale API or Reader SDK applications.

How is Square helping me prepare for SCA? Permalink Get a link to this section

Sellers using Square’s products such as Square Online and Invoices do not need to make any changes as the products have been updated to meet SCA requirements. For example, Square will invoke 3D-Secure for online card payments or flag transactions as exempt (e.g. merchant-initiated). No additional updates are required for in-person payment solutions such as Square Point of Sale API or ReaderSDK.

Developers and partners that use Square’s developer products such as Square Payment Form and the Connect V2 APIs must ensure their applications are SCA-compliant to minimize the impact of declined payments.

Using two of these elements together, instead of the traditional approach of using only passwords, helps reduce online fraud. Square will also incorporate other low-friction authentication mechanisms like fingerprint and facial recognition to help increase your conversion rates.

How it works Permalink Get a link to this section

Learn how Strong Customer Authentication works by choosing Next and walking through the steps in the following example:

Walkthrough Image

Next steps Permalink Get a link to this section

Read the following topics to learn how to modify a card entry method in your web application to verify a buyer's identity using additional secure authentication: