Get Ready for Strong Customer Authentication

An interview with Cognito Forms CEO Jamie Thomas on SCA and how it will affect customers in the EU.

JamieThomas.jpg

With the September 14 deadline fast approaching, conversation about Strong Customer Authentication (SCA) is heating up among anyone who does business online in the European Union. So we sat down with CEO Jamie Thomas to discuss the coming changes and how they'll affect Cognito Forms users.

If you're not already familiar with SCA, it's part of the EU's Payment Services Directive 2, which was enacted last year to overhaul the European banking and payment system.

While PSD2 overall is intended to make the banking and payment system more competitive, the SCA requirement is designed to make online payments more secure and reduce online fraud.

Will Cognito Forms be ready for SCA on September 14?
Yes. We're currently working with our payment partners to update our system integrations for SCA. Our customers will enjoy a seamless transition without having to make any changes to their forms or accounts.

Will the new integrations affect all Cognito Forms customers?
Since the SCA is part of EU legislations, it will only affect transactions in which both the merchant and card-issuing bank are in the European Economic Area.

There may be a few exceptions if purchasing something from the EU while in the US. That's determined by individual banks in the EU. But the vast majority of users outside of the EU will not notice any changes.

What changes will affected users experience?
When Cognito Forms is used to process a transaction that's subject to SCA, customers may have to enter additional information to prove that they are, in fact, who they say they are.

The exact information, and how it's delivered, will be determined by the customer's bank (the bank that issues the customer's credit or debit card). But it must satisfy the SCA requirement of proving:

  • Something you know (such as a password)
  • Something you are (such as a thumbprint)
  • Something you own (such as your mobile phone)

That could be done by entering a code that customers receive on their phone via SMS while making the purchase. They could receive a pop-up on their phone that they need to tap to approve. Or the act of opening an app using something like face ID or thumbprint ID could satisfy the requirement, making Apple Pay and Android Pay very useful.

It really depends on the bank, and we're working with our payment partners to ensure all authentication methods work seamlessly.

Will all online transactions in the EU require additional authentication?
No. There are many exceptions to the SCA requirements.

  1. First, the SCA only affects payments initiated by customers. So, a subscription payment for a consistently recurring amount will only need to be authenticated once.

  2. Small transactions (below 30 euro) will only need strong authentication for every fifth transaction, or when a cumulative amount of transactions exceeds 150 euro. This will be managed by the banks and the payment partners to help ensure customers experience the least possible friction – while maintaining the highest possible security.

  3. If banks have exceptionally low fraud rates or whitelist specific merchants, those transactions may not be subject to SCA.

  4. Finally, payments that are initiated by merchants – such as when someone uses our card-on-file feature to process a remaining balance at the end of a transaction – will not require the extra layer of authentication.

That's a lot of exemptions, but the thing to remember is that the banks and the payment providers will track these for you. You don't have to do it yourself.

Is there anything Cognito Forms users should do to prepare?
Not at all. Cognito Forms users just need to be aware that their payment flow will be a little different for those transactions affected by the SCA rules.

We're handling everything else directly with our payment partners.

What are Cognito Forms payment partners doing?
Both Stripe and Square are developing automations to check for possible exemptions and deliver a simple customer experience. They're ready for the September 14 deadline.

Are other countries considering similar rules?
Yes, other countries are also considering similar practices. We'll follow these developments and ensure our customers are able to continue using their forms when and if these legislative requirements emerge.