Skip to main navigation Skip to main content

  1. Home
  2. Insight Series
  3. Regulatory Updates
  4. Are you ready for Strong Customer Authentication?


Are you ready for Strong Customer Authentication?

New rules coming into place aim to make the online payments system safer for both merchants and consumers. Strong Customer Authentication is designed to verify that an online customer is who they say they are by adding an extra layer of protection at the time of the transaction, when a customer pays online.

What are the changes?

In the past, ecommerce customers only had to give their card number and the CVC verification code to pay online. From 14 September 2019 onwards, more information will be needed for the transaction to succeed. The move is intended to prevent fraudulent payment transactions, stopping millions of pounds worth of fraud every year.

Two different types of checks – known as two-factor authentication – will be introduced for some online payments. In the past, additional authentication might have been a password or a question like What is your mother's maiden name?, but now, more sophisticated methods will be allowed, from fingerprints to wearable devices or tokens.

The changes apply to online payments within the European Economic Area (EEA), when both the cardholder's bank and the business's payment provider are in the EEA. They are the result of the banking and payments industries working together with regulators to create a solution to the EU Payments Services Directive (PSD2). These changes will be made whatever the UK's relationship with Europe in September, as the new rules are being passed into UK law.

You need to make sure your business understands what these changes mean for day-to-day operations and how to remain compliant. This guide explains what the changes are and how they might affect you.

When will Strong Customer Authentication be used?

Strong Customer Authentication (SCA) applies when a customer:

  • Logs on to their online payment account
  • makes an electronic payment online
  • carries out another potentially high-risk transaction online, like changing their telephone number

To comply with the regulations, a new standard for verification, 3D Secure 2.0, will be required. Mastercard wants this in place for merchants by April 2019 and Visa by September 2019. Strong Customer Authentication comes into force on 14th September 2019.

A much higher number of transactions requiring authentication are likely and you may need to upgrade your website to support this new functionality. The new 3D Secure is designed to operate more smoothly and seamlessly with both desktop and mobiles, improving the payment experience for customers.

Transactions that do not need SCA

Some payments will be exempt from SCA. These include transactions that are:

  • Low value (below €30)
    An electronic transaction that is below the value of €30, doesn’t number more than 5 transactions, or exceed a €100 cumulative spend value.
  • Contactless (below €50)
    A contactless card transaction that is below the value of €50, doesn’t number more than 5 transactions, or exceed a €150 cumulative spend value.
  • Below the fraud rate threshold
  • From a trusted beneficiary – whitelisting
    When the cardholder has listed a particular merchant as a trusted beneficiary with their bank, transactions will be exempt from 3D Secure. This process is also known as whitelisting. This means customers who shop with you regularly and add you to their whitelist will not usually need to authenticate payments with you again.
    Adding or amending details about a trusted beneficiary will require additional authentication. It's also worth knowing that issuers can still reject the whitelisting request if the customer is thought to be high fraud risk.
  • Mail orders and telephone orders
  • Subscriptions
    Recurring transactions like subscriptions with a fixed amount will be exempt from the second transaction onwards –once the initial transaction has been authorised.
Regulatory Technical Standards implementation timeline

Regulatory Technical Standards implementation timeline

What will PSD2-approved SCA transactions look like after September 2019?

What will PSD2-approved SCA transations look like after September 2019?

What do you need to do?

You need to consider how these changes are likely to affect your online customer journeys and any potential impacts on your business. You may need to evaluate how you will integrate 3D Secure 2.0 into your payments process – for example, accepting a fingerprint for transactions made on a mobile phone – and then implement any changes.

By 14th September 2019, you must ensure that the following comply with RTS for strong customer authentication:

  • You comply with RTS for strong customer authentication transactions thresholds.
  • Your website or app is updated by your Payment Service Providers (PSP) to support the new regulations, e.g. Visa Secure, or Mastercard® Identity Check.

After the 14th September 2019, any non-compliant transactions may be declined by the issuing bank. If you are not compliant with the SCA regulation following this deadline, you (the merchant) may be liable for chargeback.

What is Lloyds Bank Cardnet doing about SCA?

We have been actively involved in discussions about the regulations to help make sure they are effective and workable.

We are updating our systems to comply with the new rules, while making sure that the process is as seamless as possible for merchants and their customers.

Lloyds Bank Cardnet has contacted all PSP to advise them of the changes. We also advise you to contact your PSP directly to discuss any technical changes that may be required.

Further insight

See what changes are also being made to Confirmation of Payee.

Get tips on avoiding fraud and improving payment security.

Receive our Thought Leadership and Market Updates

Get our top insights to help your business by signing up to our Thought Leadership and Market Updates. From the latest retail trends to payment regulation, our experts will keep you up to speed. Please enter your email below if you would like to receive our Thought Leadership and Market Updates.

Your information will be held by Lloyds Bank plc trading as Cardnet, part of the Lloyds Banking Group. More information on the Group can be found at

Please scroll down in order to confirm acceptance of our Terms and Conditions