27/03/2019

Are you ready for Strong Customer Authentication?

New rules coming into place aim to make the online payments system safer for both merchants and consumers. Strong Customer Authentication is designed to verify that an online customer is who they say they are by adding an extra layer of protection at the time of the transaction, when a customer pays online.

Updated timeframes from Financial Conduct Authority

The original deadline for implementing Strong Customer Authentication (SCA) was 14 September 2019. However, following the recent announcement from the European Banking Authority (EBA), which set out that more time was needed to implement SCA, the Financial Conduct Authority (FCA) has agreed an extended phased roll-out plan to move the UK to full compliance, with an updated deadline of 14 September 2021. We will continue to keep this page up to date with any further information. You can access more details on our Strong Customer Authentication FAQs.

What are the changes?

In the past, ecommerce customers only had to give their card number and the CVC (Card Verification Value) verification code to pay online. From 14 September 2019 onwards, more information will be needed for the transaction to succeed. The move is intended to prevent fraudulent payment transactions, stopping millions of pounds worth of fraud every year.

Two different types of checks – known as two-factor authentication – will be introduced for some online payments. In the past, additional authentication might have been a password or a question like "What is your mother's maiden name?", but now, more sophisticated methods will be allowed, from fingerprints to wearable devices or tokens.

The changes apply to online payments within the European Economic Area (EEA), when both the cardholder's bank and the business's payment provider are in the EEA. They are the result of the banking and payments industries working together with regulators to create a solution to the EU Payments Services Directive (PSD2). These changes will be made whatever the UK's relationship with Europe in September, as the new rules are being passed into UK law.

You need to make sure your business understands what these changes mean for day-to-day operations and how to remain compliant. This guide explains what the changes are and how they might affect you.

When will Strong Customer Authentication be used?

Strong Customer Authentication (SCA) applies when a customer:

  • logs on to their online payment account
  • makes an electronic payment online
  • carries out another potentially high-risk transaction online, like changing their telephone number

To comply with the regulations, a new standard for verification, 3D Secure 2.0, will be required. Mastercard wants this in place for merchants by April 2019 and Visa by September 2019. Strong Customer Authentication comes into force on 14th September 2019.

A much higher number of transactions are likely to require authentication, and you may need to upgrade your website to support this new functionality. The new 3D Secure is designed to operate more smoothly and seamlessly on both desktop and mobile devices, improving the payment experience for customers.

Transactions that do not need SCA

Some payments will be exempt from SCA. These include transactions that are:

  • Low value (below €30)
    An electronic transaction that is below the value of €30, doesn’t number more than 5 transactions, or exceed a €100 cumulative spend value.
  • Contactless (below €50)
    A contactless card transaction that is below the value of €50, doesn’t number more than 5 transactions, or exceed a €150 cumulative spend value.
  • Below the fraud rate threshold
  • From a trusted beneficiary – whitelisting
    When the cardholder has listed a particular merchant as a trusted beneficiary with their bank, transactions will be exempt from 3D Secure. This process is also known as whitelisting. This means customers who shop with you regularly and add you to their whitelist will not usually need to authenticate payments with you again.
    Adding or amending details about a trusted beneficiary will require additional authentication. It's also worth knowing that issuers can still reject the whitelisting request if the customer is thought to be high fraud risk.
  • Mail orders and telephone orders
  • Subscriptions
    Recurring transactions like subscriptions with a fixed amount will be exempt from the second transaction onwards – once the initial transaction has been authorised.

Regulatory Technical Standards implementation timeline


What will PSD2-approved SCA transactions look like after September 2019?


What do you need to do?

You need to consider how these changes are likely to affect your online customer journeys and any potential impacts on your business. You may need to evaluate how you will integrate 3D Secure 2.0 into your payments process – for example, accepting a fingerprint for transactions made on a mobile phone – and then implement any changes.

By 14th September 2019, you must ensure that:

  • You comply with the Regulatory Technical Standards (RTS) for strong customer authentication transaction thresholds.
  • Your website or app is updated by your Payment Service Provider (PSP) to support the new regulations, e.g. Visa Secure, or Mastercard® Identity Check.

After the 14th September 2019, any non-compliant transactions may be declined by the issuing bank. If you are not compliant with the SCA regulation following this deadline, you (the merchant) may be liable for chargeback.

What is Lloyds Bank Cardnet doing about SCA?

We have been actively involved in discussions about the regulations to help make sure they are effective and workable.

We are updating our systems to comply with the new rules, while making sure that the process is as seamless as possible for merchants and their customers.

Lloyds Bank Cardnet has contacted all PSPs to advise them of the changes. We also advise you to contact your PSP directly to discuss any technical changes that may be required.

Further insight

For the latest information see our regularly updated SCA FAQs (PDF).

See what changes are also being made to Confirmation of Payee (PDF).

Get tips on avoiding fraud and improving payment security.
