What you need to know about Strong Customer Authentication (SCA)
Heads up, we’ve moved! If you’d like to continue keeping up with the latest technical content from Square please visit us at our new home https://developer.squareup.com/blog
What is SCA?
Strong Customer Authentication (SCA) is a new European regulation that will go into effect on September 14, 2019 to make customer-initiated online and in-app payments more secure in the European Economic Area (EEA). Currently, when paying online, customers need to enter their card number, expiry, CVV, and postal code to make a payment. After SCA goes into effect, any website or mobile app accepting customer-initiated payments will have to pass additional information about the customer to their payments provider (in your case, Square). Payments without this additional authentication will be declined by the cardholder’s bank.
Do I need to support SCA?
SCA will be required for all customer-initiated online and in-app payments within Europe, where both the business taking the payment and the cardholder’s bank are in the European Economic Area (EEA). In other words, if you operate an online/in-app business based in the EEA and have customers who are also in the EEA, your transactions will need to be SCA compliant by September 14, 2019. Also note that SCA will apply regardless of Brexit in the UK.
How will Square help me prepare for SCA?
We are working on updates to our platform to enable your application to become SCA-compliant and to minimize the impact of declined payments. These updates will let you provide additional information about your customer to Square, like full name and billing address, to help Square assess the riskiness of a transaction. Our APIs will automatically apply for all possible exemptions for low value and low risk transactions to reduce friction for your customers while keeping your transactions compliant with SCA. If no exemption applies, we will dynamically trigger a challenge to authenticate the customer with at least two of the following three elements:
Using two of these elements together, instead of the traditional approach of using only passwords, will help reduce online fraud. We will also incorporate other low friction authentication mechanisms like fingerprint and facial recognition to help increase your conversion rates.
We are currently making these changes to the Square Payment Form, In-App Payments SDK, and our Connect v2 APIs. Developers using these products will need to make updates to their integrations by September 14, 2019, in order to ensure smooth payment acceptance once SCA goes into effect. We will be updating this post with detailed instructions for how to update your integration in the coming weeks. In the meantime, if you have questions or suggestions, you can contact developer support, or join our Slack channel.