Strong Customer Authentication: what it is and how it works

Strong Customer Authentication (SCA) aims to make online payments more secure for users and reduce fraud. It is part of the second Payment Services Directive (PSD2), which in the UK is enforced by the Financial Conduct Authority (FCA).

Services that take payments from the EU, Norway, Iceland and Liechtenstein (together the European Economic Area, EEA) must meet the SCA rules by 31 December 2020. Services that only take payments from within the UK must meet the SCA rules by 14 September 2021.

Services meet the SCA rules by implementing 3D Secure 2 (3DS2) or 3D Secure (3DS). Both add an extra identity check, run by the user's bank, before the payment completes, so that the transaction meets the SCA requirements.

3DS2 replaces 3DS. 3DS transactions offer a similar level of protection for users and are compliant with SCA requirements, but 3DS2 reduces friction for users and leads to a smoother paying user experience. 3DS will also be phased out in 2022, though the exact date for this has not been confirmed.

What 3D Secure 2 means for users

3DS2 requires 2 factor authentication: to complete a transaction the user must provide 2 of the following 3 types of evidence, and the 2 must come from different categories (2 passwords, for example, do not count):

  • something the user is, for example their fingerprint
  • something the user has, for example their phone
  • something the user knows, for example a password

Usually this means the user will have to enter a one-time code that their bank sends by SMS to their phone (the "something the user has"), alongside a second factor such as a password.

Transactions processed through digital wallets (such as Apple Pay or Google Pay) already meet the 2 factor authentication requirements, because the wallet authenticates the user on their device (something they have) with a biometric or passcode (something they are or know).

3DS2 will not apply to:

  • any transactions where either the merchant's or the payer's payment provider is outside the EEA (a "one-leg-out" transaction)
  • merchant initiated payments, for example subscriptions
  • telephone payments

Some payments may be exempted from 3DS2:

  • low value transactions, for example those under £30 (this exemption stops applying after 5 consecutive exempt payments, or £100 cumulatively, since the card was last authenticated, so the user is still challenged periodically)
  • low risk transactions, where the Payment Service Provider (PSP) keeps its fraud rate across its whole platform below the regulatory threshold (known as transaction risk analysis)
  • corporate payments (unless the corporate card is in the name of an individual)

Which exemptions are applied will depend on your Payment Service Provider (PSP). See How to set up 3D Secure 2 for more details.
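As an added illustration of the scope, exemption and 2 factor rules described above (this is example code written for this page, not GOV.UK Pay code and not how any PSP's exemption engine is implemented), the decision logic below classifies a card payment as out of scope, already authenticated (wallet), exempt, or needing a 3DS2 challenge. The low value limits and the counters an issuer keeps per card are taken from the PSD2 regulatory technical standards (Article 16); the `Payment` and `CardCounters` types, the `acquirer_tra_eligible` flag and the sample payment sequence are assumptions constructed for the example.

```python
"""Illustrative SCA decision logic for the rules on this page (example only)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something the user knows"   # password, PIN
    POSSESSION = "something the user has"    # phone receiving an SMS code
    INHERENCE = "something the user is"      # fingerprint, face


def satisfies_sca(factors: list[Factor]) -> bool:
    """SCA needs two factors from two *different* categories.
    Two knowledge factors (password + memorable word) do not count."""
    return len(set(factors)) >= 2


# Low value exemption limits (PSD2 RTS Article 16), in pence: a single remote
# payment of at most 30, and no more than 5 payments or 100 cumulatively
# since SCA was last applied to the card.
LOW_VALUE_SINGLE_PENCE = 30_00
LOW_VALUE_CUMULATIVE_PENCE = 100_00
LOW_VALUE_MAX_COUNT = 5


@dataclass
class CardCounters:
    """Counters an issuer keeps per card since its last SCA challenge (assumed shape)."""
    payments_since_sca: int = 0
    pence_since_sca: int = 0


@dataclass
class Payment:
    """Attributes of one card payment (assumed shape, constructed for this example)."""
    amount_pence: int
    merchant_in_eea: bool = True
    payer_in_eea: bool = True
    merchant_initiated: bool = False     # e.g. a subscription renewal
    moto: bool = False                   # mail order / telephone order
    corporate_card: bool = False         # card in a company's name, not an individual's
    wallet: bool = False                 # Apple Pay / Google Pay: device already did SCA
    acquirer_tra_eligible: bool = False  # PSP's fraud rate permits transaction risk analysis


def decide(p: Payment, counters: CardCounters) -> str:
    """Return 'out_of_scope', 'authenticated', 'exempt:<reason>' or 'challenge'.

    Order matters: scope first, then wallets, then exemptions, otherwise a
    3DS2 challenge. Exempt payments leave liability with the merchant.
    """
    # 1. Out of scope: both sides must be in the EEA ("one-leg-out" payments
    #    are excluded), and merchant-initiated and MOTO payments never need SCA.
    if not (p.merchant_in_eea and p.payer_in_eea):
        return "out_of_scope"
    if p.merchant_initiated or p.moto:
        return "out_of_scope"
    # 2. A wallet payment already carries two factors from the device.
    if p.wallet:
        return "authenticated"
    # 3. Exemptions. The issuer may still override these and challenge anyway.
    if p.corporate_card:
        return "exempt:corporate"
    if p.acquirer_tra_eligible:
        return "exempt:low_risk"
    if (p.amount_pence <= LOW_VALUE_SINGLE_PENCE
            and counters.payments_since_sca < LOW_VALUE_MAX_COUNT
            and counters.pence_since_sca + p.amount_pence <= LOW_VALUE_CUMULATIVE_PENCE):
        return "exempt:low_value"
    # 4. Everything else goes through a 3DS2 challenge.
    return "challenge"


def apply(p: Payment, counters: CardCounters) -> str:
    """Decide, then update the card's counters the way an issuer would."""
    decision = decide(p, counters)
    if decision in ("challenge", "authenticated"):
        # SCA was applied: the low value counters start again.
        counters.payments_since_sca = 0
        counters.pence_since_sca = 0
    elif decision.startswith("exempt:"):
        counters.payments_since_sca += 1
        counters.pence_since_sca += p.amount_pence
    return decision


def run_low_value_sequence(amount_pence: int, n: int) -> list[str]:
    """Constructed scenario: n consecutive low value card payments on one card."""
    counters = CardCounters()
    return [apply(Payment(amount_pence=amount_pence), counters) for _ in range(n)]


if __name__ == "__main__":
    # Six £25 payments: the fifth breaches the £100 cumulative limit and is challenged.
    print(run_low_value_sequence(25_00, 6))
```

The sequence function shows the point practitioners most often miss: "under £30" is not a blanket pass. A run of small payments is challenged once the card hits the count or cumulative limit, and the counters only reset when the user actually authenticates.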

What 3D Secure 2 means for services

You may see a reduction in fraud on your service because users need to provide additional authentication before making a payment.

Services are not liable for fraudulent or unrecognised transactions that were authenticated with 3DS2: liability shifts to the card issuer. If a user disputes a 3DS2-authenticated transaction (for example by raising a chargeback) as fraudulent or unrecognised, it is the issuing bank that refunds the user if required, because the bank authenticated the transaction.

Services remain liable for transactions that are exempt from 3DS2, and are always responsible when a user disputes a transaction because they did not receive the goods or service they paid for.

How to set up 3D Secure 2

The way you set up 3DS2 will depend on your Payment Service Provider (PSP).

Stripe

GOV.UK Pay is managing the 3DS2 integration with Stripe so you do not need to make any changes to your integration with us. Stripe will automatically apply exemptions.

Worldpay

Worldpay are implementing 3DS2 as part of their 3DS Flex product. You will receive 3DS Flex credentials from Worldpay and you will need to add them into your Pay service. You don’t need to enable 3D Secure on telephone payment (MOTO) services.

If you are a Government Banking customer, please email serviceteam.gbs@hmrc.gov.uk to get help enabling 3DS Flex on your account. We recommend that you do this soon, as 3DS2 provides a smoother experience for paying users than 3DS.

If you have a direct contract with Worldpay (not via Government Banking), Worldpay can send you your 3DS Flex credentials so get in touch with your contact at Worldpay.

Worldpay will send all transactions via 3DS2 or 3DS. Worldpay does not apply exemptions by default but GOV.UK Pay supports Worldpay’s Exemption Engine. If you’d like to apply for exemptions for your transactions, contact GOV.UK Pay to chat through your needs.

Barclays ePDQ

GOV.UK Pay has built the integration with 3DS2 for ePDQ. You will not need to make any changes to your integration. Exemptions (see above) will not be applied.

Barclays Smartpay

You can enable 3DS, which meets the requirements of SCA.

Costs for 3D Secure 2

GOV.UK Pay will not pass on any of the costs of implementing 3D Secure 2. However, payment charges will vary depending on your PSP.

There’s no extra cost if you’re with Stripe.

Check with Worldpay, Barclays Smartpay and Barclays ePDQ for details of their individual costs. If you are a Government Banking customer, contact serviceteam.gbs@hmrc.gov.uk.

Using digital wallets

There is no extra cost for transactions using digital wallets, because the wallet already meets the SCA authentication requirements and no 3DS2 challenge is needed. Check that you have enabled this option in your settings.

Apple Pay and Google Pay are currently only available for services using Worldpay on GOV.UK Pay. GOV.UK Pay plan to introduce this for Stripe.

Actions for owners of services

If you’re the owner of a service in GOV.UK Pay, you should:

  • make sure 3D Secure is activated in your account settings if you’re using Worldpay
  • check with your PSP about any charges for 3D Secure 2
  • activate Apple Pay and Google Pay in your account settings if you’re using Worldpay
  • follow the instructions if you use GOV.UK Pay to take phone payments (MOTO) – these are out of scope of 3DS and 3DS2

Contact the GOV.UK Pay team with any questions.