How to Prepare for Strong Customer Authentication transactions in Europe for In-App Purchases?

Dec 31 2020

Strong Customer Authentication (SCA) in the European Economic Area (EEA)
Official news from the Apple App Store recently announced that, starting December 31, 2020, EU legislation introduces Strong Customer Authentication (SCA) requirements for users in the European Economic Area (EEA), which could affect the way they complete online purchases. Have developers of games and apps with in-app purchases prepared for this in advance? The App Store and Apple Pay will support Strong Customer Authentication, and you'll need to verify your app's implementation of StoreKit and Apple Pay to ensure purchases are processed correctly.

ASO World will go over the key points with you. If your app or game includes in-app purchases and your target market includes the EEA, you'll need to confirm that you're prepared accordingly.

Understanding the basic concepts of Strong Customer Authentication


What is Strong Customer Authentication (SCA)?


Strong Customer Authentication (SCA) is a set of identity-verification rules applied by your bank or payment service provider to maximize the security of your funds and limit fraud. The rule was introduced in the EEA in 2019 and is designed to further enhance payment security and limit fraud.

The checkout process for online purchases in the EEA is affected by SCA, which is expected to come into effect on December 31, 2020. If you develop apps for the Apple App Store, check whether your in-app checkout is affected.

What is SCA payment mode?


Strong Customer Authentication (SCA) is a new European regulatory requirement under which payers must actively confirm that they accept a payment. To meet SCA requirements, you need to build an additional identity verification step into the checkout process. In particular, many online bank card payments in Europe need two-factor authentication. Without it, many payments may be declined by the customer's bank. The rule is intended to reduce fraud and improve the security of online payments.

What has changed with SCA payments?


Traditional card payments typically involve two steps: authorization and capture. The customer's bank or card issuer decides whether to approve a payment, which is the authorization, and then charges the card, which is the capture.

With SCA, an additional mandatory step is required before authorization and capture: verification. This step helps protect the customer against fraud. To verify a payment, customers respond to a prompt from their bank and provide additional information. This could be something they know, such as a password; something they have, such as a phone; or something they are, such as a fingerprint.

One of the most common ways to verify payments is through 3DS authentication. This can be identified by its brand name, such as "Visa Secure" or "MasterCard Identity Check". A new version of this method is now available, called 3DS 2.0 Authentication, which is expected to become the standard payment verification method.

Regardless of the method you use, the customer must be present in the session and complete the verification themselves, that is, they must be using your website or application. This step is easier to add for companies that collect payments directly from customers at checkout; it is more complicated for companies that collect payments after the customer has left the checkout process (sometimes referred to as "off-session").

What changes have been made to the Apple App Store payment process as an outcome of the SCA rules?


The Payment Services Directive (PSD2) is an EU regulation that requires Strong Customer Authentication (SCA) for certain online purchases to prevent fraud. On the App Store, certain transactions initiated with credit or debit cards must be authenticated by a bank or payment service provider before they can be completed.

For developers with in-app purchases whose target market includes the EEA, the following points need to be addressed:

  • For auto-renewals, SCA is required for the first transaction only.

  • Purchases under €30 may not require SCA.

  • For purchases made with Apple Pay, no other authentication will be required for devices that already meet the SCA requirements.

  • Purchases made using mobile billing, other payment services, or Apple ID balances (via gift cards or top-up funds) will not require additional authentication.

App developers who offer in-app payments therefore need to check whether their users are having trouble with the payment process, and can consider options such as alternative payment channels to address the problem.

How to deal with the problems caused by SCA in EEA?


1) Use StoreKit to process transactions


For in-app purchases that require SCA, the system prompts the user to verify their credit or debit card. The user leaves the purchase flow, goes to the website or app of their bank or payment service provider to authenticate, and is then redirected to the App Store, where a message tells them that the purchase has been completed. Handling this interrupted transaction is similar to handling a purchase that requires approval from a family approver, or one where the user has to agree to updated App Store terms and conditions before completing the purchase.

Make sure your app handles interrupted transactions properly by initializing a transaction observer that responds to new transactions and synchronizes pending transactions with Apple. The observer helps your app handle SCA transactions: when the user leaves the app, the SCA transaction can update your payment queue with a "failed" or "deferred" state. When the user is redirected to the App Store after authentication, a new transaction with the state "purchased" is immediately delivered to the observer, and it may carry a new value for the `transactionIdentifier` property. You can test interrupted purchase scenarios in the sandbox for a specific sandbox Apple ID.
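The observer described above could look like the following sketch. It is an added example, not Apple's or ASO World's code; `PurchaseObserver`, `awaitingAuthentication` and `grantEntitlement` are hypothetical names, and receipt validation is left to the hook.

```swift
import StoreKit

// Added example: class, property and hook names are hypothetical.
final class PurchaseObserver: NSObject, SKPaymentTransactionObserver {
    static let shared = PurchaseObserver()
    // Products whose purchase left the app for authentication and is unresolved.
    private(set) var awaitingAuthentication = Set<String>()

    // Register at app launch so transactions completed outside the app are delivered.
    func start() { SKPaymentQueue.default().add(self) }

    func paymentQueue(_ queue: SKPaymentQueue,
                      updatedTransactions transactions: [SKPaymentTransaction]) {
        for transaction in transactions {
            let productID = transaction.payment.productIdentifier
            switch transaction.transactionState {
            case .purchasing:
                break  // still in flight
            case .deferred:
                // Not a final state and must not be finished: keep the UI usable
                // and wait for a later update.
                awaitingAuthentication.insert(productID)
            case .failed:
                // An SCA hand-off can arrive as a failure. Unless the user cancelled,
                // remember the product so a later .purchased is not a surprise.
                let cancelled = (transaction.error as? SKError)?.code == .paymentCancelled
                if !cancelled { awaitingAuthentication.insert(productID) }
                queue.finishTransaction(transaction)
            case .purchased, .restored:
                // Match on the product, never on an earlier transactionIdentifier:
                // the completed transaction may carry a new identifier.
                awaitingAuthentication.remove(productID)
                grantEntitlement(productID, transactionID: transaction.transactionIdentifier)
                queue.finishTransaction(transaction)
            @unknown default:
                break
            }
        }
    }

    // Hypothetical hook: validate the receipt and unlock content here.
    private func grantEntitlement(_ productID: String, transactionID: String?) {
        print("unlock \(productID), transaction \(transactionID ?? "none")")
    }
}
```

Call `PurchaseObserver.shared.start()` from `application(_:didFinishLaunchingWithOptions:)` so the observer is in place before any pending transaction is delivered.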

2) Use Apple Pay to process transactions


Apple Pay includes built-in authentication and does not require additional authentication from your bank. However, to avoid payment issues when using Apple Pay in your app, make sure you use the correct country code in your payment request and that the final amount is shown on the payment sheet.

The `countryCode` value on `PKPaymentRequest` (for apps) and `ApplePayPaymentRequest` (for websites) should be set to the correct two-letter code of the country where you process the payment. Setting this value correctly ensures that the PSD2-compliant cryptogram is used when both the merchant country code and the user's card issuer are located within the EEA.

Show the final amount on the payment sheet instead of a pending amount. This enables dynamic linking, where the transaction amount and merchant identifier are included in the cryptogram to prove the origin and authenticity of the transaction.

Of course, you can also use third-party payment channels, but before doing so you need to confirm that these payment service providers offer payment APIs built for the new SCA rules that can help you cope with this change and take advantage of all possible SCA exemptions.
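The two Apple Pay settings above, with a pre-flight check that flags the mistakes they guard against. This is an added example, not code from Apple or from this post; the merchant identifier, country, currency and the `scaProblems` helper are constructed placeholders.

```swift
import PassKit

// Added example: identifier, country, currency and amount are constructed values.
func makePaymentRequest(total: NSDecimalNumber) -> PKPaymentRequest {
    let request = PKPaymentRequest()
    request.merchantIdentifier = "merchant.com.example.shop"  // placeholder
    // Country where the payment is processed, not the device region or UI locale.
    request.countryCode = "DE"
    request.currencyCode = "EUR"
    request.supportedNetworks = [.visa, .masterCard]
    request.merchantCapabilities = .capability3DS
    // .final marks the amount the user authenticates as the amount charged.
    request.paymentSummaryItems = [
        PKPaymentSummaryItem(label: "Example Shop", amount: total, type: .final)
    ]
    return request
}

// Hypothetical check for debug builds or unit tests, run before presenting the sheet.
func scaProblems(in request: PKPaymentRequest) -> [String] {
    var problems: [String] = []
    let code = request.countryCode.uppercased()
    if code.count != 2 || !Locale.isoRegionCodes.contains(code) {
        problems.append("countryCode '\(request.countryCode)' is not a two-letter ISO code")
    }
    // By convention the last summary item is the grand total shown to the user.
    guard let totalItem = request.paymentSummaryItems.last else {
        return problems + ["no summary items: the sheet has no total to display"]
    }
    if totalItem.type == .pending {
        problems.append("total is marked pending: show the final amount instead")
    }
    if totalItem.amount.compare(NSDecimalNumber.zero) != .orderedDescending {
        problems.append("total must be greater than zero")
    }
    return problems
}
```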

In Summary


Given that implementation is approaching, we recommend that you prepare your payment processes so that you are ready for SCA as soon as possible. As European banks step up their enforcement of these requirements, this will help prevent an increase in drop-offs and the loss of customers at various steps of the authentication process. The new payment APIs and other solutions that support SCA are designed to take this uncertainty into account.

Comments

  • Lee Jennings
    What is Barclaycard doing about SCA?
    • Bob Benson

      @Lee Jennings From the announcement of PSD2 SCA in 2017, we have been actively involved with industry discussions and have been influencing the direction of travel as the debate has developed.

    • Bob Benson

      @Lee Jennings As the practical implications become clearer, we have taken the necessary steps to first ensure the 3DS 2.0 mandate is met, as well as exploring options to achieve the right balance between managing fraud risks and minimising disruption in the payment journey.

    • Bob Benson

      @Lee Jennings Barclaycard can offer insight on the support merchants may need. We can partner with merchants on the roll out of new industry protocols, as well as continuing to help with demystifying PSD2 SCA.

  • Diane Garza
    What is changing?
    • Sophie Daniel

      @Diane Garza The payment journey may look a little different. Authentication used to be required on an exception basis, i.e. where the risk of the transaction was regarded as ‘high’, additional authentication might have been triggered via 3D Secure as the current protocol.

    • Sophie Daniel

      @Diane Garza This is commonly known as a "step-up". Since September 2019, additional authentication has become the default. All qualifying transactions are being “stepped up” unless an exemption applies.

  • Stacey Craig
    What is the SCA requirement?
    • Kristina Joseph

      @Stacey Craig PSD2 requires the use of two independent sources of validation by selecting a combination of two out of the three categories (commonly known as two-factor authentication).

  • Erin Matthews
    Why is SCA needed?
    • Barry Beck

      @Erin Matthews From the announcement of PSD2 SCA in 2017, we have been actively involved with industry discussions and have been influencing the direction of travel as the debate has developed.

    • Barry Beck

      @Erin Matthews As the practical implications become clearer, we have taken the necessary steps to first ensure the 3DS 2.0 mandate is met, as well as exploring options to achieve the right balance between managing fraud risks and minimising disruption in the payment journey.

    • Barry Beck

      @Erin Matthews Barclaycard can offer insight on the support merchants may need. We can partner with merchants on the roll out of new industry protocols, as well as continuing to help with demystifying PSD2 SCA.

  • Charles Sparks
    What does this mean for me?
    • Rosa Robbins

      @Charles Sparks You will need to activate two-factor authentication (2FA) over the next few weeks, as it will become compulsory when logging in to their Ebury Online account AND when instructing new payments. 2FA is already available to set up when logging in to Ebury Online, and will soon become a feature when making payments.

  • Iris Frank
    Why does it need updating?
    • Shawna Cox

      @Iris Frank The original Payment Services Directive (PSD) was created in 2007 to focus on improving payments, particularly credit transfers, direct debits and cards.

    • Shawna Cox

      @Iris Frank As the digitization of the European economy has progressed massively over the last few years, the PSD has needed to update to include new players, such as fintechs like Ebury.

    • Shawna Cox

      @Shawna Cox PSD2 is coming into force to make payments safer, increase client protection, foster innovation and competition, and ensure a level playing field for banks and other payment service providers alike.

  • Terri Rice
    Is Apple Pay SCA compliant?
    • Van Burke

      @Terri Rice Purchases made with Apple Pay, which already meets SCA requirements, will not require additional authentication. Purchases made with mobile phone billing, other payment services, or an Apple ID balance (from gift cards or adding funds) will not require additional authentication.

  • Pauline Holt
    What is SCA compliance?
    • Roger Watkins

      @Pauline Holt SCA COMPLIANCE. PREVAILING WAGE RESOURCE BOOK. PRINCIPLES. INTRODUCTION. Service Contract Act (SCA) wage determinations set forth the prevailing wages and benefits that are to be paid to service employees working on covered contracts exceeding $2,500.

  • Brian Briggs
    Why is SCA important?
    • Krista Hogan

      @Brian Briggs Strong Customer Authentication (SCA) is a new European regulatory requirement to reduce fraud and make online payments more secure. To accept payments and meet SCA requirements, you need to build additional authentication into your checkout flow.

  • Pearl Colon
    What does SCA mean?
    • Santiago Norris

      @Pearl Colon The Society for Creative Anachronism (SCA) is an international non-profit volunteer educational organization. ... If it was done in the Middle Ages or Renaissance, odds are you'll find someone in the SCA interested in recreating it.

  • Lillian Moran
    What is PSD2 and SCA?
    • Guillermo Craig

      @Lillian Moran The new EU Payments Services Directive (PSD2) took effect in January 2018, bringing in new laws aimed at enhancing consumer rights and reducing online fraud. A key element of PSD2 is the introduction of additional security authentications for online transactions over €50, known as Strong Customer Authentication (SCA).

  • Rickey Holloway
    What does SCA required mean?
    • Timmy Norris

      @Rickey Holloway Strong Customer Authentication (SCA) is a requirement of PSD2*, which asks businesses to use at least two authentication elements to verify electronic payments. The point of this is to reduce fraud and make online payments more secure for you. ... This means all bank transfers and most card payments will require SCA.

  • Pam Day
    What is SCA payment?
    • Diana Stanley

      @Pam Day SCA stands for Strong Customer Authentication, and it is one of the regulations under the Revised Payment Service Directive (PSD2). It states that a customer must verify their identity before payment information can be exchanged between a financial institution and a third-party provider (TPP).

  • Arturo Holt
    Which type of authentication is most secure?
    • Jackie Kelley

      @Arturo Holt Nowadays, the usage of biometric devices such as hand scanners and retinal scanners is becoming more common in the business environment. It is the most secure method of authentication.

  • Jerome Webster
    What does user authentication mean?
    • Beatrice Simmons

      @Jerome Webster User authentication is a process that allows a device to verify the identity of someone who connects to a network resource. There are many technologies currently available to a network administrator to authenticate users. The Firebox also has its own authentication server.

  • Dora Simmons
    Is Apple Pay SCA compliant?
    • Gayle Sherman

      @Dora Simmons Purchases made with Apple Pay, which already meets SCA requirements, will not require additional authentication. Purchases made with mobile phone billing, other payment services, or an Apple ID balance (from gift cards or adding funds) will not require additional authentication.

  • Dustin Hayes
    What is Strong Customer Authentication?
    • Miranda Ford

      @Dustin Hayes Strong Customer Authentication (SCA) works to ensure that it is genuinely you whenever you log in or authorise payments while banking online. It is designed to help keep your financial information safe and make online banking even more secure. Last updated: May 26, 2020.

  • Amelia Cain
    What payment value are transactions considered low value and are therefore exempt from SCA?
    • Earl Banks

      @Amelia Cain Exemptions. Card transactions below €50 are considered low value and are generally exempt from authentication. However, if the customer initiates more than five consecutive low value payments or if the total payments value exceeds €100, SCA will be required.

  • Shawna Hall
    What does SCA stand for in payments?
    • Howard Mills

      @Shawna Hall Strong Customer Authentication. Part of the Revised Payment Services Directive (PSD2) published in 2018, Strong Customer Authentication (SCA) is intended to make payments more secure, requiring online sellers to implement more stringent methods of ensuring the payments they are taking are genuine.

  • Jack Dawson
    What is meant by the SCA regulation?
    • Kate Blair

      @Jack Dawson Strong Customer Authentication (SCA) is a new European regulatory requirement to reduce fraud and make online payments more secure. To accept payments and meet SCA requirements, you need to build additional authentication into your checkout flow.

  • Priscilla Rodriguez
    What is secure customer authentication?
    • Myrtle Glover

      @Priscilla Rodriguez The way your bank or payment services provider verifies your identity or validates a specific payment instruction is changing. ... The new rules, introduced in 2019, are intended to further enhance the security of payments and limit fraud. They are known as Strong Customer Authentication (SCA).

  • Raymond Wong
    When did strong customer authentication come into effect?
    • Donnie Page

      @Raymond Wong 14 September 2019. Banks will need to start declining payments that require SCA and don't meet these criteria. Although the regulation was introduced on 14 September 2019, we expect these requirements to be enforced by regulators over the course of 2020 and 2021.

  • Cecelia Perkins
    What is strong customer authentication PSD2?
    • James Farmer

      @Cecelia Perkins Strong customer authentication (SCA) is a requirement of the EU Revised Directive on Payment Services (PSD2) on payment service providers within the European Economic Area. The requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments.