From today, 14 March 2022, online retailers operating in the EU and UK must offer Strong Customer Authentication (SCA) at checkout.

It is now mandatory for all online shopping purchases to be protected by additional security measures. This will ensure a shopper is who they say they are and, hopefully, reduce fraud.

Any retailer who does not operate SCA technologies at checkout may have payments declined.

So how does it affect you and what should you expect? We explain all here.

What is Strong Customer Authentication?

Thanks to an EU directive that's also employed by the UK post-Brexit, online retailers who want to sell products in the European Economic Area, Great Britain and Northern Ireland must employ SCA. It is effectively a two-factor authentication system employed at checkout to add an extra layer of protection for purchases.

It requires banks to make additional checks on shopper identity and needs the retailers to support new authentication systems.

Rather than just a password, which has been the stock method of authentication for online shopping for many years, banks will require two forms of identification at checkout. This could be the original password, a device only the shopper has access to (such as a mobile phone), and/or a biometric identifier (fingerprint, for example).

Many online retailers have offered SCA over the last year or so - you may have ecountered it on website or in a mobile app. However, it is now a mandatory requirement.

When did Strong Customer Authentication come into effect?

Originally, SCA was to become mandatory by 14 September 2021 but the FCA granted the industry an extension on the deadline to 14 March 2022.

Retailers who do not support Strong Customer Authentication may find banks declining payments, which means your purchase via that retailer can also be declined.

Does SCA apply to contactless payments?

SCA does apply to contactless payments too, which is why customers may sometimes be requested to enter a PIN after tapping their contactless card. Contactless payments made by a phone will generally also use a PIN or biometric system to unlock the handset first, thereby complying with the new guidelines.