Strong Customer Authentication
Frequently Asked Questions
Please read through the important information below and in our FAQ regarding the Strong Customer Authentication regulation being introduced on 14 September 2019.
Does your organisation receive online payments? If so, you need to know about the EU's new payments legislation, 'Strong Customer Authentication', being introduced on 14 September 2019.
Our free webinar, recorded on 25 July 2019, is available to view on demand.
1. What is Strong Customer Authentication?
Strong Customer Authentication (SCA) is a new European requirement created to reduce fraud and make online payments more secure. From 14 September 2019, when an individual with a card issued in the European Economic Area (EEA) makes a payment online, extra levels of authentication will be required at the time of the transaction. As fraud methods are constantly changing, the aim of SCA is to reduce fraud, provide added security to online payments, and act as a “frictionless authentication,” improving the donation experience and providing security against the emergence of new online payment threats.
SCA applies to donations and paid event registrations, memberships or sponsorships, and any other online payments.
Failure to adhere to SCA will result in the rejection of donations by financial institutions across the European Economic Area (EEA). Watch Our 3 minute explainer video to get a comprehensive overview of what SCA is, and more importantly, what you should
be doing to prepare for it:
You can find more specific details about the requirements on the European Banking Authority site.
2. What changes will this require?
In the past, supporters could simply enter their card number and a CVC verification code, but with the revised EU Payment Services Directive (PSD2), more information will be required at the time of payment. A new specification, 3D Secure 2.0, has been introduced to make it easier to collect SCA information at the time of the transaction. From 14 September onward, authentication must include two or more of the following:
- Something you know, such as a password or secret fact
- Something you own, such as a mobile phone or token
- Something you are, such as a fingerprint or voice pattern
Whilst the number of required data points is increasing, more customer choice should mean better authentication experiences and less drop-offs!
Ensuring that the data points collected dynamically link the transactions to the amount specified by the donor when initiating the transaction.
3. Are any organisations exempt from the changes?
Those transactions where the card issuer is not based in Europe are exempt. Certain low value and low risk transactions will also be exempt from SCA, as will recurring transactions with a fixed amount (from the second transaction onwards).
Whilst the regulation directly affects EU organisations, some European banks may require SCA for organisations outside of Europe when transacting with their customers. Furthermore, it is expected that most banks around the world will adopt the new standards over time. Note that we do expect SCA regulation to be enforced in the UK, regardless of the outcome of Brexit.
4. What is Blackbaud doing in response?
Blackbaud is committed to ensuring that its solutions are not only compliant with this new regulation, but also deliver great experiences for supporters.
For example, Blackbaud Checkout provides a fully mobile-responsive, dynamic and secure payment journey that will be SCA-ready and designed with your constituents in mind. We have already added this new checkout experience onto several forms, and will enhance further features across the latest versions of our digital solutions over the coming months.
5. How is my Blackbaud solution affected?
If you use one or more of eTapestry, Online Express, Blackbaud NetCommunity, Blackbaud Internet Solutions, JustGiving, Blackbaud CRM, or everydayhero, please refer to SCA product instructions to review what steps you need to take, if any, so your Blackbaud solution accepts payments when Strong Customer Authentication (SCA), comes into effect on 14th September 2019.
6. Which payment gateway will support Strong Customer Authentication?
Blackbaud will support SCA in Blackbaud Merchant Services (BBMS) via Blackbaud Checkout. BBMS is our end-to-end payment processing solution and the one chosen by nearly all customers. If your organisation uses a third-party gateway, you will need to transition your online forms to BBMS in advance of the 14 September deadline. More details on when and how you can do this in your Blackbaud solution will be provided here soon.
7. Why is Blackbaud focusing effort on BBMS rather than other payment gateways?
Support for the Strong Customer Authentication (SCA) regulations requires considerable development effort. Given the scope of the work to be compliant with SCA, we are focusing our efforts on getting the primary payments platform used by the vast majority of our clients updated quickly and implementing changes in each of our solutions to the support these new requirements. JustGiving and everydayhero are ready for Strong Customer Authentication today, and you do not need to take any further steps.
By focusing that effort on BBMS — which was created specifically for the social good community — we can help you adhere to the requirements while providing your constituents with a seamless payment experience. This experience includes value-added features, such as digital wallets, online fraud protection, payments API, credit card updater, point to point encryption, simple reconciliation, one call for all payment & application support and soon direct debit (BACS) transaction processing. It also includes integration with Blackbaud software that is not available through other payment gateways.
The innovations available from BBMS now — and those featured on our product roadmap — will protect your constituents and ultimately allow your organisation to enhance fundraising.
8. I am not using BBMS in my Blackbaud solutions, how should I best prepare?
Move to Blackbaud Merchant Services (BBMS) and Blackbaud Checkout to ensure your transactions continue to process. If you continue to use a third-party gateway, we expect that card issuers will decline those beginning 14 September 2019. To learn more about BBMS, please visit https://www.blackbaud.co.uk/solutions/payment-services/merchant-services.
9. How do I find out more?
Please look for further information from Blackbaud in your inbox over the coming weeks. We will also post updates at https://www.blackbaud.co.uk/sca.
10. How do I learn more about my specific Blackbaud products?
If you own a Blackbaud product, please see SCA product instructions to find out more on how a specific product may be impacted.
If your organisation currently uses a third-party payment gateway with your Blackbaud solution, then you will need to transition your online forms to Blackbaud Merchant Services (BBMS) to ensure compliance with SCA.
11. I heard the SCA deadline may be delayed.
Though we anticipate a gradual enforcement of Strong Customer Authentication, we still expect the first banks to start declining payments without two-factor authentication on September 14th. The European Banking Authority is the only authority across the EEA, and the EBA has already declared they will not delay SCA implementation and this law is going into effect September 14th. Rather, they will permit local country authorities, such as the FCA in the UK, to determine whether or not they will allow banks additional time to comply with SCA, and it is up to the local authorities how they will enforce the law.
Regardless of the enforcement approach taken by local authorities, some (major) banks are likely to implement SCA on 14th September, or very shortly thereafter. This is because many banks, including banks in the UK, will have already implemented transaction verification processes in line with SCA regulations and, in some cases, will have made these mandatory for payment authorizations to go through. Consequently, it is likely that payment acceptance on transactions that do not support the new verification processes will be impacted across the EU, regardless of local SCA enforcement. Therefore, our continuing recommendation to all organisations is to be ready for that date. Even if only some transactions are initially declined, from some banks, we believe that would still prove very disruptive for our customers, and above all for donors, event registrants and members. SCA therefore remains a very high priority for Blackbaud Europe; we are fully committed to making sure our solutions are compliant with all regulations as they are currently, whilst also helping you prepare for the future.
(Please note that this does not constitute legal advice and should not be construed as legal opinion or advice on any specific facts or circumstances.)
12. What other changes should I expect to see with SCA?
Strong Customer Authentication has additional guidance around saved cards and recurring gifts. To this end, Blackbaud has taken steps to protect your recurring payments processed through Blackbaud Merchant Services (BBMS) by running a zero-value authorization for each card securely stored. This authorization allows Blackbaud to request exemptions from SCA for future recurring payments, helping you maximize your revenue, and is immediately reversed to avoid any adverse impact on the card’s account.
No fund is charged as part of this authorisation. Whilst most supporters and constituents will not see any impact at all, in some cases a 0.00 pending authorization (or, very occasionally, 0.01 or 1.00) for ‘Blackbaud SCA – Charity’ may temporarily appear on their card statement as a pending authorization, before being removed typically in 1-7 days. By following this recommended practice, Blackbaud is helping to ensure minimal to no impact on your recurring transactions as a result of SCA regulation.
We want you to be aware of this step in case your organization receives a call from a supporter as to why a zero or very low-value pending authorization from Blackbaud appears on their account statement. Details are also available in the following