Strong Customer Authentication

Frequently Asked Questions

Please read through the important information below and in our FAQ regarding the Strong Customer Authentication regulation being introduced on 14 September 2019.

SCA Webinar

Does your organisation receive online payments? If so, you need to know about the EU's new payments legislation, 'Strong Customer Authentication', being introduced on 14 September 2019.

Our free webinar, recorded on 25 July 2019, is available to view on demand.

Watch now >>

1. What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is a new European requirement created to reduce fraud and make online payments more secure. From 14 September 2019, when an individual with a card issued in the European Economic Area (EEA) makes a payment online, extra levels of authentication will be required at the time of the transaction. As fraud methods are constantly changing, the aim of SCA is to reduce fraud, provide added security to online payments, and act as a “frictionless authentication,” improving the donation experience and providing security against the emergence of new online payment threats.

SCA applies to donations and paid event registrations, memberships or sponsorships, and any other online payments.

Failure to adhere to SCA will result in the rejection of donations by financial institutions across the European Economic Area (EEA). Watch Our 3 minute explainer video to get a comprehensive overview of what SCA is, and more importantly, what you should be doing to prepare for it:

You can find more specific details about the requirements on the European Banking Authority site.

2. What changes will this require?

In the past, supporters could simply enter their card number and a CVC verification code, but with the revised EU Payment Services Directive (PSD2), more information will be required at the time of payment. A new specification, 3D Secure 2.0, has been introduced to make it easier to collect SCA information at the time of the transaction. From 14 September onward, authentication must include two or more of the following:

  • Something you know, such as a password or secret fact
  • Something you own, such as a mobile phone or token
  • Something you are, such as a fingerprint or voice pattern

Whilst the number of required data points is increasing, more customer choice should mean better authentication experiences and less drop-offs!

Ensuring that the data points collected dynamically link the transactions to the amount specified by the donor when initiating the transaction.

SCA Diagram

3. Are any organisations exempt from the changes?

Those transactions where the card issuer is not based in Europe are exempt. Certain low value and low risk transactions will also be exempt from SCA, as will recurring transactions with a fixed amount (from the second transaction onwards).

Whilst the regulation directly affects EU organisations, some European banks may require SCA for organisations outside of Europe when transacting with their customers. Furthermore, it is expected that most banks around the world will adopt the new standards over time. Note that we do expect SCA regulation to be enforced in the UK, regardless of the outcome of Brexit.

4. What is Blackbaud doing in response?

Blackbaud is committed to ensuring that its solutions are not only compliant with this new regulation, but also deliver great experiences for supporters.

For example, Blackbaud Checkout provides a fully mobile-responsive, dynamic and secure payment journey that will be SCA-ready and designed with your constituents in mind. We have already added this new checkout experience onto several forms, and will enhance further features across the latest versions of our digital solutions over the coming months.

5. How is my Blackbaud solution affected?

If you use one or more of eTapestry, Online Express, Blackbaud NetCommunity, Blackbaud Internet Solutions, Luminate Online, TeamRaiser, JustGiving, everydayhero, or the Payments API today, then we will update you in the next few weeks with the specific SCA details for your product(s), including any key timelines for releases, what you may need to do to implement these regulatory changes, and the support and services available should you need them.

6. Which payment gateway will support Strong Customer Authentication?

Blackbaud will support SCA in Blackbaud Merchant Services (BBMS) via Blackbaud Checkout. BBMS is our end-to-end payment processing solution and the one chosen by nearly all customers. If your organisation uses a third-party gateway, you will need to transition your online forms to BBMS in advance of the 14 September deadline. More details on when and how you can do this in your Blackbaud solution will be provided here soon.

7. Why is Blackbaud focusing effort on BBMS rather than other payment gateways?

Support for the Strong Customer Authentication (SCA) regulations requires considerable development effort. Given the scope of the work to be compliant with SCA, we are focusing our efforts on getting the primary payments platform used by the vast majority of our clients updated quickly and implementing changes in each of our solutions to the support these new requirements.

By focusing that effort on BBMS — which was created specifically for the social good community — we can help you adhere to the requirements while providing your constituents with a seamless payment experience. This experience includes value-added features, such as digital wallets, online fraud protection, payments API, credit card updater, point to point encryption, simple reconciliation, one call for all payment & application support and soon direct debit (BACS) transaction processing. It also includes integration with Blackbaud software that is not available through other payment gateways.

The innovations available from BBMS now — and those featured on our product roadmap — will protect your constituents and ultimately allow your organisation to enhance fundraising.

8. I am not using BBMS in my Blackbaud solutions, how should I best prepare?

Move to Blackbaud Merchant Services (BBMS) and Blackbaud Checkout to ensure your transactions continue to process. If you continue to use a third-party gateway, we expect that card issuers will decline those beginning 14 September 2019. To learn more about BBMS, please visit https://www.blackbaud.co.uk/solutions/payment-services/merchant-services.

9. How do I find out more?

Please look for further information from Blackbaud in your inbox over the coming weeks. We will also post updates at https://www.blackbaud.co.uk/sca.

10. How do I learn more about my specific Blackbaud products?

If you own a Blackbaud product, please click on the links below to find out more on how a specific product may be impacted

11. I heard the SCA deadline may be delayed.

Though we anticipate a gradual enforcement of Strong Customer Authentication, we still expect the first banks to start declining payments without two-factor authentication on September 14th. The European Banking Authority is the only authority across the EEA, and the EBA has already declared they will not delay SCA implementation and this law is going into effect September 14th. Rather, they will permit local country authorities, such as the FCA in the UK, to determine whether or not they will allow banks additional time to comply with SCA, and it is up to the local authorities how they will enforce the law.

Regardless of the enforcement approach taken by local authorities, some (major) banks are likely to implement SCA on 14th September, or very shortly thereafter. Our continuing recommendation to all organisations therefore is to be ready for that date. Even if only some transactions are initially declined, from some banks, we believe that would still prove very disruptive for our customers, and above all for donors, event registrants and members. SCA therefore remains a very high priority for Blackbaud Europe; we are fully committed to making sure our solutions are compliant with all regulations as they are currently, whilst also helping you prepare for the future.

(Please note that this does not constitute legal advice and should not be construed as legal opinion or advice on any specific facts or circumstances.)