Strong Customer Authentication
Frequently Asked Questions
Please read through the important information below and in our FAQ regarding the Strong Customer Authentication regulation being introduced on 14 September 2021 (recently moved from 31 December 2020). Please note that since 1 January 2021 we have seen an increase in banks requesting SCA for transactions.
Does your organisation receive online payments? If so, you need to know about the EU's new payments legislation, 'Strong Customer Authentication', being introduced on 14 September 2021.
Our free webinar, recorded on 25 July 2019, is available to view on demand.
1. What is Strong Customer Authentication?
Strong Customer Authentication (SCA) is a new European requirement created to reduce fraud and make online payments more secure. From 14 September 2021, when an individual with a card issued in the European Economic Area (EEA) makes a payment online, extra levels of authentication will be required at the time of the transaction. As fraud methods are constantly changing, the aim of SCA is to reduce fraud, provide added security to online payments, and act as a “frictionless authentication,” improving the donation experience and providing security against the emergence of new online payment threats.
SCA applies to donations and paid event registrations, memberships or sponsorships, and any other online payments.
Failure to adhere to SCA will result in the rejection of donations by financial institutions across the European Economic Area (EEA). Watch Our 3 minute explainer video to get a comprehensive overview of what SCA is, and more importantly, what you should
be doing to prepare for it:
You can find more specific details about the requirements on the European Banking Authority site.
The date of the deadline in the webinar has now changed to 14 September 2021.
2. What changes will this require?
In the past, supporters could simply enter their card number and a CVC verification code, but with the revised EU Payment Services Directive (PSD2), more information will be required at the time of payment. A new specification, 3D Secure 2.0, has been introduced to make it easier to collect SCA information at the time of the transaction. From 14 September onward, authentication must include two or more of the following:
- Something you know, such as a password or secret fact
- Something you own, such as a mobile phone or token
- Something you are, such as a fingerprint or voice pattern
Whilst the number of required data points is increasing, more customer choice should mean better authentication experiences and less drop-offs!
Ensuring that the data points collected dynamically link the transactions to the amount specified by the donor when initiating the transaction.
3. Are any organisations exempt from the changes?
Those transactions where the card issuer is not based in Europe are exempt. Certain low value and low risk transactions will also be exempt from SCA, as will recurring transactions with a fixed amount (from the second transaction onwards).
Whilst the regulation directly affects EU organisations, some European banks may require SCA for organisations outside of Europe when transacting with their customers. Furthermore, it is expected that most banks around the world will adopt the new standards over time. Note that we do expect SCA regulation to be enforced in the UK, regardless of the outcome of Brexit.
4. What is Blackbaud doing in response?
Blackbaud is committed to ensuring that its solutions are not only compliant with this new regulation, but also deliver great experiences for supporters.
For example, Blackbaud Checkout provides a fully mobile-responsive, dynamic and secure payment journey that will be SCA-ready and designed with your constituents in mind. We have already added this new checkout experience onto our forms, and have enhanced further features across the latest versions of all our digital solutions.
5. How is my Blackbaud solution affected?
If you use one or more of eTapestry, Online Express, Blackbaud NetCommunity, Blackbaud Internet Solutions, JustGiving, or Blackbaud CRM, please refer to SCA product instructions to review what steps you need to take, if any, so your Blackbaud solution accepts payments when Strong Customer Authentication (SCA), comes into effect on 14 September 2021.
6. Which payment gateway will support Strong Customer Authentication?
Blackbaud will support SCA in Blackbaud Merchant Services (BBMS) via Blackbaud Checkout. BBMS is our end-to-end payment processing solution and the one chosen by nearly all customers. If your organisation uses a third-party gateway, you will need to transition your online forms to BBMS in advance of the 14 September deadline.
7. Why is Blackbaud focusing effort on BBMS rather than other payment gateways?
Support for the Strong Customer Authentication (SCA) regulations requires considerable development effort. Given the scope of the work to be compliant with SCA, we are focusing our efforts on getting the primary payments platform used by the vast majority of our clients updated quickly and implementing changes in each of our solutions to the support these new requirements. JustGiving is ready for Strong Customer Authentication today, and you do not need to take any further steps.
By focusing that effort on BBMS — which was created specifically for the social good community — we can help you adhere to the requirements while providing your constituents with a seamless payment experience. This experience includes value-added features, such as digital wallets, online fraud protection, payments API, credit card updater, point to point encryption, simple reconciliation, one call for all payment & application support and soon direct debit (BACS) transaction processing. It also includes integration with Blackbaud software that is not available through other payment gateways.
The innovations available from BBMS now — and those featured on our product roadmap — will protect your constituents and ultimately allow your organisation to enhance fundraising.
8. I am not using BBMS in my Blackbaud solutions, how should I best prepare?
Move to Blackbaud Merchant Services (BBMS) and Blackbaud Checkout to ensure your transactions continue to process. If you continue to use a third-party gateway, we expect that card issuers will decline those beginning 14 September 2021. To learn more about BBMS, please visit https://www.blackbaud.co.uk/solutions/payment-services/merchant-services.
9. How do I find out more?
Please look for further information from Blackbaud in your inbox over the coming weeks. We will also post updates at https://www.blackbaud.co.uk/sca.
10. How do I learn more about my specific Blackbaud products?
If you own a Blackbaud product, please see SCA product instructions to find out more on how a specific product may be impacted.
If your organisation currently uses a third-party payment gateway with your Blackbaud solution, then you will need to transition your online forms to Blackbaud Merchant Services (BBMS) to ensure compliance with SCA.
11. What other changes should I expect to see with SCA?
Strong Customer Authentication has additional guidance around saved cards and recurring gifts. To this end, Blackbaud has taken steps to protect your recurring payments processed through Blackbaud Merchant Services (BBMS) by running a zero-value authorization for each card securely stored. This authorization allows Blackbaud to request exemptions from SCA for future recurring payments, helping you maximize your revenue, and is immediately reversed to avoid any adverse impact on the card’s account.
No fund is charged as part of this authorisation. Whilst most supporters and constituents will not see any impact at all, in some cases a 0.00 pending authorization (or, very occasionally, 0.01 or 1.00) for ‘Blackbaud SCA – Charity’ may temporarily appear on their card statement as a pending authorization, before being removed typically in 1-7 days. By following this recommended practice, Blackbaud is helping to ensure minimal to no impact on your recurring transactions as a result of SCA regulation.
We want you to be aware of this step in case your organization receives a call from a supporter as to why a zero or very low-value pending authorization from Blackbaud appears on their account statement. Details are also available in the following