Cookie Law, GDPR, and now SCA from the EU: where does it end? If you’re hoping Brexit will put a stop to it, think again, as Strong Customer Authentication is coming irrespective (in fact most EU data laws have roots in UK law).
However, this time the work is being done at payment processors like PayPal and your bank, which means you probably don’t need to do anything and will end up more secure.
What does SCA mean and how does it protect me/my customers?
You may have noticed when buying something online that, at the payment step, the checkout shows a new notice saying ‘we will be making this more secure soon/you might get a text message code’. This is SCA: checking that the online purchase that has been initiated is indeed from you.
But it goes further than that, to include fingerprint authentication (like within Apple’s iOS and Google’s Android). You might also see it called ‘3D Secure 2’, which is an update to an existing standard. It effectively measures the risk of each transaction, using some additional information from your bank or some letters from your passcode, to decide whether a transaction is likely fraudulent (eg. payments in Glasgow when you seem to be in Cornwall).
It won’t impact all transactions; some ‘low risk’ ones might be exempted from this step. But if you run an online store, unless you provide an integrated payment system, there is nothing you will need to do other than, most likely, accept a new set of terms and conditions. The ‘authentication’ is done by the payment processor, eg. PayPal, Stripe, ApplePay, your bank, etc.
If you’re a couple and share accounts, this could cause a bit of an issue. For example, you have one Amazon Prime account for the house which is attached to one card, but the confirmation text would then go to your partner’s phone. Similarly, if you share an online grocery account and one of you is doing the shopping, it might only be possible for one of you to check out unless you’ve added both cards.
However these first-world problems pale in comparison to the fact that there might be a substantial reduction in the amount of fraud you are potentially exposed to; and possibly also more awareness of how much you are spending where.
Will this stop fraud?
We all know the answer is ‘of course not’. There has been a significant lead-up to the introduction of this legislation, and getting around additional authentication methods, especially text verification, has been possible for a while. Think of a text as a bit like an email sent over the air.
What else can I do?
So please do consider updating your passwords to be a bit stronger (especially your email), and especially deleting old accounts which are no longer in use (eg. that shop you bought something from once and which keeps emailing you). Those accounts will contain important ID information like name, email, postal address, date of birth and possibly card details.
Get a Virtual Private Network (VPN) service
It might sound confusing, but when you connect to wifi in a coffee shop or somewhere public, if there isn’t a password involved then everything you type can be picked up, or ‘sniffed’, by someone on the same network.
So you might want to consider not purchasing things in a public space, or checking your bank account, but there’s more data flowing than you realise, including your email and texts (for verification).
A Virtual Private Network is a service that you connect to which provides an encrypted tunnel (which can’t be sniffed) to another computer in your country, which also hides your location. In fact you can use it to appear to be in other countries too, eg. to watch geographically restricted content or make a purchase like a flight – though that’s a potential moral grey area.
A VPN will be a small program on your computer, or an app on your devices (yes, your phone and tablet also need protection), and will automatically connect you, though you can make exceptions like your home and work wifi. The cost is just a few pounds a month for a service like NordVPN (affiliate link).