Blog posts

A guide to Strong Customer Authentication for charities

Chris Houghton
September 10, 2019

       "Strong Customer Authentication" (SCA) sounds like a term from the pre-Windows days of computers. It's actually a new EU online payments regulation that's important to be aware of.

On Saturday 14th September 2019, a new regulation called PSD2 is due for roll out, which will require Strong Customer Authentication (SCA) for many online payments made by European customers.

In this post, we'll take a look at how SCA might affect your charity or nonprofit, so there's no nasty suprises when the regulation comes in this Saturday.

       What is it?

For a number of years, you've probably seen a feature called 3D Secure used when making payments online. It's an extra (often clunky) step that requires a customer or donor to provide additional verification with their bank when making an online payment.

For example, some Visa customers need to confirm payments by entering their banking password:


There's a better looking and mobile friendly version of this called 3DSecure 2 that's rolling out in 2019. (It will look slightly different for every bank)

Screenshot 2019-09-10 at 07.36.38

In short, the introduction of SCA means that some payments (not all) made online may need to go through this additional verification step in order to be completed.

       Does this affect my charity?

If you have any donors or other supporters in the EU making debit/credit card payments to you online then yes, SCA will absolutely affect you.

While the initial plan was an EU-wide roll-out on September 14th, many countries are taking a slower approach - meaning no extra verification step for donors in those countries... yet.

In the UK, SCA has been delayed by 18 months, so no UK supporters will need to go through this additional verification step.

       Why has the EU introduced this?

To combat fraud. An additional verification step makes it harder for the pesky fraudsters to make their fake payments!

       Do I need to do anything?

It depends on how you take payments online. More information below:

       CRM platforms

Many CRMs and fundraising platforms like Beacon allow you to take donations and other payments online on your website.

You shouldn't need to do anything here - but check with your provider if you're not sure where they stand! (Beacon supports this out of the box)

If you're a Beacon customer, learn more about how Beacon handles SCA.

       Other platforms

If you're taking donations through JustGiving or Virgin Money Giving, selling tickets through Eventbrite, no action should be required here either.

These are businesses who depend on processing payments online - they wouldn't let this slip past them! But again, check if you're not sure.

       Direct debits

Direct debits are not affected by SCA - no need to anything here!

       Custom integrations & plugins

If you've built your own integration on your website using a provider like Stripe then yes, some changes will be required. You'll either need to update your integration, or switch to a platform like Beacon to accept donations.

Additionally, if you're using a Wordpress plugin to take donations, you need to make sure that it supports SCA. This might just be a matter of updating to the latest version.

       Phone donations

To date, there's been very little discussion about how SCA affects taking donations over the phone.

If you regularly have donors ringing you up to make a payment (donation or otherwise), it might not be as simple as it used to be.

The donor will give you their card details, but an additional verification step might still be required, likely be in the form of a push notification or SMS message.

Technically speaking, an over-the-phone payment is still processed online, so it can still be subject to the new SCA verification process. Something to be aware of!

       Going forwards

While SCA has been delayed for UK supporters for the time being, this is a new challenge that's here to stay.

The good news is, it's a challenge that's very solveable with technology and perhaps a little change in process.

Got a question? Feel free to leave a comment and I'll get back to you with more information.