Strong Customer Authentication (SCA) in Pipedrive
If your card issuing bank is in the *EU, **EEA, or ***CTC, you may be required to go through an additional step of authentication when you enter your card details or make modifications to your account and subscriptions with us. This is due to the PSD2 Strong Customer Authentication (SCA), a new European regulatory requirement designed to make online payments more secure, which came into effect on December 31, 2020.
The SCA will require an additional security step before you can complete your online transaction. This step can appear as two or more of the following:
- Knowledge – something the payer knows, including a password, PIN, passphrase, etc.
- Possession – something the payer possesses, including their mobile device,
- Inherence – something the payer is, including fingerprint, facial recognition, voice patterns, etc.
This EMV 3D Secure (3DS) authentication process is handled by the financial institution that has issued your card. If you are having issues authenticating your payment, we recommend reaching out to your financial institution directly for further assistance.
What is PSD2?
The PSD2 is an *EU law aimed at providing better card-payment protection, helping reduce online card fraud and making online purchases more secure for all consumers.
The final part of the PSD2 is Strong Customer Authentication (SCA). This began its rollout on September 19, 2019, and was enforced from December 31, 2020.
What is SCA?
SCA stands for Strong Customer Authentication and is a form of two-factor authentication (2FA) designed to make online payments more secure in the *EU and **EEA.
In Pipedrive, when you reach the "confirm" step while updating or entering your card payment details for your Pipedrive subscription, you are likely to be prompted to complete a verification and authentication step requested by the financial institution that issued your card. This is what the authentication pop-up in Pipedrive will look like.
Only after strongly authenticating your payment will you be able to proceed with the payment.
Q: How will I know my card has been authenticated successfully?
A: You will receive an in-app notification if a required payment authentication fails.
Q: What is EMV® 3-D Secure (3DS)?
A: EMV 3DS is the new industry standard and protocol for retailers to send data to card Issuers during a so-called "card-not-present" transaction to help address false declines and lower "card-not-present" fraud – while providing a better customer experience. EMV 3DS is relevant for all "card-not-present" purchases, including recurring and card-on-file payments.
Q: How can I identify what the EMV® 3-D Secure (3DS) looks like when I am making purchases online?
A: The large credit card schemes and banks have their own EMV® 3-D Secure (3DS) products.
- Mastercard’s is called: Mastercard® Identity Check™
- Visa’s is called: VERIFIED by VISA
- American Express’s is called: American Express SafeKey 2.0
Q: What if my authentication fails or I receive an error message?
A: To authenticate a payment, a cardholder responds to a prompt from their bank and provides additional information. This may be something you know (e.g., PIN), something you use (e.g., card, phone), or something that’s part of what you are (e.g., your fingerprint). If the payment authentication fails, you should contact the customer service number for your financial institution, which is typically found on the back of your card or on their website. Tell the customer service representative the message that you received.
Q: What if I did not receive an SMS/Text message with my one-time-passcode?
A: If your financial institution uses SMS/Text messages for authentications, you will need to contact the customer service number for your financial institution, which is typically found on the back of your card.
Q: What is the cost of the authentication SMS? Who pays this fee?
A: The SMS fee and its bearer are determined by the issuer banks, just like in the case of regular notifications. Please check the terms and conditions of your bank with regards to this service.
Q: While staying abroad will I still receive an SMS for online authentication? Who will pay the fee for this?
A: You will still receive SMS for online authentication while you are abroad. The SMS fee and its bearer are determined by the issuer banks, just like in the case of regular notifications. Please check the terms and conditions of your bank with regards to this service.
Q: What happens when my card expires?
A: You should receive a new card from your card issuer, and they will usually update this information in your profile automatically. However, you might need to update your card number/credentials on file if you use this service with Pipedrive.
Q: What happens if I cancel my card and then get a new one with a different account number?
A: Please speak to your card issuer with regards to the exact process which is also dependent on the services you use. For example, you might need to register the new card for their authentication program or add your new card details to your wallet or update credentials on file with Pipedrive and other online merchants you use.
Q: I would like to shop online but I don’t have my mobile phone on me or the battery is low. How can I verify my identity?
A: If your verification method of choice depends on the usage of your mobile phone, then you will be unable to execute the Strong Customer Authentication at that moment and the payment procedure will fail.
Q: I use my debit/credit card to pay some bills online automatically every month. From now on, will I have to verify my identity every time I pay?
A: Recurring payments do not need to be verified every time, no matter if the amount is the same or if it varies. Only the first payment – when setting up the regular payments – will require SCA to verify your identity and confirm the payments. You should also have an agreement between you and the retailer that specifies the reason for the payment and the payment amount (or an estimate when the precise amount is not known).
Q: I regularly shop at a specific website. Will I have to verify my identity and payment every single time in the future?
A: It is up to the Issuer bank to decide whether to take advantage of the exemptions that PSD2 allows, e.g., offering cardholders to build an "allow-list" of trusted retailers where you do not always have to authenticate yourself. They might also decide to add individual rules around what retailers or products and services qualify for an "allow-list" or if only payments below a certain threshold do not require additional authentication at allow-list retailers.
Q: My phone doesn’t have a fingerprint scanner, but does have a front camera. How can I verify my identity during mobile or contactless in-store payments?
A: In lieu of a fingerprint scanner, authentication of payments can be adjusted to other methods, such as screen lock, PIN code and face recognition or in-app authentication. This depends on the settings of your wallet and bank.
Q: Is SCA now the only reason why my Card payment was declined?
A: It depends. When a debit/credit card is used for making an online payment, there are many parties involved in the payment process: Issuing bank, Switches, Processing Platform, Acquiring Bank and Merchant platform, card networks and the Cardholders themselves.
There could be several different reasons why a payment won't go through.
- Card or other details are entered incorrectly
- Insufficient balance
- Card expired or new card hasn’t been confirmed yet
- Card issuing bank declined the transaction for security reasons
- Card has been reported as lost/stolen or it has been put on fraud alert
- Account with the merchant needs to be confirmed
- User dropped, e.g., because of time out, wrong clicks/refreshing the page
- Anti-virus, firewall software or connectivity/Wi-Fi issues
- Authentication failures
Q: Which countries will be enforcing PSD2 SCA?
A: *EU – European Union: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Republic of Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Monaco, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.
**EEA – European Economic Area: EU + Iceland, Liechtenstein and Norway.
***CTC – Contracted Transitional Countries: United Kingdom – 14-Sep-2021 and Switzerland – date to be determined
**** Note: France has delayed enforcement until 01-Apr-2021
Q: Are other countries and banks outside of the *EU, **EEA, ***CTC adopting PSD2 and/or SCA?
A: PSD2 is a set of laws and regulations that applies to the *EU, **EEA, ***CTC only.
SCA using EMV® 3-D Secure is being adopted by banks around the globe. However, this is at the discretion of the bank issuing the card and is not national or international law outside of the *EU, **EEA, ***CTC.
Q: Questions not answered here?
A: If your question is not listed, we recommend that you contact the financial institution that issued your card as only they hold information specific to your account. Typically, there is a customer service number for your financial institution on the back of the card.