
Strong Customer Authentication factsheet

What is Strong Customer Authentication?

Until now, making a card payment online has involved providing the card number, expiry date and CVC number. It’s convenient, but fraudulent activity involving credit / debit cards remains a major concern to banks and consumers alike.

Strong Customer Authentication (SCA) is an element of the Payment Services Directive (PSD2) which improves the security of digital transactions. It minimises fraud by asking customers (donors) to confirm that they really are who they say they are. This is sometimes also known as Two Factor Authentication.

To some extent it is already in use - 3D Secure is a form of SCA.

How does it work?

Under SCA, when a donor/customer makes an online payment, the payment gateway decides whether the payment requires more security checks than just the card number, expiry date and CVC. If it does, the donor/customer is prompted to provide two pieces of information, from two out of three separate categories:

  • something they know - such as a password or an answer to a security question

  • something they have - such as a mobile phone or a token

  • and something they are - such as a fingerprint or face recognition

Do all payments require these checks?

There are some exemptions - see here for a full explanation. For example, cards issued outside of Europe are exempt. And repeat transactions (after the first one) for recurring amounts are exempt. Low risk transactions are exempt (this depends on factors beyond your control), and low value (less than $30) transactions are mostly exempt too, but with exceptions.

Are there exemptions for donations?

Not specifically. The general exemptions will apply, whatever the purpose of the payment.

Will it affect your organisation?

If you take payments online then yes, it applies to your organisation. Therefore you will need to make sure that your payment platforms are ready and compliant by the deadline day.

When does it come into effect?

The deadline is 14th September 2019.

What is Donorfy doing about it?

We are working with Stripe to ensure that Donorfy’s methods of giving by card (Widgets and Campaign Donation Pages) comply with SCA. We expect to comply by end of quarter 2, 2019.

What should charities do?

If you use Donorfy Stripe widgets in your website

You will need to ask your web developer / agency to add a couple of lines of code to your existing web widget code. We will issue some guidance on that as soon as it’s ready.

If you use Donorfy Campaign Donation pages

Nothing - they will start using SCA automatically when the update to Donorfy has been released.

If you use other ways to collect donations and e-commerce payments online

If you use platforms such as JustGiving, Eventbrite, CAF Donate, Virgin Money Giving and Charity Checkout (and any others) you will need to check with them regarding their compliance with SCA. Integrations between these platforms and Donorfy should remain unaffected.