It’s our job to make sure we’re providing you with the tools you need to run your business easily, safely and securely. So we've added an extra layer of security for users making a payment via our platform. You’ll find a list of frequently asked questions below.
What is Strong Customer Authentication (SCA)?
Strong Customer Authentication is a regulatory requirement for authenticating online payments in Europe as part of the second Payment Services Directive (PSD2). It aims to enhance the security of online payments and reduce fraud during the authentication process, by making sure the person creating a payment from their account is who they say they are.
When was SCA activated?
SCA was turned on at 11 am UK time on Tuesday, 22nd September 2020 and is applied to all applicable payments.
How does SCA work?
When instructing some payments, an additional identifying factor will be requested. Just like when logging into Currencycloud Direct with 2FA, SCA requires clients to use two of the following authentication factors:
- Something that only the client knows (such as a password);
- Something that only the client possesses (such as a phone); OR
- Something that the user is (such as a fingerprint).
To keep things simple, users will be asked to authenticate payments using the same method they use for logging in with 2FA - the Authy app. If you can’t access Authy, you can receive a code via SMS.
Which payments require SCA?
SCA applies to online transactions that are instructed by a payer from within the EEA via our payment platform.
Not all payments require SCA. Where there is a very low risk of fraud, the following types of transaction may be exempt:
- Low-value transactions - most transactions under 30 EUR are exempt. We may occasionally ask users to approve lower value payments to be on the safe side (for example, when you send money to a new beneficiary).
- Trusted beneficiaries - we don’t require SCA when a client initiates a payment to a beneficiary who is included on a list of ‘trusted beneficiaries’. This list includes beneficiaries that the user has previously paid.
- Recurring transactions - we don’t require SCA when a client executes a payment to the same beneficiary for the same amount. We only require SCA for the first payment of recurring transactions.
- Transfers between accounts that belong to the same clients and are held by us.
- Payments that are initiated via telephone order where other controls are in place to verify a user’s identity.
All transactions through our platform are monitored for fraudulent payment attempts. If we consider it necessary, the exemptions above may be revised to reduce the fraud risk to Currencycloud customers.
How do I authenticate a payment?
If a payment requires authentication, there will be an additional step on the Currencycloud Direct payment journey. It will prompt you to authorise your payment using the Authy app on your registered device(s), where you can check that the payment details match what you entered on Direct. You will need to either tap ‘approve’ on the request or enter the code shown on your device. You can choose to receive the code by SMS if you prefer.
Tip - we recommend you enable push notifications on the Authy app on your mobile device. This makes it much easier to approve a payment with just one click.
I make payments through the API, will they be affected?
No, payments made through the API are not affected by SCA.
How often will I be asked to verify my identity?
You will be asked to verify yourself using 2FA when you log on to Currencycloud Direct - every time you log in from a device you haven’t used before, and every 15 days from a trusted device (you can choose to remember a device for 15 days). In addition, every payment requiring SCA will need to be authenticated individually, regardless of whether 2FA was required at login.
Which device is the authentication request sent to?
To keep things simple, we use the same details you use to log in to Direct. Whichever device(s) you use to log in with two-factor authentication can also be used to approve a payment. You can authenticate payments via the Authy app - using the ‘one-touch’ approval or by generating a one-time passcode. If you can’t access Authy, you can receive a code via SMS.
What if I don’t have my mobile device with me?
You need to have access to a registered device to receive your 2-factor authentication prompts in order to keep your account secure. The best thing to do is to enable Authy Multi-Device which allows multiple trusted devices to use the same Authy account. This will also help if you ever lose access to one of your devices. As a reminder, you should always make sure that you are using the latest software version on all devices for maximum security. If you can’t access any of your devices and urgently need to access your account, please contact our support team.
I’ve lost my phone or have a new phone number - what can I do?
There are a number of options; the easiest applies if you already have more than one device registered.
- If you have access to another registered device you can use it to manage your devices, including changing your phone number.
- If you have access to a new phone with the same number then you can restore your Authy account on your new phone. You will need to download the app and follow the steps to verify your identity.
- If you have a new phone number and don’t have another registered device, you can request to change your phone number.
Our FAQ about using Authy can be found here.
Does SCA still apply after Brexit?
Although SCA is an outcome of EU regulation, it continues to be enforced in the UK after Brexit.
I’m experiencing problems with 2FA or my Authy app
For more answers regarding your Authy app and 2FA set-up, please see our FAQ for two-factor authentication.