March 14, 2022, Strong Customer Authentication (SCA) regulation becomes mandatory in the UK. Banks and online retailing organizations operating in the UK have to ask consumers for additional identity checks when they make an online purchase. It is believed that this regulation will reduce online fraud and ensure internet payment security. Will it be helpful? Experience tells us that fraud will not disappear. It changes into other forms that are harder to detect. 

Previously on SCA

September 14, 2019, SCA was enforced in European Economic Area (EEA) as a part of Payments Services Directive (PSD2) requirements to deter online transaction fraud by requiring additional identify authentication before payment. Countries in the EEA will require that online businesses and banks follow the SCA process when it comes to online payment. And now, organizations in the UK also have to follow this regulation. 

What is SCA

SCA applies to online transactions in the EEA, Great Britain, and Northern Ireland. 

To do this, banks and organizations often ask for Two Factor Authentication (2FA) before payment that combines two forms of identification. The options are shown below.

  • What consumers know, e.g. password;
  • What consumers have, e.g. a device;
  • What consumers inherence, e.g. fingerprint.

Image source: Visa

Transactions that do not follow the SCA requirements will be denied unless they meet SCA exemptions.

How do fraudsters cope with SCA?

The main reason to enforce SCA is to help to reduce e-commerce fraud. As increasing payment is made online and the e-commerce fraud trend rises, the fraud pressure for European online retailers is mounting. Bot-driven fraud, like account takeover (ATO), data scalping, credential stuffing, denial of inventory, etc, repeatedly happens to European online retailing. Studies show that e-commerce losses to online payment fraud were around US$20 billion globally in 2021. That is a growth of over 14 percent compared to the US$17.5 billion recorded in the previous year (even though some countries in Europe already implemented SCA regulation).

Image source: Signifyd

However, SCA regulation has exemptions, which means that not all transactions have to apply to SCA requirements. Fraudsters can totally switch to transactions that are out of SCA scope. 

ATO will be the best alternative for fraudsters. As it is harder for fraudsters to use fake or stolen identities to commit crimes under SCA regulation, they can get card holder’s information and build a real identity with this information they collected through account takeover attacks on social media platforms.

From an online retailer's perspective, SCA apparently makes it more difficult for them to get orders since consumers are asked to take extra steps before payment. So online sellers may turn to the SCA exemptions, which is also what fraudsters hope. 

Therefore, with SCA requirements, online fraud seems under control, but what fraudsters do simply is manifest themselves elsewhere.

Audit your fraud prevention strategies

In order to keep up with the new fraud trend after SCA regulation become Europ-wide mandatory, organizations in the UK and the EEA should review their fraud prevention strategies. 

Here are suggestions from GeeTest fraud prevention and bot mitigation experts.

Avoid SCA exemptions

Fraudsters are likely to exploit SCA exemptions, so it is better to ensure that all orders made in your organization are protected by SCA regulations. See details of SCA exemptions here.


HTTPS is the secure version of HTTP. It encrypts data to protect credential information, such as user names, addresses, and credit card numbers. Using HTTPS prevents your websites and orders from hackers, cybercriminals, and fraudsters. 

Manage bot activities

ATO, credit card fraud, data scalping, etc are all bot-driven attacks. So focusing on bot activities on your websites will help you notice unusual visitors and orders right away. Bot prevention service, like CAPTCHA, is one of the best ways to secure websites from bot attacks. Check the demo of GeeTest Adaptive CAPTCHA.

Final words

The Europe-wide rollout of SCA will certainly help reduce online fraud, but it is not an end-all. The fraud trend will outsmart the regulation someday eventually. Being vigilant and efficient in web security and bot activities will be the “real” solution.

Start your free trial
Over 320,000 websites and mobile apps worldwide are protected by GeeTest captcha

Hayley Hong

Content Marketing @ GeeTest