How-to Documentation

Strong Customer Authentication

Consumers are making more online payments than ever before. With this increase comes a rise in online credit card fraud. The European Banking Authority (EBA) in the European Union (EU) has introduced new requirements for validating online payments, called Strong Customer Authentication (SCA), which come into law on September 14, 2019. These requirements are intended to protect consumers against online fraud.

At Blackbaud, security and fraud protection are a top priority when processing payments. We continue to increase the security profile of our solutions to reduce the possibility of our customers being impacted by online fraud and ensure online donations and payments meet the requirements of SCA.

If you are an EU organization, please visit Strong Customer Authentication FAQ for EU Organizations for more information and resources.

If you are an organization outside of the EU, please refer to our FAQ below to find out more information about SCA and whether you may be impacted.

SCA for Organizations Outside of the EU

While SCA is an EU regulation, organizations outside of the EU might still be impacted by SCA. We have prepared a FAQ to help answer questions surrounding SCA and developed a comprehensive set of resources to assist you in your SCA compliance practices, should you determine that your organization needs to comply.

1. What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is a new European requirement created to reduce fraud and make online payments more secure. Beginning September 14, 2019, when an individual with a card issued in the European Economic Area (EEA) makes a payment online, extra levels of authentication will be required at the time of the transaction. As fraud methods are constantly changing, the aim of SCA is to reduce fraud, provide added security to online payments, and act as a “frictionless authentication,” improving the payment experience and providing security against the emergence of new online payment threats.

SCA applies to donations and paid event registrations, memberships or sponsorships, tuition payments and any other online payments made with credit or debit cards. If you have constituents making payments to your organization using European-issued credit or debit cards, those payments may be subject to SCA requirements.

Failure to adhere to SCA will result in the rejection of donations or payments by financial institutions across the European Economic Area (EEA).

You can find more details about the requirements on the European Banking Authority site.

2. To whom does SCA apply?

SCA standards apply to payment processors, card issuers, cardholders, and merchants in the European Economic Area (EEA). While the regulation directly affects EU organizations, some European banks may require SCA for payment transactions to organizations outside of Europe. In other words, if you have constituents making online payments to your organization using European-issued credit or debit cards, those payments may be subject to SCA requirements. While we expect this risk to be low, we encourage you to assess the volume of your donations originating from the EEA and ensure your Blackbaud solution is updated to the appropriate SCA-compliant version.

We recommend that you review our Strong Customer Authentication FAQ for EU Organizations for more information on preparing your online payment pages to be SCA-compliant.

3. How are my Blackbaud solutions affected?

Blackbaud is actively updating the following products to comply with SCA requirements: Blackbaud eTapestry, Blackbaud Online Express, Blackbaud NetCommunity, Blackbaud Internet Solutions, Blackbaud Luminate Online, Blackbaud TeamRaiser, JustGiving, everydayhero, and the Payments API. If your organization accepts online payments from constituents in the EEA, we recommend you visit our Strong Customer Authentication FAQ for EU Organizations.

4. What resources are available?

Blackbaud provides SCA-specific updates to its solutions via existing release notes and communication methods. In addition, we have a Strong Customer Authentication FAQ for EU Organizations.

You can find more details about the requirements on the European Banking Authority site.