Strong Customer Authentication (SCA)

Strong Customer Authentication (also known as SCA) fulfills a set of regulatory requirements, designed to reduce fraud, making online payments more secure while establishing trust with consumers. SCA adds an extra layer of security by using a third party like a bank to verify the end-customer prior or during an online payment. Riverty currently offers this functionality in Sweden, Norway, Denmark, Finland, Germany, Austria, Switzerland and the Netherlands.

Practical Use

SCA is used for risk handling (consumer ratings and fraud risk). For Norway and Sweden SCA is almost always mandatory as it is a key element of fraud prevention and it is a known process for online shoppers. In Sweden SCA is used by 98% of the population between 18-67 years of age.

Country Specifics

Country	Sweden	Norway	Finland	Denmark	Netherlands	DACH
Name of eID method	BankID (SE)	BankID (NO)	FTN (Finnish Trust Network)	MitID (replaces NemID)	iDIN	One Time Password (SMS/Email)
Required field(s)	Identification number	Identification number	Identification number	Identification number	Date of birth, first name, last name	Phone Number, Email Address
Country specific restrictions					Only for customers using the following banks: ABN AMRO, ASN Bank, Bunq, ING, Rabobank, RegioBank, SNS. More info: https://www.idin.nl/en/can-i-use-idin/
To trigger on test environment	First item description has to be SCAHigh	First item description has to be SCAHigh	First item description has to be SCAHigh	First item description has to be SCAHigh	First item description has to be SCAHigh The last name has to be Vries and date of birth has to be 1975-07-25	First item description has to be: For SMS: OTP_REQUIRED_SMS For Email: OTP_REQUIRED_EMAIL For both SMS or Email: OTP_REQUIRED_SMS_OR_EMAIL For Date of Birth: OTP_REQUIRED_DoB For SMS and Date of Birth: OTP_REQUIRED_SMS_AND_DoB For Email and Date of Birth: OTP_REQUIRED_EMAIL_AND_DoB

Implementation

The SCA implementation uses a redirect flow which requires the end-customer to be redirected to the secure login URL that was provided by Riverty API during the Authorize Payment or Verify request. The end-customer will be presented with a page with further instructions. After the verification process is completed the end-customer is redirected back to merchant’s web page.

Riverty will decide for which orders and customers SCA will be triggered. This decision is based on a number of parameters, such as order amount, shipping address and other fraud and risk related variables.

1. The customer selects Riverty at the merchant's checkout and clicks ‘Pay’ to finalize the purchase.
2. The merchant sends an authorization request to the Riverty API with customer and order details, including the 'merchantUrl' where the customer will be redirected after completing or canceling the Strong Customer Authentication (SCA) process.
3. Based on the merchant's configuration, the Riverty API determines if SCA is required. If SCA is needed, the API responds with "outcome": "Pending", along with a risk message such as "message": "Strong identification needed" and "code": "200.910"
4. The authorize payment response contains a “secureLoginUrl”
5. The merchant redirects the customer to the “secureLoginUrl”
6. The customer completes identity verification using their country-specific eID method.
7. After successful authentication, Riverty redirects the customer to the merchant's return URL provided in step 2.
8. Upon the customer’s return, the merchant must make a GetOrder request to the Riverty API to check the order status:
   • If the order is accepted, the purchase is finalized.
   • If the order is canceled, expired, or pending, the purchase is not finalized. A pending order will time out after 15 minutes, requiring the customer to try again with a new order number.

Timing of the GetOrder Request:

• Trigger the GetOrder request as soon as the customer is redirected to the merchant's return URL.
• If the customer hasn't returned within one minute, initiate the GetOrder request automatically.
• While the order status is "Pending", continue sending GetOrder requests at 30-second intervals.
• Stop sending requests after 15 minutes, as the order status will automatically change to "Expired" at that point.

Mobile APP & IOS compatibility

When initiating the SCA process within a mobile app, it is crucial to open the Secure Login URL in the native or system browser. If the SCA flow is opened via a WebView integration, particularly on iOS devices, users may encounter difficulties when attempting to return to the merchant URL to complete the process.